npm - @crewhaus/channel-adapter-discord - Versions diffs - 0.1.1 → 0.1.2 - Mend

@crewhaus/channel-adapter-discord 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +6 -11
package/src/index.test.ts +45 -1
package/src/index.ts +23 -12
package/src/verify.crypto-throw.test.ts +61 -0
package/src/verify.ts +29 -7

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@crewhaus/channel-adapter-discord",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "type": "module",
   "description": "Discord channel adapter: Ed25519 signature verification + slash-command/button/modal interaction parsing + interaction-response API (Section 33)",
   "main": "src/index.ts",
@@ -12,13 +12,13 @@
     "test": "bun test src"
   },
   "dependencies": {
-    "@crewhaus/errors": "0.1.1"
+    "@crewhaus/errors": "0.1.2"
   },
   "license": "Apache-2.0",
   "author": {
     "name": "Max Meier",
-    "email": "max@studiomax.io",
-    "url": "https://studiomax.io"
+    "email": "max@crewhaus.ai",
+    "url": "https://crewhaus.ai"
   },
   "repository": {
     "type": "git",
@@ -30,12 +30,7 @@
     "url": "https://github.com/crewhaus/factory/issues"
   },
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
-  "files": [
-    "src",
-    "README.md",
-    "LICENSE",
-    "NOTICE"
-  ]
+  "files": ["src", "README.md", "LICENSE", "NOTICE"]
 }

package/src/index.test.ts CHANGED Viewed

@@ -30,7 +30,7 @@ beforeAll(() => {
   otherPublicKeyHex = generateEd25519Keypair().publicKeyHex;
 });
-function signedHeaders(body: string, ts: string | number = "1700000000"): Headers {
+function signedHeaders(body: string, ts: string | number = Math.floor(Date.now() / 1000)): Headers {
   const sig = signDiscordBody({ body, timestamp: ts, privateKeyPem });
   const h = new Headers();
   h.set("X-Signature-Ed25519", sig);
@@ -117,6 +117,34 @@ describe("verifyDiscordSignature (T8)", () => {
     expect(verifyDiscordSignature({ headers, body, publicKeyHex })).toBe(false);
   });
+  // SECURITY: the timestamp is signed but was never checked against the clock,
+  // so a captured interaction replayed indefinitely (after a daemon restart or
+  // LRU dedup eviction). Reject stale/future timestamps, mirroring Slack.
+  test("rejects an expired timestamp (replay window)", () => {
+    const body = fixture("ping");
+    const oldTs = Math.floor(Date.now() / 1000) - 10 * 60; // 10 minutes ago
+    expect(
+      verifyDiscordSignature({ headers: signedHeaders(body, oldTs), body, publicKeyHex }),
+    ).toBe(false);
+  });
+  test("rejects a future timestamp", () => {
+    const body = fixture("ping");
+    const futureTs = Math.floor(Date.now() / 1000) + 10 * 60;
+    expect(
+      verifyDiscordSignature({ headers: signedHeaders(body, futureTs), body, publicKeyHex }),
+    ).toBe(false);
+  });
+  test("a stale-but-validly-signed triple verifies when now() is pinned (gate is freshness, not signature)", () => {
+    const body = fixture("ping");
+    const ts = 1700000000;
+    const headers = signedHeaders(body, ts);
+    expect(verifyDiscordSignature({ headers, body, publicKeyHex }, { now: () => ts * 1000 })).toBe(
+      true,
+    );
+  });
   test("rejects malformed publicKeyHex", () => {
     const body = fixture("ping");
     expect(
@@ -287,6 +315,22 @@ describe("sendReply / setTyping (T3)", () => {
     expect(calls.length).toBe(1);
     expect(calls[0]?.url).toBe("https://test.discord.local/channels/300000000000000001/typing");
   });
+  test("setTyping swallows network rejection (best-effort)", async () => {
+    // A failed typing indicator must never reject and break the reply flow.
+    const f = (async () => {
+      throw new Error("network down");
+    }) as unknown as typeof fetch;
+    const a = adapter({ fetch: f });
+    await expect(a.setTyping({ event })).resolves.toBeUndefined();
+  });
+  test("setTyping ignores non-2xx responses (best-effort)", async () => {
+    const f = (async () =>
+      new Response("nope", { status: 500, statusText: "Internal" })) as unknown as typeof fetch;
+    const a = adapter({ fetch: f });
+    await expect(a.setTyping({ event })).resolves.toBeUndefined();
+  });
 });
 describe("createDiscordAdapter.verify()", () => {

package/src/index.ts CHANGED Viewed

@@ -94,6 +94,8 @@ export type DiscordAdapterConfig = {
 export type DiscordAdapterOptions = {
   readonly apiBaseUrl?: string;
   readonly fetch?: typeof fetch;
+  /** Clock injection for the signature replay-window check (tests). */
+  readonly now?: () => number;
 };
 const DEFAULT_API_BASE_URL = "https://discord.com/api/v10";
@@ -110,11 +112,14 @@ export function createDiscordAdapter(
     id: "discord",
     verify(req: RawRequest): boolean {
-      return verifyDiscordSignature({
-        headers: req.headers,
-        body: req.body,
-        publicKeyHex: config.publicKeyHex,
-      });
+      return verifyDiscordSignature(
+        {
+          headers: req.headers,
+          body: req.body,
+          publicKeyHex: config.publicKeyHex,
+        },
+        opts.now !== undefined ? { now: opts.now } : {},
+      );
     },
     parseInbound(req: RawRequest): ParsedInbound {
@@ -192,13 +197,19 @@ export function createDiscordAdapter(
     async setTyping(args: { event: InboundEvent }): Promise<void> {
       const url = `${apiBaseUrl}/channels/${args.event.channelId}/typing`;
-      await doFetch(url, {
-        method: "POST",
-        headers: {
-          Authorization: `Bot ${config.botToken}`,
-        },
-      });
-      // Best-effort — do not surface failures.
+      // Best-effort — do not surface failures. A failed typing indicator must
+      // never reject and break the caller's reply flow, so we swallow both
+      // network rejections (DNS/abort/connection) and non-2xx responses.
+      try {
+        await doFetch(url, {
+          method: "POST",
+          headers: {
+            Authorization: `Bot ${config.botToken}`,
+          },
+        });
+      } catch {
+        // ignore — typing indicator is non-essential.
+      }
     },
   };
 }

package/src/verify.crypto-throw.test.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Isolated test for the defensive `catch` around Node's `crypto.verify` in
+ * `verifyDiscordSignature`.
+ *
+ * With a valid Ed25519 key and a 64-byte signature, OpenSSL's `verify` returns
+ * `false` rather than throwing, so the catch is unreachable through ordinary
+ * inputs. It is still legitimate defensive code: `crypto.verify(null, …)` can
+ * throw `ERR_OSSL_*` for unexpected key/state combinations. We exercise it by
+ * stubbing `node:crypto.verify` to throw and asserting the function degrades to
+ * `false` instead of propagating.
+ *
+ * `mock.module` mutates the module registry for the REST OF THE PROCESS —
+ * `bun test` runs every test file in one process and does NOT give each file
+ * a fresh module graph, and file execution order is nondeterministic. If this
+ * file runs before `index.test.ts` without the `afterAll` restore below, the
+ * throwing stub leaks into it and every valid-signature test fails (observed
+ * intermittently in CI). The restore is load-bearing; keep it.
+ */
+import { afterAll, expect, mock, test } from "bun:test";
+const realCrypto = require("node:crypto") as typeof import("node:crypto");
+mock.module("node:crypto", () => ({
+  ...realCrypto,
+  // Force the verification path to throw the way OpenSSL can under
+  // unexpected conditions (e.g. ERR_OSSL_NO_DEFAULT_DIGEST).
+  verify: () => {
+    throw new Error("ERR_OSSL synthetic failure");
+  },
+}));
+afterAll(() => {
+  // Bun has no mock.module restore API; re-mocking with the real exports is
+  // the documented way to undo a module mock. This updates live bindings in
+  // already-loaded importers (verify.ts), so files that run after this one
+  // see the real `crypto.verify` again.
+  mock.module("node:crypto", () => realCrypto);
+});
+// Import the module under test *after* the stub is registered so its
+// `import { verify } from "node:crypto"` binding resolves to the stub.
+const { verifyDiscordSignature, generateEd25519Keypair, signDiscordBody } = await import(
+  "./verify.js"
+);
+test("verifyDiscordSignature returns false when crypto.verify throws", () => {
+  // Keypair generation + signing still use the real crypto (spread above).
+  const { publicKeyHex, privateKeyPem } = generateEd25519Keypair();
+  const body = JSON.stringify({ type: 1 });
+  const timestamp = "1700000000";
+  const sig = signDiscordBody({ body, timestamp, privateKeyPem });
+  const headers = new Headers();
+  headers.set("X-Signature-Ed25519", sig);
+  headers.set("X-Signature-Timestamp", timestamp);
+  // Every guard (hex regex, timestamp regex, 64-byte length, public-key
+  // construction) passes, so control reaches the `verify(...)` call — which
+  // now throws — and the catch must convert it to a clean `false`.
+  expect(verifyDiscordSignature({ headers, body, publicKeyHex })).toBe(false);
+});

package/src/verify.ts CHANGED Viewed

@@ -25,19 +25,41 @@ export type DiscordVerifyArgs = {
   readonly publicKeyHex: string;
 };
-export function verifyDiscordSignature(args: DiscordVerifyArgs): boolean {
+export type DiscordVerifyOptions = {
+  readonly now?: () => number;
+  readonly toleranceMs?: number;
+};
+// Discord recommends rejecting interactions whose timestamp is too far from
+// now; 5 minutes matches the Slack adapter's replay-window cap.
+const DEFAULT_TOLERANCE_MS = 5 * 60 * 1000;
+export function verifyDiscordSignature(
+  args: DiscordVerifyArgs,
+  opts: DiscordVerifyOptions = {},
+): boolean {
+  const now = opts.now ?? (() => Date.now());
+  const tolerance = opts.toleranceMs ?? DEFAULT_TOLERANCE_MS;
   const sigHex = args.headers.get("x-signature-ed25519");
   const timestamp = args.headers.get("x-signature-timestamp");
   if (!sigHex || !timestamp) return false;
   if (!/^[0-9a-f]{128}$/i.test(sigHex)) return false;
   if (!/^\d+$/.test(timestamp)) return false;
-  let signature: Buffer;
-  try {
-    signature = Buffer.from(sigHex, "hex");
-  } catch {
-    return false;
-  }
+  // Replay-window: the timestamp is folded into the signed payload, so a
+  // captured (timestamp, body, signature) triple verifies indefinitely
+  // without this freshness bound. Reject stale/future timestamps (seconds
+  // since epoch), mirroring the Slack adapter.
+  const tsNum = Number.parseInt(timestamp, 10);
+  if (!Number.isFinite(tsNum)) return false;
+  if (Math.abs(now() - tsNum * 1000) > tolerance) return false;
+  // `sigHex` is regex-validated above to be exactly 128 hex chars, so
+  // `Buffer.from(_, "hex")` always yields exactly 64 bytes and never throws
+  // (`Buffer.from` silently drops invalid hex rather than throwing). The
+  // length re-check below is a cheap, defensive belt for that invariant.
+  const signature = Buffer.from(sigHex, "hex");
   if (signature.length !== 64) return false;
   let publicKey: ReturnType<typeof ed25519PublicKeyFromHex>;