@drawbridge/drawbridge-utils 0.0.21 → 0.0.23

package/dist/chunk-HOA2JHXC.js

@@ -0,0 +1,10 @@
+// token.js
+import crypto from "crypto";
+var generate = (bytes = 32, encoding = "base64url") => {
+  const buf = crypto.randomBytes(bytes);
+  return encoding ? buf.toString(encoding) : buf;
+};
+
+export {
+  generate
+};

package/dist/{chunk-CUUQCM5T.js → chunk-N5EMSZLI.js}

@@ -1,9 +1,13 @@
+import {
+  generate
+} from "./chunk-HOA2JHXC.js";
+
 // encrypt.js
 import crypto from "crypto";
 var ALGORITHM = "aes-256-gcm";
 var getKey = () => Buffer.from(process.env.ENCRYPT_CONNECTION_SECRET, "hex");
 var encrypt = (value) => {
-  const iv = crypto.randomBytes(12);
+  const iv = generate(12, null);
   const cipher = crypto.createCipheriv(ALGORITHM, getKey(), iv);
   const data = Buffer.concat([
     cipher.update(JSON.stringify(value), "utf8"),

package/dist/encrypt.cjs

@@ -33,12 +33,21 @@ __export(encrypt_exports, {
   encrypt: () => encrypt
 });
 module.exports = __toCommonJS(encrypt_exports);
+var import_crypto2 = __toESM(require("crypto"), 1);
+
+// token.js
 var import_crypto = __toESM(require("crypto"), 1);
+var generate = (bytes = 32, encoding = "base64url") => {
+  const buf = import_crypto.default.randomBytes(bytes);
+  return encoding ? buf.toString(encoding) : buf;
+};
+
+// encrypt.js
 var ALGORITHM = "aes-256-gcm";
 var getKey = () => Buffer.from(process.env.ENCRYPT_CONNECTION_SECRET, "hex");
 var encrypt = (value) => {
-  const iv = import_crypto.default.randomBytes(12);
-  const cipher = import_crypto.default.createCipheriv(ALGORITHM, getKey(), iv);
+  const iv = generate(12, null);
+  const cipher = import_crypto2.default.createCipheriv(ALGORITHM, getKey(), iv);
   const data = Buffer.concat([
     cipher.update(JSON.stringify(value), "utf8"),
     cipher.final()
@@ -49,7 +58,7 @@ var encrypt = (value) => {
 var decrypt = (value) => {
   if (typeof value !== "string") return value;
   const [ivHex, tagHex, dataHex] = value.split(":");
-  const decipher = import_crypto.default.createDecipheriv(
+  const decipher = import_crypto2.default.createDecipheriv(
     ALGORITHM,
     getKey(),
     Buffer.from(ivHex, "hex")

package/dist/encrypt.d.cts

@@ -1,4 +1,5 @@
 import crypto from 'crypto';
+import { generate } from './token.cjs';
 
 const ALGORITHM = 'aes-256-gcm';
 
@@ -6,7 +7,7 @@ const getKey = () => Buffer.from( process.env.ENCRYPT_CONNECTION_SECRET, 'hex' )
 
 const encrypt = ( value ) => {
 
-	const iv = crypto.randomBytes( 12 );
+	const iv = generate( 12, null );
 	const cipher = crypto.createCipheriv( ALGORITHM, getKey(), iv );
 	const data = Buffer.concat([
 		cipher.update( JSON.stringify( value ), 'utf8' ),

package/dist/encrypt.d.ts

@@ -1,4 +1,5 @@
 import crypto from 'crypto';
+import { generate } from './token.js';
 
 const ALGORITHM = 'aes-256-gcm';
 
@@ -6,7 +7,7 @@ const getKey = () => Buffer.from( process.env.ENCRYPT_CONNECTION_SECRET, 'hex' )
 
 const encrypt = ( value ) => {
 
-	const iv = crypto.randomBytes( 12 );
+	const iv = generate( 12, null );
 	const cipher = crypto.createCipheriv( ALGORITHM, getKey(), iv );
 	const data = Buffer.concat([
 		cipher.update( JSON.stringify( value ), 'utf8' ),

package/dist/encrypt.js

@@ -1,7 +1,8 @@
 import {
   decrypt,
   encrypt
-} from "./chunk-CUUQCM5T.js";
+} from "./chunk-N5EMSZLI.js";
+import "./chunk-HOA2JHXC.js";
 export {
   decrypt,
   encrypt

package/dist/shopify.cjs

@@ -32,17 +32,30 @@ __export(shopify_exports, {
   getAdminToken: () => getAdminToken,
   ping: () => ping,
   refreshAdminToken: () => refreshAdminToken,
-  resolveConnectionSettings: () => resolveConnectionSettings
+  resolveConnectionSettings: () => resolveConnectionSettings,
+  signOAuthState: () => signOAuthState,
+  verifyOAuthCallbackHmac: () => verifyOAuthCallbackHmac,
+  verifyOAuthState: () => verifyOAuthState
 });
 module.exports = __toCommonJS(shopify_exports);
+var import_crypto3 = __toESM(require("crypto"), 1);
 
 // encrypt.js
+var import_crypto2 = __toESM(require("crypto"), 1);
+
+// token.js
 var import_crypto = __toESM(require("crypto"), 1);
+var generate = (bytes = 32, encoding = "base64url") => {
+  const buf = import_crypto.default.randomBytes(bytes);
+  return encoding ? buf.toString(encoding) : buf;
+};
+
+// encrypt.js
 var ALGORITHM = "aes-256-gcm";
 var getKey = () => Buffer.from(process.env.ENCRYPT_CONNECTION_SECRET, "hex");
 var encrypt = (value) => {
-  const iv = import_crypto.default.randomBytes(12);
-  const cipher = import_crypto.default.createCipheriv(ALGORITHM, getKey(), iv);
+  const iv = generate(12, null);
+  const cipher = import_crypto2.default.createCipheriv(ALGORITHM, getKey(), iv);
   const data = Buffer.concat([
     cipher.update(JSON.stringify(value), "utf8"),
     cipher.final()
@@ -53,7 +66,7 @@ var encrypt = (value) => {
 var decrypt = (value) => {
   if (typeof value !== "string") return value;
   const [ivHex, tagHex, dataHex] = value.split(":");
-  const decipher = import_crypto.default.createDecipheriv(
+  const decipher = import_crypto2.default.createDecipheriv(
     ALGORITHM,
     getKey(),
     Buffer.from(ivHex, "hex")
@@ -70,6 +83,48 @@ var decrypt = (value) => {
 var SHOPIFY_ADMIN_API_VERSION = "2025-01";
 var REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1e3;
 var ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+var OAUTH_STATE_TTL_MS = 5 * 60 * 1e3;
+var signOAuthState = ({ organizationId, shop }) => {
+  const payload = Buffer.from(JSON.stringify({
+    exp: Date.now() + OAUTH_STATE_TTL_MS,
+    organizationId,
+    shop
+  })).toString("base64url");
+  const signature = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  return payload + "." + signature;
+};
+var verifyOAuthState = (raw) => {
+  if (!raw) return null;
+  const [payload, signature] = raw.split(".");
+  if (!payload || !signature) return null;
+  const expected = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  if (signature.length !== expected.length) return null;
+  const valid = import_crypto3.default.timingSafeEqual(
+    Buffer.from(signature),
+    Buffer.from(expected)
+  );
+  if (!valid) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(Buffer.from(payload, "base64url").toString());
+  } catch {
+    return null;
+  }
+  ;
+  if (!(parsed == null ? void 0 : parsed.exp) || parsed.exp < Date.now()) return null;
+  return parsed;
+};
+var verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+  const message = (rawQuery || "").split("&").filter((pair) => !pair.startsWith("hmac=")).sort((a, b) => {
+    const nameA = a.split("=")[0];
+    const nameB = b.split("=")[0];
+    return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+  }).join("&");
+  const digest = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(message).digest("hex");
+  const digestBuf = Buffer.from(digest);
+  const hmacBuf = Buffer.from(hmac || "");
+  return digestBuf.length === hmacBuf.length && import_crypto3.default.timingSafeEqual(digestBuf, hmacBuf);
+};
 var shopifyOAuthFetch = async (url, body) => {
   const response = await fetch(url, {
     method: "POST",
@@ -190,5 +245,8 @@ var getAdminToken = async ({ connection, controller }) => {
   getAdminToken,
   ping,
   refreshAdminToken,
-  resolveConnectionSettings
+  resolveConnectionSettings,
+  signOAuthState,
+  verifyOAuthCallbackHmac,
+  verifyOAuthState
 });

package/dist/shopify.d.cts

@@ -1,9 +1,100 @@
+import crypto from 'crypto';
 import { decrypt, encrypt } from './encrypt.cjs';
-import 'crypto';
+import './token.cjs';
 
 const SHOPIFY_ADMIN_API_VERSION = '2025-01';
 const REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000;
 const ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1000;
+const OAUTH_STATE_TTL_MS = 5 * 60 * 1000;
+
+const signOAuthState = ({ organizationId, shop }) => {
+
+	const payload = Buffer.from( JSON.stringify({
+		exp : Date.now() + OAUTH_STATE_TTL_MS,
+		organizationId,
+		shop
+	}) ).toString( 'base64url' );
+
+	const signature = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+
+	return payload + '.' + signature;
+
+};
+
+const verifyOAuthState = ( raw ) => {
+
+	if( ! raw ) return null;
+
+	const [ payload, signature ] = raw.split( '.' );
+
+	if( ! payload || ! signature ) return null;
+
+	const expected = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+
+	if( signature.length !== expected.length ) return null;
+
+	const valid = crypto.timingSafeEqual(
+		Buffer.from( signature ),
+		Buffer.from( expected )
+	);
+
+	if( ! valid ) return null;
+
+	let parsed;
+
+	try {
+
+		parsed = JSON.parse( Buffer.from( payload, 'base64url' ).toString() );
+
+	} catch {
+
+		return null;
+
+	}
+	if( ! parsed?.exp || parsed.exp < Date.now() ) return null;
+
+	return parsed;
+
+};
+
+// Verifies the HMAC Shopify includes on OAuth callback query strings. Sort by
+// parameter NAME (not full key=value pair) per Shopify spec — matches the
+// official @shopify/shopify-api SDK. A plain .sort() compares whole strings,
+// which would diverge when one name is a prefix of another and the next char
+// sorts before '=' in ASCII (e.g. `state` vs `state2`).
+const verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+
+	const message = ( rawQuery || '' )
+		.split( '&' )
+		.filter( pair => ! pair.startsWith( 'hmac=' ) )
+		.sort( ( a, b ) => {
+
+			const nameA = a.split( '=' )[ 0 ];
+			const nameB = b.split( '=' )[ 0 ];
+
+			return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+
+		})
+		.join( '&' );
+
+	const digest = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( message )
+		.digest( 'hex' );
+
+	const digestBuf = Buffer.from( digest );
+	const hmacBuf = Buffer.from( hmac || '' );
+
+	return digestBuf.length === hmacBuf.length
+		&& crypto.timingSafeEqual( digestBuf, hmacBuf );
+
+};
 
 const shopifyOAuthFetch = async ( url, body ) => {
 
@@ -165,4 +256,4 @@ const getAdminToken = async ({ connection, controller }) => {
 
 };
 
-export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings };
+export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings, signOAuthState, verifyOAuthCallbackHmac, verifyOAuthState };

package/dist/shopify.d.ts

@@ -1,9 +1,100 @@
+import crypto from 'crypto';
 import { decrypt, encrypt } from './encrypt.js';
-import 'crypto';
+import './token.js';
 
 const SHOPIFY_ADMIN_API_VERSION = '2025-01';
 const REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000;
 const ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1000;
+const OAUTH_STATE_TTL_MS = 5 * 60 * 1000;
+
+const signOAuthState = ({ organizationId, shop }) => {
+
+	const payload = Buffer.from( JSON.stringify({
+		exp : Date.now() + OAUTH_STATE_TTL_MS,
+		organizationId,
+		shop
+	}) ).toString( 'base64url' );
+
+	const signature = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+
+	return payload + '.' + signature;
+
+};
+
+const verifyOAuthState = ( raw ) => {
+
+	if( ! raw ) return null;
+
+	const [ payload, signature ] = raw.split( '.' );
+
+	if( ! payload || ! signature ) return null;
+
+	const expected = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+
+	if( signature.length !== expected.length ) return null;
+
+	const valid = crypto.timingSafeEqual(
+		Buffer.from( signature ),
+		Buffer.from( expected )
+	);
+
+	if( ! valid ) return null;
+
+	let parsed;
+
+	try {
+
+		parsed = JSON.parse( Buffer.from( payload, 'base64url' ).toString() );
+
+	} catch {
+
+		return null;
+
+	}
+	if( ! parsed?.exp || parsed.exp < Date.now() ) return null;
+
+	return parsed;
+
+};
+
+// Verifies the HMAC Shopify includes on OAuth callback query strings. Sort by
+// parameter NAME (not full key=value pair) per Shopify spec — matches the
+// official @shopify/shopify-api SDK. A plain .sort() compares whole strings,
+// which would diverge when one name is a prefix of another and the next char
+// sorts before '=' in ASCII (e.g. `state` vs `state2`).
+const verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+
+	const message = ( rawQuery || '' )
+		.split( '&' )
+		.filter( pair => ! pair.startsWith( 'hmac=' ) )
+		.sort( ( a, b ) => {
+
+			const nameA = a.split( '=' )[ 0 ];
+			const nameB = b.split( '=' )[ 0 ];
+
+			return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+
+		})
+		.join( '&' );
+
+	const digest = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( message )
+		.digest( 'hex' );
+
+	const digestBuf = Buffer.from( digest );
+	const hmacBuf = Buffer.from( hmac || '' );
+
+	return digestBuf.length === hmacBuf.length
+		&& crypto.timingSafeEqual( digestBuf, hmacBuf );
+
+};
 
 const shopifyOAuthFetch = async ( url, body ) => {
 
@@ -165,4 +256,4 @@ const getAdminToken = async ({ connection, controller }) => {
 
 };
 
-export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings };
+export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings, signOAuthState, verifyOAuthCallbackHmac, verifyOAuthState };

package/dist/shopify.js

@@ -1,12 +1,56 @@
 import {
   decrypt,
   encrypt
-} from "./chunk-CUUQCM5T.js";
+} from "./chunk-N5EMSZLI.js";
+import "./chunk-HOA2JHXC.js";
 
 // shopify.js
+import crypto from "crypto";
 var SHOPIFY_ADMIN_API_VERSION = "2025-01";
 var REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1e3;
 var ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+var OAUTH_STATE_TTL_MS = 5 * 60 * 1e3;
+var signOAuthState = ({ organizationId, shop }) => {
+  const payload = Buffer.from(JSON.stringify({
+    exp: Date.now() + OAUTH_STATE_TTL_MS,
+    organizationId,
+    shop
+  })).toString("base64url");
+  const signature = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  return payload + "." + signature;
+};
+var verifyOAuthState = (raw) => {
+  if (!raw) return null;
+  const [payload, signature] = raw.split(".");
+  if (!payload || !signature) return null;
+  const expected = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  if (signature.length !== expected.length) return null;
+  const valid = crypto.timingSafeEqual(
+    Buffer.from(signature),
+    Buffer.from(expected)
+  );
+  if (!valid) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(Buffer.from(payload, "base64url").toString());
+  } catch {
+    return null;
+  }
+  ;
+  if (!(parsed == null ? void 0 : parsed.exp) || parsed.exp < Date.now()) return null;
+  return parsed;
+};
+var verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+  const message = (rawQuery || "").split("&").filter((pair) => !pair.startsWith("hmac=")).sort((a, b) => {
+    const nameA = a.split("=")[0];
+    const nameB = b.split("=")[0];
+    return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+  }).join("&");
+  const digest = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(message).digest("hex");
+  const digestBuf = Buffer.from(digest);
+  const hmacBuf = Buffer.from(hmac || "");
+  return digestBuf.length === hmacBuf.length && crypto.timingSafeEqual(digestBuf, hmacBuf);
+};
 var shopifyOAuthFetch = async (url, body) => {
   const response = await fetch(url, {
     method: "POST",
@@ -126,5 +170,8 @@ export {
   getAdminToken,
   ping,
   refreshAdminToken,
-  resolveConnectionSettings
+  resolveConnectionSettings,
+  signOAuthState,
+  verifyOAuthCallbackHmac,
+  verifyOAuthState
 };

package/dist/token.cjs

@@ -0,0 +1,43 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// token.js
+var token_exports = {};
+__export(token_exports, {
+  generate: () => generate
+});
+module.exports = __toCommonJS(token_exports);
+var import_crypto = __toESM(require("crypto"), 1);
+var generate = (bytes = 32, encoding = "base64url") => {
+  const buf = import_crypto.default.randomBytes(bytes);
+  return encoding ? buf.toString(encoding) : buf;
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  generate
+});

package/dist/token.d.cts

@@ -0,0 +1,22 @@
+import crypto from 'crypto';
+
+// Cryptographically secure random bytes. Defaults to 32 bytes encoded as
+// base64url — the shape used for unguessable shared secrets (preview tokens,
+// admin tokens, share-link tokens, etc.). Pass `null` (or empty string) as
+// `encoding` to receive the raw Buffer instead — used by encrypt.js for the
+// AES-GCM IV.
+//
+// Usage:
+//   const { generate } = require( '@drawbridge/drawbridge-utils/token' );
+//   const tokenString = generate();              // 43-char base64url string
+//   const iv = generate( 12, null );             // 12-byte Buffer
+
+const generate = ( bytes = 32, encoding = 'base64url' ) => {
+
+	const buf = crypto.randomBytes( bytes );
+
+	return encoding ? buf.toString( encoding ) : buf;
+
+};
+
+export { generate };

package/dist/token.d.ts

@@ -0,0 +1,22 @@
+import crypto from 'crypto';
+
+// Cryptographically secure random bytes. Defaults to 32 bytes encoded as
+// base64url — the shape used for unguessable shared secrets (preview tokens,
+// admin tokens, share-link tokens, etc.). Pass `null` (or empty string) as
+// `encoding` to receive the raw Buffer instead — used by encrypt.js for the
+// AES-GCM IV.
+//
+// Usage:
+//   const { generate } = require( '@drawbridge/drawbridge-utils/token' );
+//   const tokenString = generate();              // 43-char base64url string
+//   const iv = generate( 12, null );             // 12-byte Buffer
+
+const generate = ( bytes = 32, encoding = 'base64url' ) => {
+
+	const buf = crypto.randomBytes( bytes );
+
+	return encoding ? buf.toString( encoding ) : buf;
+
+};
+
+export { generate };

package/dist/token.js

@@ -0,0 +1,6 @@
+import {
+  generate
+} from "./chunk-HOA2JHXC.js";
+export {
+  generate
+};

package/package.json

@@ -64,6 +64,11 @@
       "types": "./dist/slugify.d.ts",
       "import": "./dist/slugify.js",
       "require": "./dist/slugify.cjs"
+    },
+    "./token": {
+      "types": "./dist/token.d.ts",
+      "import": "./dist/token.js",
+      "require": "./dist/token.cjs"
     }
   },
   "files": [
@@ -81,5 +86,5 @@
     "build": "tsup && npm publish"
   },
   "types": "dist/index.d.ts",
-  "version": "0.0.21"
+  "version": "0.0.23"
 }