@cmssy/next 0.2.2 → 0.2.4

package/dist/index.cjs

@@ -221,8 +221,8 @@ async function splitCmssyLocale(config, path) {
   return react.splitLocaleFromPath(path, siteLocales);
 }
 async function getCmssyLocale(config) {
-  const { headers: headers2 } = await import('next/headers');
-  const headerList = await headers2();
+  const { headers: headers3 } = await import('next/headers');
+  const headerList = await headers3();
   const fromHeader = headerList.get(CMSSY_LOCALE_HEADER);
   if (fromHeader) return fromHeader;
   const { defaultLocale } = await react.resolveSiteLocales(config);
@@ -362,11 +362,11 @@ function decodeAccessClaims(accessToken) {
   try {
     const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
     const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    const json3 = JSON.parse(new TextDecoder().decode(bytes));
-    if (typeof json3.recordId !== "string" || typeof json3.email !== "string" || json3.type !== "site_member") {
+    const json4 = JSON.parse(new TextDecoder().decode(bytes));
+    if (typeof json4.recordId !== "string" || typeof json4.email !== "string" || json4.type !== "site_member") {
       return null;
     }
-    return { recordId: json3.recordId, email: json3.email };
+    return { recordId: json4.recordId, email: json4.email };
   } catch {
     return null;
   }
@@ -1107,11 +1107,191 @@ async function fetchProduct(config, options) {
   });
   return products[0] ?? null;
 }
+var ORDER_FIELDS = `
+  id
+  status
+  subtotal
+  tax
+  total
+  currency
+  customerEmail
+  refundedAmount
+  paymentProvider
+  paidAt
+  fulfilledAt
+  createdAt
+  items { name price currency quantity sku }
+`;
+var MY_ORDERS = `query MyOrders($workspaceId: ID!, $skip: Int, $limit: Int) {
+  myOrders(workspaceId: $workspaceId, skip: $skip, limit: $limit) {
+    total
+    hasMore
+    items { ${ORDER_FIELDS} }
+  }
+}`;
+var MY_ORDER = `query MyOrder($workspaceId: ID!, $id: ID!) {
+  myOrder(workspaceId: $workspaceId, id: $id) { ${ORDER_FIELDS} }
+}`;
+var workspaceIdCache3 = /* @__PURE__ */ new Map();
+function workspaceIdFor3(config) {
+  const key = `${config.apiUrl}::${config.workspaceSlug}`;
+  const existing = workspaceIdCache3.get(key);
+  if (existing) return existing;
+  const fresh = react.resolveWorkspaceId(config).catch((err) => {
+    workspaceIdCache3.delete(key);
+    throw err;
+  });
+  workspaceIdCache3.set(key, fresh);
+  return fresh;
+}
+function headers2(workspaceId, accessToken) {
+  return {
+    "x-workspace-id": workspaceId,
+    authorization: `Bearer ${accessToken}`
+  };
+}
+async function backendMyOrders(config, accessToken, options) {
+  const workspaceId = await workspaceIdFor3(config);
+  const data = await react.graphqlRequest(
+    config,
+    MY_ORDERS,
+    { workspaceId, skip: options.skip, limit: options.limit },
+    { headers: headers2(workspaceId, accessToken) },
+    "my orders"
+  );
+  return data.myOrders;
+}
+async function backendMyOrder(config, accessToken, id) {
+  const workspaceId = await workspaceIdFor3(config);
+  const data = await react.graphqlRequest(
+    config,
+    MY_ORDER,
+    { workspaceId, id },
+    { headers: headers2(workspaceId, accessToken) },
+    "my order"
+  );
+  return data.myOrder;
+}
+
+// src/create-orders-route.ts
+var DEFAULT_LIMIT = 20;
+var MAX_LIMIT = 100;
+function json3(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store"
+    }
+  });
+}
+function createCmssyOrdersRoute(config) {
+  async function memberAccessToken() {
+    if (!config.auth) return void 0;
+    const jar = await headers.cookies();
+    const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
+    if (!raw) return void 0;
+    const session = await openSession(
+      raw,
+      config.auth.sessionSecret,
+      config.workspaceSlug
+    );
+    if (!session || isAccessExpired(session)) return void 0;
+    return session.accessToken;
+  }
+  return {
+    async GET(request2) {
+      const accessToken = await memberAccessToken();
+      if (!accessToken) {
+        return json3({ message: "Not signed in." }, 401);
+      }
+      const url = new URL(request2.url);
+      try {
+        const id = url.searchParams.get("id");
+        if (id) {
+          return json3({ order: await backendMyOrder(config, accessToken, id) });
+        }
+        const skip = Math.max(
+          0,
+          Math.floor(Number(url.searchParams.get("skip")) || 0)
+        );
+        const limitParam = Math.floor(Number(url.searchParams.get("limit")));
+        const limit = Number.isFinite(limitParam) && limitParam > 0 ? Math.min(limitParam, MAX_LIMIT) : DEFAULT_LIMIT;
+        const result = await backendMyOrders(config, accessToken, {
+          skip,
+          limit
+        });
+        return json3(result);
+      } catch (err) {
+        return json3(
+          { message: err instanceof Error ? err.message : "Orders error" },
+          502
+        );
+      }
+    }
+  };
+}
+var CmssyWebhookError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CmssyWebhookError";
+  }
+};
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  let timestamp = null;
+  let signature = null;
+  for (const part of header.split(",")) {
+    const idx = part.indexOf("=");
+    if (idx === -1) continue;
+    const key = part.slice(0, idx).trim();
+    const value = part.slice(idx + 1).trim();
+    if (key === "t") timestamp = Number(value);
+    else if (key === "v1") signature = value;
+  }
+  if (timestamp === null || !Number.isFinite(timestamp) || !signature) {
+    throw new CmssyWebhookError("Malformed X-Cmssy-Signature header");
+  }
+  return { timestamp, signature };
+}
+function timingSafeHexEqual(expectedHex, providedHex) {
+  const expected = Buffer.from(expectedHex, "hex");
+  const provided = Buffer.from(providedHex, "hex");
+  if (expected.length !== provided.length) return false;
+  return crypto$1.timingSafeEqual(expected, provided);
+}
+function verifyCmssyWebhook(options) {
+  const { body, signatureHeader, secret } = options;
+  if (!signatureHeader) {
+    throw new CmssyWebhookError("Missing X-Cmssy-Signature header");
+  }
+  if (!secret) {
+    throw new CmssyWebhookError("Missing webhook secret");
+  }
+  const { timestamp, signature } = parseSignatureHeader(signatureHeader);
+  const toleranceMs = (options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS) * 1e3;
+  const now = options.now ?? Date.now();
+  if (Math.abs(now - timestamp) > toleranceMs) {
+    throw new CmssyWebhookError("Webhook timestamp outside tolerance");
+  }
+  const expected = crypto$1.createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
+  if (!timingSafeHexEqual(expected, signature)) {
+    throw new CmssyWebhookError("Webhook signature mismatch");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    throw new CmssyWebhookError("Webhook body is not valid JSON");
+  }
+  return parsed;
+}
 
 exports.CMSSY_CART_COOKIE = CMSSY_CART_COOKIE;
 exports.CMSSY_EDIT_HEADER = CMSSY_EDIT_HEADER;
 exports.CMSSY_LOCALE_HEADER = CMSSY_LOCALE_HEADER;
 exports.CMSSY_SESSION_COOKIE = CMSSY_SESSION_COOKIE;
+exports.CmssyWebhookError = CmssyWebhookError;
 exports.SESSION_MAX_AGE_SECONDS = SESSION_MAX_AGE_SECONDS;
 exports.applyCmssyCsp = applyCmssyCsp;
 exports.assertAuthConfig = assertAuthConfig;
@@ -1119,6 +1299,7 @@ exports.cmssyCspHeaders = cmssyCspHeaders;
 exports.createCmssyAuthMiddleware = createCmssyAuthMiddleware;
 exports.createCmssyAuthRoute = createCmssyAuthRoute;
 exports.createCmssyCartRoute = createCmssyCartRoute;
+exports.createCmssyOrdersRoute = createCmssyOrdersRoute;
 exports.createCmssyPage = createCmssyPage;
 exports.createDraftRoute = createDraftRoute;
 exports.fetchProduct = fetchProduct;
@@ -1134,3 +1315,4 @@ exports.openSession = openSession;
 exports.sealSession = sealSession;
 exports.sessionCookieOptions = sessionCookieOptions;
 exports.splitCmssyLocale = splitCmssyLocale;
+exports.verifyCmssyWebhook = verifyCmssyWebhook;

package/dist/index.d.cts

@@ -1,6 +1,6 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ComponentType } from 'react';
-import { CmssyPageData, CmssyFormDefinition, BlockDefinition, CmssyClientConfig, CmssyProduct } from '@cmssy/react';
+import { CmssyPageData, CmssyFormDefinition, BlockDefinition, CmssyClientConfig, CmssyProduct, CmssyOrder } from '@cmssy/react';
 import { EditBridgeConfig } from '@cmssy/react/client';
 import { NextRequest, NextResponse } from 'next/server';
 
@@ -149,4 +149,77 @@ interface FetchProductOptions {
 }
 declare function fetchProduct(config: CmssyNextConfig, options: FetchProductOptions): Promise<CmssyProduct | null>;
 
-export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, type FetchProductOptions, type FetchProductsOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+interface CmssyOrdersRouteHandlers {
+    GET(request: Request): Promise<Response>;
+}
+declare function createCmssyOrdersRoute(config: CmssyNextConfig): CmssyOrdersRouteHandlers;
+
+interface MyOrdersResult {
+    items: CmssyOrder[];
+    total: number;
+    hasMore: boolean;
+}
+
+/**
+ * Verify + parse an inbound cmssy webhook (CMS-693 / CMS-694).
+ *
+ * cmssy signs each delivery with HMAC-SHA256 over `${timestamp}.${body}`
+ * and sends the result in the `X-Cmssy-Signature: t=<ms>,v1=<hex>`
+ * header, plus a unique `X-Cmssy-Webhook-Id`. This helper recomputes the
+ * signature (timing-safe compare), rejects stale timestamps to bound
+ * replay, and returns the typed event.
+ *
+ * IMPORTANT: pass the RAW request body string (e.g. `await req.text()`),
+ * never a re-serialized object - the signed bytes must match exactly.
+ */
+/** Serialized order carried in an order.* webhook (mirrors the backend). */
+interface CmssyWebhookOrder {
+    id: string;
+    workspaceId: string;
+    displayStatus: string;
+    paymentStatus: string;
+    fulfillmentStatus: string;
+    total: number;
+    currency: string;
+    customerId: string | null;
+    customerEmail: string;
+    paymentProvider: string | null;
+    paymentReference: string | null;
+    refundedAmount: number;
+    createdAt: string;
+    updatedAt: string;
+}
+interface CmssyWebhookEvent {
+    /** Delivery id - also sent in X-Cmssy-Webhook-Id; dedup on it. */
+    id: string;
+    /** e.g. "order.paid", "order.refunded". */
+    event: string;
+    createdAt: string;
+    data: {
+        workspaceId: string;
+        order: CmssyWebhookOrder;
+    };
+}
+interface VerifyCmssyWebhookOptions {
+    /** Raw request body string (NOT parsed JSON). */
+    body: string;
+    /** The `X-Cmssy-Signature` header value, or null if absent. */
+    signatureHeader: string | null;
+    /** The endpoint's signing secret. */
+    secret: string;
+    /** Max age of the signed timestamp, in seconds. Default 300 (5 min). */
+    toleranceSeconds?: number;
+    /** Override the current time (ms) - for tests. */
+    now?: number;
+}
+declare class CmssyWebhookError extends Error {
+    constructor(message: string);
+}
+/**
+ * Verify the signature + freshness and return the parsed event. Throws
+ * `CmssyWebhookError` on any failure (missing/malformed header, bad
+ * signature, stale timestamp, invalid JSON) - catch it and respond 400.
+ */
+declare function verifyCmssyWebhook(options: VerifyCmssyWebhookOptions): CmssyWebhookEvent;
+
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssyOrdersRouteHandlers, type CmssySessionPayload, type CmssySessionUser, CmssyWebhookError, type CmssyWebhookEvent, type CmssyWebhookOrder, type CreateCmssyPageOptions, type FetchProductOptions, type FetchProductsOptions, type MyOrdersResult, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, type VerifyCmssyWebhookOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyOrdersRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale, verifyCmssyWebhook };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ComponentType } from 'react';
-import { CmssyPageData, CmssyFormDefinition, BlockDefinition, CmssyClientConfig, CmssyProduct } from '@cmssy/react';
+import { CmssyPageData, CmssyFormDefinition, BlockDefinition, CmssyClientConfig, CmssyProduct, CmssyOrder } from '@cmssy/react';
 import { EditBridgeConfig } from '@cmssy/react/client';
 import { NextRequest, NextResponse } from 'next/server';
 
@@ -149,4 +149,77 @@ interface FetchProductOptions {
 }
 declare function fetchProduct(config: CmssyNextConfig, options: FetchProductOptions): Promise<CmssyProduct | null>;
 
-export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssySessionPayload, type CmssySessionUser, type CreateCmssyPageOptions, type FetchProductOptions, type FetchProductsOptions, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+interface CmssyOrdersRouteHandlers {
+    GET(request: Request): Promise<Response>;
+}
+declare function createCmssyOrdersRoute(config: CmssyNextConfig): CmssyOrdersRouteHandlers;
+
+interface MyOrdersResult {
+    items: CmssyOrder[];
+    total: number;
+    hasMore: boolean;
+}
+
+/**
+ * Verify + parse an inbound cmssy webhook (CMS-693 / CMS-694).
+ *
+ * cmssy signs each delivery with HMAC-SHA256 over `${timestamp}.${body}`
+ * and sends the result in the `X-Cmssy-Signature: t=<ms>,v1=<hex>`
+ * header, plus a unique `X-Cmssy-Webhook-Id`. This helper recomputes the
+ * signature (timing-safe compare), rejects stale timestamps to bound
+ * replay, and returns the typed event.
+ *
+ * IMPORTANT: pass the RAW request body string (e.g. `await req.text()`),
+ * never a re-serialized object - the signed bytes must match exactly.
+ */
+/** Serialized order carried in an order.* webhook (mirrors the backend). */
+interface CmssyWebhookOrder {
+    id: string;
+    workspaceId: string;
+    displayStatus: string;
+    paymentStatus: string;
+    fulfillmentStatus: string;
+    total: number;
+    currency: string;
+    customerId: string | null;
+    customerEmail: string;
+    paymentProvider: string | null;
+    paymentReference: string | null;
+    refundedAmount: number;
+    createdAt: string;
+    updatedAt: string;
+}
+interface CmssyWebhookEvent {
+    /** Delivery id - also sent in X-Cmssy-Webhook-Id; dedup on it. */
+    id: string;
+    /** e.g. "order.paid", "order.refunded". */
+    event: string;
+    createdAt: string;
+    data: {
+        workspaceId: string;
+        order: CmssyWebhookOrder;
+    };
+}
+interface VerifyCmssyWebhookOptions {
+    /** Raw request body string (NOT parsed JSON). */
+    body: string;
+    /** The `X-Cmssy-Signature` header value, or null if absent. */
+    signatureHeader: string | null;
+    /** The endpoint's signing secret. */
+    secret: string;
+    /** Max age of the signed timestamp, in seconds. Default 300 (5 min). */
+    toleranceSeconds?: number;
+    /** Override the current time (ms) - for tests. */
+    now?: number;
+}
+declare class CmssyWebhookError extends Error {
+    constructor(message: string);
+}
+/**
+ * Verify the signature + freshness and return the parsed event. Throws
+ * `CmssyWebhookError` on any failure (missing/malformed header, bad
+ * signature, stale timestamp, invalid JSON) - catch it and respond 400.
+ */
+declare function verifyCmssyWebhook(options: VerifyCmssyWebhookOptions): CmssyWebhookEvent;
+
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, type CmssyAuthConfig, type CmssyAuthMiddleware, type CmssyAuthRouteHandlers, type CmssyCartRouteHandlers, type CmssyCspOptions, type CmssyDraftRouteConfig, type CmssyEditorProps, type CmssyNextConfig, type CmssyOrdersRouteHandlers, type CmssySessionPayload, type CmssySessionUser, CmssyWebhookError, type CmssyWebhookEvent, type CmssyWebhookOrder, type CreateCmssyPageOptions, type FetchProductOptions, type FetchProductsOptions, type MyOrdersResult, SESSION_MAX_AGE_SECONDS, type SessionCookieOptions, type VerifyCmssyWebhookOptions, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyOrdersRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale, verifyCmssyWebhook };

package/dist/index.js

@@ -2,7 +2,7 @@ import { draftMode, headers, cookies } from 'next/headers';
 import { notFound, redirect } from 'next/navigation';
 import { resolveSiteLocales, splitLocaleFromPath, fetchPage, resolveForms, CmssyServerPage, resolveWorkspaceId, graphqlRequest } from '@cmssy/react';
 import { jsx } from 'react/jsx-runtime';
-import { createHash, timingSafeEqual } from 'crypto';
+import { createHmac, createHash, timingSafeEqual } from 'crypto';
 import { EncryptJWT, jwtDecrypt } from 'jose';
 import { NextResponse } from 'next/server';
 
@@ -219,8 +219,8 @@ async function splitCmssyLocale(config, path) {
   return splitLocaleFromPath(path, siteLocales);
 }
 async function getCmssyLocale(config) {
-  const { headers: headers2 } = await import('next/headers');
-  const headerList = await headers2();
+  const { headers: headers3 } = await import('next/headers');
+  const headerList = await headers3();
   const fromHeader = headerList.get(CMSSY_LOCALE_HEADER);
   if (fromHeader) return fromHeader;
   const { defaultLocale } = await resolveSiteLocales(config);
@@ -360,11 +360,11 @@ function decodeAccessClaims(accessToken) {
   try {
     const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
     const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
-    const json3 = JSON.parse(new TextDecoder().decode(bytes));
-    if (typeof json3.recordId !== "string" || typeof json3.email !== "string" || json3.type !== "site_member") {
+    const json4 = JSON.parse(new TextDecoder().decode(bytes));
+    if (typeof json4.recordId !== "string" || typeof json4.email !== "string" || json4.type !== "site_member") {
       return null;
     }
-    return { recordId: json3.recordId, email: json3.email };
+    return { recordId: json4.recordId, email: json4.email };
   } catch {
     return null;
   }
@@ -1105,5 +1105,184 @@ async function fetchProduct(config, options) {
   });
   return products[0] ?? null;
 }
+var ORDER_FIELDS = `
+  id
+  status
+  subtotal
+  tax
+  total
+  currency
+  customerEmail
+  refundedAmount
+  paymentProvider
+  paidAt
+  fulfilledAt
+  createdAt
+  items { name price currency quantity sku }
+`;
+var MY_ORDERS = `query MyOrders($workspaceId: ID!, $skip: Int, $limit: Int) {
+  myOrders(workspaceId: $workspaceId, skip: $skip, limit: $limit) {
+    total
+    hasMore
+    items { ${ORDER_FIELDS} }
+  }
+}`;
+var MY_ORDER = `query MyOrder($workspaceId: ID!, $id: ID!) {
+  myOrder(workspaceId: $workspaceId, id: $id) { ${ORDER_FIELDS} }
+}`;
+var workspaceIdCache3 = /* @__PURE__ */ new Map();
+function workspaceIdFor3(config) {
+  const key = `${config.apiUrl}::${config.workspaceSlug}`;
+  const existing = workspaceIdCache3.get(key);
+  if (existing) return existing;
+  const fresh = resolveWorkspaceId(config).catch((err) => {
+    workspaceIdCache3.delete(key);
+    throw err;
+  });
+  workspaceIdCache3.set(key, fresh);
+  return fresh;
+}
+function headers2(workspaceId, accessToken) {
+  return {
+    "x-workspace-id": workspaceId,
+    authorization: `Bearer ${accessToken}`
+  };
+}
+async function backendMyOrders(config, accessToken, options) {
+  const workspaceId = await workspaceIdFor3(config);
+  const data = await graphqlRequest(
+    config,
+    MY_ORDERS,
+    { workspaceId, skip: options.skip, limit: options.limit },
+    { headers: headers2(workspaceId, accessToken) },
+    "my orders"
+  );
+  return data.myOrders;
+}
+async function backendMyOrder(config, accessToken, id) {
+  const workspaceId = await workspaceIdFor3(config);
+  const data = await graphqlRequest(
+    config,
+    MY_ORDER,
+    { workspaceId, id },
+    { headers: headers2(workspaceId, accessToken) },
+    "my order"
+  );
+  return data.myOrder;
+}
+
+// src/create-orders-route.ts
+var DEFAULT_LIMIT = 20;
+var MAX_LIMIT = 100;
+function json3(body, status = 200) {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: {
+      "content-type": "application/json",
+      "cache-control": "no-store"
+    }
+  });
+}
+function createCmssyOrdersRoute(config) {
+  async function memberAccessToken() {
+    if (!config.auth) return void 0;
+    const jar = await cookies();
+    const raw = jar.get(CMSSY_SESSION_COOKIE)?.value;
+    if (!raw) return void 0;
+    const session = await openSession(
+      raw,
+      config.auth.sessionSecret,
+      config.workspaceSlug
+    );
+    if (!session || isAccessExpired(session)) return void 0;
+    return session.accessToken;
+  }
+  return {
+    async GET(request2) {
+      const accessToken = await memberAccessToken();
+      if (!accessToken) {
+        return json3({ message: "Not signed in." }, 401);
+      }
+      const url = new URL(request2.url);
+      try {
+        const id = url.searchParams.get("id");
+        if (id) {
+          return json3({ order: await backendMyOrder(config, accessToken, id) });
+        }
+        const skip = Math.max(
+          0,
+          Math.floor(Number(url.searchParams.get("skip")) || 0)
+        );
+        const limitParam = Math.floor(Number(url.searchParams.get("limit")));
+        const limit = Number.isFinite(limitParam) && limitParam > 0 ? Math.min(limitParam, MAX_LIMIT) : DEFAULT_LIMIT;
+        const result = await backendMyOrders(config, accessToken, {
+          skip,
+          limit
+        });
+        return json3(result);
+      } catch (err) {
+        return json3(
+          { message: err instanceof Error ? err.message : "Orders error" },
+          502
+        );
+      }
+    }
+  };
+}
+var CmssyWebhookError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CmssyWebhookError";
+  }
+};
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  let timestamp = null;
+  let signature = null;
+  for (const part of header.split(",")) {
+    const idx = part.indexOf("=");
+    if (idx === -1) continue;
+    const key = part.slice(0, idx).trim();
+    const value = part.slice(idx + 1).trim();
+    if (key === "t") timestamp = Number(value);
+    else if (key === "v1") signature = value;
+  }
+  if (timestamp === null || !Number.isFinite(timestamp) || !signature) {
+    throw new CmssyWebhookError("Malformed X-Cmssy-Signature header");
+  }
+  return { timestamp, signature };
+}
+function timingSafeHexEqual(expectedHex, providedHex) {
+  const expected = Buffer.from(expectedHex, "hex");
+  const provided = Buffer.from(providedHex, "hex");
+  if (expected.length !== provided.length) return false;
+  return timingSafeEqual(expected, provided);
+}
+function verifyCmssyWebhook(options) {
+  const { body, signatureHeader, secret } = options;
+  if (!signatureHeader) {
+    throw new CmssyWebhookError("Missing X-Cmssy-Signature header");
+  }
+  if (!secret) {
+    throw new CmssyWebhookError("Missing webhook secret");
+  }
+  const { timestamp, signature } = parseSignatureHeader(signatureHeader);
+  const toleranceMs = (options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS) * 1e3;
+  const now = options.now ?? Date.now();
+  if (Math.abs(now - timestamp) > toleranceMs) {
+    throw new CmssyWebhookError("Webhook timestamp outside tolerance");
+  }
+  const expected = createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
+  if (!timingSafeHexEqual(expected, signature)) {
+    throw new CmssyWebhookError("Webhook signature mismatch");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch {
+    throw new CmssyWebhookError("Webhook body is not valid JSON");
+  }
+  return parsed;
+}
 
-export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, SESSION_MAX_AGE_SECONDS, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale };
+export { CMSSY_CART_COOKIE, CMSSY_EDIT_HEADER, CMSSY_LOCALE_HEADER, CMSSY_SESSION_COOKIE, CmssyWebhookError, SESSION_MAX_AGE_SECONDS, applyCmssyCsp, assertAuthConfig, cmssyCspHeaders, createCmssyAuthMiddleware, createCmssyAuthRoute, createCmssyCartRoute, createCmssyOrdersRoute, createCmssyPage, createDraftRoute, fetchProduct, fetchProducts, getCmssyAccessToken, getCmssyLocale, getCmssyUser, isAccessExpired, isCmssyEditMode, isCmssyEditRequest, localeForPathname, openSession, sealSession, sessionCookieOptions, splitCmssyLocale, verifyCmssyWebhook };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cmssy/next",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "description": "Next.js App Router bindings for cmssy headless sites (createCmssyPage + draft preview)",
   "keywords": [
     "cmssy",
@@ -36,7 +36,7 @@
     "dist"
   ],
   "peerDependencies": {
-    "@cmssy/react": "^0.2.2",
+    "@cmssy/react": "^0.2.4",
     "next": ">=15",
     "react": "^18.2.0 || ^19.0.0",
     "react-dom": "^18.2.0 || ^19.0.0"
@@ -49,7 +49,7 @@
     "tsup": "^8.3.0",
     "typescript": "^5.6.0",
     "vitest": "^2.1.0",
-    "@cmssy/react": "0.2.2"
+    "@cmssy/react": "0.2.4"
   },
   "dependencies": {
     "jose": "^6.2.3"