npm - @drawbridge/drawbridge-utils - Versions diffs - 0.0.22 → 0.0.23 - Mend

@drawbridge/drawbridge-utils 0.0.22 → 0.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/shopify.cjs CHANGED Viewed

@@ -32,9 +32,13 @@ __export(shopify_exports, {
   getAdminToken: () => getAdminToken,
   ping: () => ping,
   refreshAdminToken: () => refreshAdminToken,
-  resolveConnectionSettings: () => resolveConnectionSettings
+  resolveConnectionSettings: () => resolveConnectionSettings,
+  signOAuthState: () => signOAuthState,
+  verifyOAuthCallbackHmac: () => verifyOAuthCallbackHmac,
+  verifyOAuthState: () => verifyOAuthState
 });
 module.exports = __toCommonJS(shopify_exports);
+var import_crypto3 = __toESM(require("crypto"), 1);
 // encrypt.js
 var import_crypto2 = __toESM(require("crypto"), 1);
@@ -79,6 +83,48 @@ var decrypt = (value) => {
 var SHOPIFY_ADMIN_API_VERSION = "2025-01";
 var REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1e3;
 var ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+var OAUTH_STATE_TTL_MS = 5 * 60 * 1e3;
+var signOAuthState = ({ organizationId, shop }) => {
+  const payload = Buffer.from(JSON.stringify({
+    exp: Date.now() + OAUTH_STATE_TTL_MS,
+    organizationId,
+    shop
+  })).toString("base64url");
+  const signature = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  return payload + "." + signature;
+};
+var verifyOAuthState = (raw) => {
+  if (!raw) return null;
+  const [payload, signature] = raw.split(".");
+  if (!payload || !signature) return null;
+  const expected = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  if (signature.length !== expected.length) return null;
+  const valid = import_crypto3.default.timingSafeEqual(
+    Buffer.from(signature),
+    Buffer.from(expected)
+  );
+  if (!valid) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(Buffer.from(payload, "base64url").toString());
+  } catch {
+    return null;
+  }
+  ;
+  if (!(parsed == null ? void 0 : parsed.exp) || parsed.exp < Date.now()) return null;
+  return parsed;
+};
+var verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+  const message = (rawQuery || "").split("&").filter((pair) => !pair.startsWith("hmac=")).sort((a, b) => {
+    const nameA = a.split("=")[0];
+    const nameB = b.split("=")[0];
+    return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+  }).join("&");
+  const digest = import_crypto3.default.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(message).digest("hex");
+  const digestBuf = Buffer.from(digest);
+  const hmacBuf = Buffer.from(hmac || "");
+  return digestBuf.length === hmacBuf.length && import_crypto3.default.timingSafeEqual(digestBuf, hmacBuf);
+};
 var shopifyOAuthFetch = async (url, body) => {
   const response = await fetch(url, {
     method: "POST",
@@ -199,5 +245,8 @@ var getAdminToken = async ({ connection, controller }) => {
   getAdminToken,
   ping,
   refreshAdminToken,
-  resolveConnectionSettings
+  resolveConnectionSettings,
+  signOAuthState,
+  verifyOAuthCallbackHmac,
+  verifyOAuthState
 });

package/dist/shopify.d.cts CHANGED Viewed

@@ -1,10 +1,100 @@
+import crypto from 'crypto';
 import { decrypt, encrypt } from './encrypt.cjs';
-import 'crypto';
 import './token.cjs';
 const SHOPIFY_ADMIN_API_VERSION = '2025-01';
 const REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000;
 const ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1000;
+const OAUTH_STATE_TTL_MS = 5 * 60 * 1000;
+const signOAuthState = ({ organizationId, shop }) => {
+	const payload = Buffer.from( JSON.stringify({
+		exp : Date.now() + OAUTH_STATE_TTL_MS,
+		organizationId,
+		shop
+	}) ).toString( 'base64url' );
+	const signature = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+	return payload + '.' + signature;
+};
+const verifyOAuthState = ( raw ) => {
+	if( ! raw ) return null;
+	const [ payload, signature ] = raw.split( '.' );
+	if( ! payload || ! signature ) return null;
+	const expected = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+	if( signature.length !== expected.length ) return null;
+	const valid = crypto.timingSafeEqual(
+		Buffer.from( signature ),
+		Buffer.from( expected )
+	);
+	if( ! valid ) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse( Buffer.from( payload, 'base64url' ).toString() );
+	} catch {
+		return null;
+	}
+	if( ! parsed?.exp || parsed.exp < Date.now() ) return null;
+	return parsed;
+};
+// Verifies the HMAC Shopify includes on OAuth callback query strings. Sort by
+// parameter NAME (not full key=value pair) per Shopify spec — matches the
+// official @shopify/shopify-api SDK. A plain .sort() compares whole strings,
+// which would diverge when one name is a prefix of another and the next char
+// sorts before '=' in ASCII (e.g. `state` vs `state2`).
+const verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+	const message = ( rawQuery || '' )
+		.split( '&' )
+		.filter( pair => ! pair.startsWith( 'hmac=' ) )
+		.sort( ( a, b ) => {
+			const nameA = a.split( '=' )[ 0 ];
+			const nameB = b.split( '=' )[ 0 ];
+			return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+		})
+		.join( '&' );
+	const digest = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( message )
+		.digest( 'hex' );
+	const digestBuf = Buffer.from( digest );
+	const hmacBuf = Buffer.from( hmac || '' );
+	return digestBuf.length === hmacBuf.length
+		&& crypto.timingSafeEqual( digestBuf, hmacBuf );
+};
 const shopifyOAuthFetch = async ( url, body ) => {
@@ -166,4 +256,4 @@ const getAdminToken = async ({ connection, controller }) => {
 };
-export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings };
+export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings, signOAuthState, verifyOAuthCallbackHmac, verifyOAuthState };

package/dist/shopify.d.ts CHANGED Viewed

@@ -1,10 +1,100 @@
+import crypto from 'crypto';
 import { decrypt, encrypt } from './encrypt.js';
-import 'crypto';
 import './token.js';
 const SHOPIFY_ADMIN_API_VERSION = '2025-01';
 const REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1000;
 const ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1000;
+const OAUTH_STATE_TTL_MS = 5 * 60 * 1000;
+const signOAuthState = ({ organizationId, shop }) => {
+	const payload = Buffer.from( JSON.stringify({
+		exp : Date.now() + OAUTH_STATE_TTL_MS,
+		organizationId,
+		shop
+	}) ).toString( 'base64url' );
+	const signature = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+	return payload + '.' + signature;
+};
+const verifyOAuthState = ( raw ) => {
+	if( ! raw ) return null;
+	const [ payload, signature ] = raw.split( '.' );
+	if( ! payload || ! signature ) return null;
+	const expected = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( payload )
+		.digest( 'base64url' );
+	if( signature.length !== expected.length ) return null;
+	const valid = crypto.timingSafeEqual(
+		Buffer.from( signature ),
+		Buffer.from( expected )
+	);
+	if( ! valid ) return null;
+	let parsed;
+	try {
+		parsed = JSON.parse( Buffer.from( payload, 'base64url' ).toString() );
+	} catch {
+		return null;
+	}
+	if( ! parsed?.exp || parsed.exp < Date.now() ) return null;
+	return parsed;
+};
+// Verifies the HMAC Shopify includes on OAuth callback query strings. Sort by
+// parameter NAME (not full key=value pair) per Shopify spec — matches the
+// official @shopify/shopify-api SDK. A plain .sort() compares whole strings,
+// which would diverge when one name is a prefix of another and the next char
+// sorts before '=' in ASCII (e.g. `state` vs `state2`).
+const verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+	const message = ( rawQuery || '' )
+		.split( '&' )
+		.filter( pair => ! pair.startsWith( 'hmac=' ) )
+		.sort( ( a, b ) => {
+			const nameA = a.split( '=' )[ 0 ];
+			const nameB = b.split( '=' )[ 0 ];
+			return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+		})
+		.join( '&' );
+	const digest = crypto
+		.createHmac( 'sha256', process.env.SHOPIFY_API_SECRET )
+		.update( message )
+		.digest( 'hex' );
+	const digestBuf = Buffer.from( digest );
+	const hmacBuf = Buffer.from( hmac || '' );
+	return digestBuf.length === hmacBuf.length
+		&& crypto.timingSafeEqual( digestBuf, hmacBuf );
+};
 const shopifyOAuthFetch = async ( url, body ) => {
@@ -166,4 +256,4 @@ const getAdminToken = async ({ connection, controller }) => {
 };
-export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings };
+export { getAdminToken, ping, refreshAdminToken, resolveConnectionSettings, signOAuthState, verifyOAuthCallbackHmac, verifyOAuthState };

package/dist/shopify.js CHANGED Viewed

@@ -5,9 +5,52 @@ import {
 import "./chunk-HOA2JHXC.js";
 // shopify.js
+import crypto from "crypto";
 var SHOPIFY_ADMIN_API_VERSION = "2025-01";
 var REFRESH_TOKEN_LIFETIME_MS = 90 * 24 * 60 * 60 * 1e3;
 var ACCESS_TOKEN_REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+var OAUTH_STATE_TTL_MS = 5 * 60 * 1e3;
+var signOAuthState = ({ organizationId, shop }) => {
+  const payload = Buffer.from(JSON.stringify({
+    exp: Date.now() + OAUTH_STATE_TTL_MS,
+    organizationId,
+    shop
+  })).toString("base64url");
+  const signature = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  return payload + "." + signature;
+};
+var verifyOAuthState = (raw) => {
+  if (!raw) return null;
+  const [payload, signature] = raw.split(".");
+  if (!payload || !signature) return null;
+  const expected = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(payload).digest("base64url");
+  if (signature.length !== expected.length) return null;
+  const valid = crypto.timingSafeEqual(
+    Buffer.from(signature),
+    Buffer.from(expected)
+  );
+  if (!valid) return null;
+  let parsed;
+  try {
+    parsed = JSON.parse(Buffer.from(payload, "base64url").toString());
+  } catch {
+    return null;
+  }
+  ;
+  if (!(parsed == null ? void 0 : parsed.exp) || parsed.exp < Date.now()) return null;
+  return parsed;
+};
+var verifyOAuthCallbackHmac = ({ hmac, rawQuery }) => {
+  const message = (rawQuery || "").split("&").filter((pair) => !pair.startsWith("hmac=")).sort((a, b) => {
+    const nameA = a.split("=")[0];
+    const nameB = b.split("=")[0];
+    return nameA < nameB ? -1 : nameA > nameB ? 1 : 0;
+  }).join("&");
+  const digest = crypto.createHmac("sha256", process.env.SHOPIFY_API_SECRET).update(message).digest("hex");
+  const digestBuf = Buffer.from(digest);
+  const hmacBuf = Buffer.from(hmac || "");
+  return digestBuf.length === hmacBuf.length && crypto.timingSafeEqual(digestBuf, hmacBuf);
+};
 var shopifyOAuthFetch = async (url, body) => {
   const response = await fetch(url, {
     method: "POST",
@@ -127,5 +170,8 @@ export {
   getAdminToken,
   ping,
   refreshAdminToken,
-  resolveConnectionSettings
+  resolveConnectionSettings,
+  signOAuthState,
+  verifyOAuthCallbackHmac,
+  verifyOAuthState
 };

package/package.json CHANGED Viewed

@@ -86,5 +86,5 @@
     "build": "tsup && npm publish"
   },
   "types": "dist/index.d.ts",
-  "version": "0.0.22"
+  "version": "0.0.23"
 }