@dwk/websub 0.1.0-beta.0

package/dist/store.d.ts

@@ -0,0 +1,61 @@
+/**
+ * `@dwk/websub` — D1-backed subscription store.
+ *
+ * The set of active subscriptions is authoritative state: a stale or lost row
+ * means a subscriber stops receiving pushes (or keeps receiving them past lease
+ * expiry), which is a correctness bug, not a safe-to-be-stale cache. It therefore
+ * lives in **D1 (strongly consistent), never KV** — see
+ * `spec/non-functional-requirements.md`. A subscription is keyed on the
+ * `(callback, topic)` pair so re-subscribing renews the lease in place. Rows are
+ * written only **after** intent verification succeeds. See
+ * `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import type { D1Database } from "@cloudflare/workers-types";
+/** A verified, active subscription. */
+export interface Subscription {
+    readonly callback: string;
+    readonly topic: string;
+    /** HMAC secret to sign deliveries with, or `null` when none was registered. */
+    readonly secret: string | null;
+    /** Granted lease length, in seconds. */
+    readonly leaseSeconds: number;
+    /** Lease expiry, epoch milliseconds. After this the subscription is dead. */
+    readonly expiresAt: number;
+    /** Creation/last-renewal time, epoch milliseconds. */
+    readonly createdAt: number;
+}
+/** Fields needed to upsert (create or renew) a subscription. */
+export interface SubscriptionUpsert {
+    readonly callback: string;
+    readonly topic: string;
+    readonly secret?: string | undefined;
+    readonly leaseSeconds: number;
+    /** Now, epoch milliseconds; `expiresAt` is derived as `now + leaseSeconds*1000`. */
+    readonly now: number;
+}
+/** Persistence surface for subscriptions. */
+export interface SubscriptionStore {
+    /** Upsert (create or renew) a verified subscription, keyed on `(callback, topic)`. */
+    upsert(subscription: SubscriptionUpsert): Promise<void>;
+    /** Remove a subscription; no-op when absent. */
+    remove(callback: string, topic: string): Promise<void>;
+    /** List subscriptions for `topic` that are still within their lease at `now`. */
+    listActive(topic: string, now: number): Promise<Subscription[]>;
+    /** Look up one subscription, or `null` when absent. */
+    get(callback: string, topic: string): Promise<Subscription | null>;
+    /** Delete every subscription whose lease expired at or before `now`; returns the count removed. */
+    pruneExpired(now: number): Promise<number>;
+}
+/** Options for {@link createD1SubscriptionStore}. */
+export interface D1StoreOptions {
+    /** Table name to use; created if absent. Defaults to `websub_subscriptions`. */
+    readonly table?: string;
+}
+/**
+ * Build a D1-backed {@link SubscriptionStore}. The backing table is created on
+ * first use if it does not already exist.
+ */
+export declare function createD1SubscriptionStore(db: D1Database, options?: D1StoreOptions): SubscriptionStore;
+//# sourceMappingURL=store.d.ts.map

package/dist/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D,uCAAuC;AACvC,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,+EAA+E;IAC/E,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,wCAAwC;IACxC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,6EAA6E;IAC7E,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,sDAAsD;IACtD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACrC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,oFAAoF;IACpF,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,sFAAsF;IACtF,MAAM,CAAC,YAAY,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,gDAAgD;IAChD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,iFAAiF;IACjF,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAChE,uDAAuD;IACvD,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;IACnE,mGAAmG;IACnG,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CAC5C;AAED,qDAAqD;AACrD,MAAM,WAAW,cAAc;IAC7B,gFAAgF;IAChF,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAsBD;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,EAAE,EAAE,UAAU,EACd,OAAO,CAAC,EAAE,cAAc,GACvB,iBAAiB,CAqGnB"}

package/dist/store.js

@@ -0,0 +1,110 @@
+/**
+ * `@dwk/websub` — D1-backed subscription store.
+ *
+ * The set of active subscriptions is authoritative state: a stale or lost row
+ * means a subscriber stops receiving pushes (or keeps receiving them past lease
+ * expiry), which is a correctness bug, not a safe-to-be-stale cache. It therefore
+ * lives in **D1 (strongly consistent), never KV** — see
+ * `spec/non-functional-requirements.md`. A subscription is keyed on the
+ * `(callback, topic)` pair so re-subscribing renews the lease in place. Rows are
+ * written only **after** intent verification succeeds. See
+ * `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+function rowToSubscription(row) {
+    return {
+        callback: row.callback,
+        topic: row.topic,
+        secret: row.secret,
+        leaseSeconds: row.lease_seconds,
+        expiresAt: row.expires_at,
+        createdAt: row.created_at,
+    };
+}
+/**
+ * Build a D1-backed {@link SubscriptionStore}. The backing table is created on
+ * first use if it does not already exist.
+ */
+export function createD1SubscriptionStore(db, options) {
+    const table = options?.table ?? "websub_subscriptions";
+    // Guard the identifier: it is interpolated into DDL, so only allow a safe
+    // set of characters rather than trusting the caller blindly.
+    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(table)) {
+        throw new Error(`@dwk/websub: invalid subscription table name "${table}".`);
+    }
+    let ready = null;
+    const ensureSchema = () => {
+        // Clear the cached promise on failure so a transient D1 error during the
+        // first call doesn't permanently wedge the store: a later operation retries
+        // the DDL instead of inheriting the cached rejection.
+        ready ??= db
+            .prepare(`CREATE TABLE IF NOT EXISTS ${table} (` +
+            `callback TEXT NOT NULL, ` +
+            `topic TEXT NOT NULL, ` +
+            `secret TEXT, ` +
+            `lease_seconds INTEGER NOT NULL, ` +
+            `expires_at INTEGER NOT NULL, ` +
+            `created_at INTEGER NOT NULL, ` +
+            `PRIMARY KEY (callback, topic))`)
+            .run()
+            .then(() => undefined)
+            .catch((err) => {
+            ready = null;
+            throw err;
+        });
+        return ready;
+    };
+    return {
+        async upsert(subscription) {
+            await ensureSchema();
+            const expiresAt = subscription.now + subscription.leaseSeconds * 1000;
+            await db
+                .prepare(`INSERT INTO ${table} ` +
+                `(callback, topic, secret, lease_seconds, expires_at, created_at) ` +
+                `VALUES (?1, ?2, ?3, ?4, ?5, ?6) ` +
+                `ON CONFLICT (callback, topic) DO UPDATE SET ` +
+                `secret = excluded.secret, ` +
+                `lease_seconds = excluded.lease_seconds, ` +
+                `expires_at = excluded.expires_at, ` +
+                `created_at = excluded.created_at`)
+                .bind(subscription.callback, subscription.topic, subscription.secret ?? null, subscription.leaseSeconds, expiresAt, subscription.now)
+                .run();
+        },
+        async remove(callback, topic) {
+            await ensureSchema();
+            await db
+                .prepare(`DELETE FROM ${table} WHERE callback = ?1 AND topic = ?2`)
+                .bind(callback, topic)
+                .run();
+        },
+        async listActive(topic, now) {
+            await ensureSchema();
+            const { results } = await db
+                .prepare(`SELECT callback, topic, secret, lease_seconds, expires_at, created_at ` +
+                `FROM ${table} WHERE topic = ?1 AND expires_at > ?2 ` +
+                `ORDER BY created_at ASC`)
+                .bind(topic, now)
+                .all();
+            return results.map(rowToSubscription);
+        },
+        async get(callback, topic) {
+            await ensureSchema();
+            const row = await db
+                .prepare(`SELECT callback, topic, secret, lease_seconds, expires_at, created_at ` +
+                `FROM ${table} WHERE callback = ?1 AND topic = ?2`)
+                .bind(callback, topic)
+                .first();
+            return row === null ? null : rowToSubscription(row);
+        },
+        async pruneExpired(now) {
+            await ensureSchema();
+            const result = await db
+                .prepare(`DELETE FROM ${table} WHERE expires_at <= ?1`)
+                .bind(now)
+                .run();
+            return result.meta.changes ?? 0;
+        },
+    };
+}
+//# sourceMappingURL=store.js.map

package/dist/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAyDH,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,OAAO;QACL,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,YAAY,EAAE,GAAG,CAAC,aAAa;QAC/B,SAAS,EAAE,GAAG,CAAC,UAAU;QACzB,SAAS,EAAE,GAAG,CAAC,UAAU;KAC1B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,EAAc,EACd,OAAwB;IAExB,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,sBAAsB,CAAC;IACvD,0EAA0E;IAC1E,6DAA6D;IAC7D,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,iDAAiD,KAAK,IAAI,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,KAAK,GAAyB,IAAI,CAAC;IACvC,MAAM,YAAY,GAAG,GAAkB,EAAE;QACvC,yEAAyE;QACzE,4EAA4E;QAC5E,sDAAsD;QACtD,KAAK,KAAK,EAAE;aACT,OAAO,CACN,8BAA8B,KAAK,IAAI;YACrC,0BAA0B;YAC1B,uBAAuB;YACvB,eAAe;YACf,kCAAkC;YAClC,+BAA+B;YAC/B,+BAA+B;YAC/B,gCAAgC,CACnC;aACA,GAAG,EAAE;aACL,IAAI,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;aACrB,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YACtB,KAAK,GAAG,IAAI,CAAC;YACb,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;QACL,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,YAAY;YACvB,MAAM,YAAY,EAAE,CAAC;YACrB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,GAAG,YAAY,CAAC,YAAY,GAAG,IAAI,CAAC;YACtE,MAAM,EAAE;iBACL,OAAO,CACN,eAAe,KAAK,GAAG;gBACrB,mEAAmE;gBACnE,kCAAkC;gBAClC,8CAA8C;gBAC9C,4BAA4B;gBAC5B,0CAA0C;gBAC1C,oCAAoC;gBACpC,kCAAkC,CACrC;iBACA,IAAI,CACH,YAAY,CAAC,QAAQ,EACrB,YAAY,CAAC,KAAK,EAClB,YAAY,CAAC,MAAM,IAAI,IAAI,EAC3B,YAAY,CAAC,YAAY,EACzB,SAAS,EACT,YAAY,CAAC,GAAG,CACjB;iBACA,GAAG,EAAE,CAAC;QACX,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK;YAC1B,MAAM,YAAY,EAAE,CAAC;YACrB,MAAM,EAAE;iBACL,OAAO,CAAC,eAAe,KAAK,qCAAqC,CAAC;iBAClE,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC;iBACrB,GAAG,EAAE,CAAC;QACX,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG;YACzB,MAAM,YAAY,EAAE,CAAC;YACrB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,EAAE;iBACzB,OAAO,CACN,wEAAwE;gBACtE,QAAQ,KAAK,wCAAwC;gBACrD,yBAAyB,CAC5B;iBACA,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC;iBAChB,GAAG,EAAmB,CAAC;YAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACxC,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK;YACvB,MAAM,YAAY,EAAE,CAAC;YACrB,MAAM,GAAG,GAAG,MAAM,EAAE;iBACjB,OAAO,CACN,wEAAwE;gBACtE,QAAQ,KAAK,qCAAqC,CACrD;iBACA,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC;iBACrB,KAAK,EAAmB,CAAC;YAC5B,OAAO,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,GAAG;YACpB,MAAM,YAAY,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,MAAM,EAAE;iBACpB,OAAO,CAAC,eAAe,KAAK,yBAAyB,CAAC;iBACtD,IAAI,CAAC,GAAG,CAAC;iBACT,GAAG,EAAE,CAAC;YACT,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;QAClC,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/validate.d.ts

@@ -0,0 +1,67 @@
+/**
+ * `@dwk/websub` — request validation.
+ *
+ * Subscribe/unsubscribe and publish requests are validated synchronously, before
+ * any slow work is enqueued, so a malformed request gets a fast `400` and never
+ * reaches the queue. Validation is pure (no I/O) and unit-tests without a Workers
+ * runtime. Stable, machine-readable error codes are returned in place of free
+ * text. See `spec/packages/websub.md` and WebSub §5–§7.
+ *
+ * @packageDocumentation
+ */
+import type { ResolvedConfig } from "./config";
+/** WebSub §6.1.1: a `hub.secret` MUST be less than 200 bytes. */
+export declare const MAX_SECRET_BYTES = 200;
+/** Machine-readable rejection codes for a subscribe/unsubscribe request. */
+export type SubscribeError = "invalid_mode" | "callback_required" | "callback_not_url" | "topic_required" | "topic_not_url" | "topic_not_supported" | "secret_too_long" | "invalid_lease_seconds";
+/** Machine-readable rejection codes for a publish request. */
+export type PublishError = "url_required" | "url_not_url" | "topic_not_supported";
+/** Parsed, validated subscribe/unsubscribe request. */
+export interface SubscribeRequest {
+    readonly ok: true;
+    readonly mode: "subscribe" | "unsubscribe";
+    readonly callback: string;
+    readonly topic: string;
+    /** Requested lease, clamped into the hub's bounds; `undefined` left to the consumer. */
+    readonly leaseSeconds: number;
+    readonly secret?: string;
+}
+/** Parsed, validated publish request. */
+export interface PublishRequest {
+    readonly ok: true;
+    readonly mode: "publish";
+    readonly topic: string;
+}
+/** Result of validating a subscribe/unsubscribe request. */
+export type SubscribeResult = SubscribeRequest | {
+    readonly ok: false;
+    readonly error: SubscribeError;
+};
+/** Result of validating a publish request. */
+export type PublishResult = PublishRequest | {
+    readonly ok: false;
+    readonly error: PublishError;
+};
+/** The raw `hub.*` fields lifted out of a form body. */
+export interface RawHubParams {
+    readonly mode: string | null;
+    readonly callback: string | null;
+    readonly topic: string | null;
+    readonly url: string | null;
+    readonly leaseSeconds: string | null;
+    readonly secret: string | null;
+}
+/** Lift the `hub.*` fields out of a parsed form body. */
+export declare function readHubParams(form: URLSearchParams): RawHubParams;
+/**
+ * Validate a subscribe/unsubscribe request against `config`. Clamps a supplied
+ * `hub.lease_seconds` into the hub's bounds and falls back to the default lease
+ * when it is absent.
+ */
+export declare function validateSubscribe(params: RawHubParams, config: ResolvedConfig): SubscribeResult;
+/**
+ * Validate a publish request. Accepts the topic in `hub.url` (WebSub §7) and
+ * falls back to `hub.topic` for compatibility with older publishers.
+ */
+export declare function validatePublish(params: RawHubParams, config: ResolvedConfig): PublishResult;
+//# sourceMappingURL=validate.d.ts.map

package/dist/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../src/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE/C,iEAAiE;AACjE,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,4EAA4E;AAC5E,MAAM,MAAM,cAAc,GACtB,cAAc,GACd,mBAAmB,GACnB,kBAAkB,GAClB,gBAAgB,GAChB,eAAe,GACf,qBAAqB,GACrB,iBAAiB,GACjB,uBAAuB,CAAC;AAE5B,8DAA8D;AAC9D,MAAM,MAAM,YAAY,GACpB,cAAc,GACd,aAAa,GACb,qBAAqB,CAAC;AAE1B,uDAAuD;AACvD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,IAAI,EAAE,WAAW,GAAG,aAAa,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,wFAAwF;IACxF,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,yCAAyC;AACzC,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED,4DAA4D;AAC5D,MAAM,MAAM,eAAe,GACvB,gBAAgB,GAChB;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAA;CAAE,CAAC;AAE3D,8CAA8C;AAC9C,MAAM,MAAM,aAAa,GACrB,cAAc,GACd;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAA;CAAE,CAAC;AAgBzD,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC;AAED,yDAAyD;AACzD,wBAAgB,aAAa,CAAC,IAAI,EAAE,eAAe,GAAG,YAAY,CASjE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,YAAY,EACpB,MAAM,EAAE,cAAc,GACrB,eAAe,CAmDjB;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,YAAY,EACpB,MAAM,EAAE,cAAc,GACrB,aAAa,CAYf"}

package/dist/validate.js

@@ -0,0 +1,106 @@
+/**
+ * `@dwk/websub` — request validation.
+ *
+ * Subscribe/unsubscribe and publish requests are validated synchronously, before
+ * any slow work is enqueued, so a malformed request gets a fast `400` and never
+ * reaches the queue. Validation is pure (no I/O) and unit-tests without a Workers
+ * runtime. Stable, machine-readable error codes are returned in place of free
+ * text. See `spec/packages/websub.md` and WebSub §5–§7.
+ *
+ * @packageDocumentation
+ */
+/** WebSub §6.1.1: a `hub.secret` MUST be less than 200 bytes. */
+export const MAX_SECRET_BYTES = 200;
+function isHttpUrl(value) {
+    let url;
+    try {
+        url = new URL(value);
+    }
+    catch {
+        return false;
+    }
+    return url.protocol === "http:" || url.protocol === "https:";
+}
+function utf8Length(value) {
+    return new TextEncoder().encode(value).length;
+}
+/** Lift the `hub.*` fields out of a parsed form body. */
+export function readHubParams(form) {
+    return {
+        mode: form.get("hub.mode"),
+        callback: form.get("hub.callback"),
+        topic: form.get("hub.topic"),
+        url: form.get("hub.url"),
+        leaseSeconds: form.get("hub.lease_seconds"),
+        secret: form.get("hub.secret"),
+    };
+}
+/**
+ * Validate a subscribe/unsubscribe request against `config`. Clamps a supplied
+ * `hub.lease_seconds` into the hub's bounds and falls back to the default lease
+ * when it is absent.
+ */
+export function validateSubscribe(params, config) {
+    if (params.mode !== "subscribe" && params.mode !== "unsubscribe") {
+        return { ok: false, error: "invalid_mode" };
+    }
+    if (params.callback === null || params.callback === "") {
+        return { ok: false, error: "callback_required" };
+    }
+    if (!isHttpUrl(params.callback)) {
+        return { ok: false, error: "callback_not_url" };
+    }
+    if (params.topic === null || params.topic === "") {
+        return { ok: false, error: "topic_required" };
+    }
+    if (!isHttpUrl(params.topic)) {
+        return { ok: false, error: "topic_not_url" };
+    }
+    if (!config.isAllowedTopic(params.topic)) {
+        return { ok: false, error: "topic_not_supported" };
+    }
+    let secret;
+    if (params.secret !== null && params.secret !== "") {
+        if (utf8Length(params.secret) >= MAX_SECRET_BYTES) {
+            return { ok: false, error: "secret_too_long" };
+        }
+        secret = params.secret;
+    }
+    let leaseSeconds = config.defaultLeaseSeconds;
+    if (params.leaseSeconds !== null && params.leaseSeconds !== "") {
+        const parsed = Number.parseInt(params.leaseSeconds, 10);
+        if (!Number.isFinite(parsed)) {
+            return { ok: false, error: "invalid_lease_seconds" };
+        }
+        // WebSub §5.1 treats `hub.lease_seconds` as a *request* the hub may clamp,
+        // not a hard constraint, so a `0` (or negative) request is clamped up to the
+        // hub minimum rather than rejected — the hub controls the granted lease.
+        leaseSeconds = Math.min(Math.max(parsed, config.minLeaseSeconds), config.maxLeaseSeconds);
+    }
+    return {
+        ok: true,
+        mode: params.mode,
+        callback: params.callback,
+        topic: params.topic,
+        leaseSeconds,
+        ...(secret !== undefined ? { secret } : {}),
+    };
+}
+/**
+ * Validate a publish request. Accepts the topic in `hub.url` (WebSub §7) and
+ * falls back to `hub.topic` for compatibility with older publishers.
+ */
+export function validatePublish(params, config) {
+    const topic = params.url ?? params.topic;
+    if (topic === null || topic === "") {
+        return { ok: false, error: "url_required" };
+    }
+    if (!isHttpUrl(topic)) {
+        return { ok: false, error: "url_not_url" };
+    }
+    if (!config.isAllowedTopic(topic)) {
+        return { ok: false, error: "topic_not_supported" };
+    }
+    return { ok: true, mode: "publish", topic };
+}
+//# sourceMappingURL=validate.js.map

package/dist/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../src/validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,iEAAiE;AACjE,MAAM,CAAC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AA+CpC,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;AAC/D,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;AAChD,CAAC;AAYD,yDAAyD;AACzD,MAAM,UAAU,aAAa,CAAC,IAAqB;IACjD,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;QAClC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;QAC5B,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;QACxB,YAAY,EAAE,IAAI,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAC3C,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;KAC/B,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAAoB,EACpB,MAAsB;IAEtB,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,IAAI,IAAI,MAAM,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QACvD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,MAAM,CAAC,KAAK,KAAK,EAAE,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAChD,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;IAC/C,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,MAA0B,CAAC;IAC/B,IAAI,MAAM,CAAC,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnD,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;YAClD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACjD,CAAC;QACD,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IACzB,CAAC;IAED,IAAI,YAAY,GAAG,MAAM,CAAC,mBAAmB,CAAC;IAC9C,IAAI,MAAM,CAAC,YAAY,KAAK,IAAI,IAAI,MAAM,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;QACvD,CAAC;QACD,2EAA2E;QAC3E,6EAA6E;QAC7E,yEAAyE;QACzE,YAAY,GAAG,IAAI,CAAC,GAAG,CACrB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,eAAe,CAAC,EACxC,MAAM,CAAC,eAAe,CACvB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,YAAY;QACZ,GAAG,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAoB,EACpB,MAAsB;IAEtB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC;IACzC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;IACrD,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC9C,CAAC"}

package/dist/verify.d.ts

@@ -0,0 +1,85 @@
+/**
+ * `@dwk/websub` — verification of intent.
+ *
+ * Before a hub acts on a subscribe/unsubscribe request it confirms the request
+ * was genuinely intended by the owner of the callback URL (WebSub §5.3): it
+ * issues a `GET` to the callback carrying a random `hub.challenge`, and the
+ * subscriber confirms by echoing that exact challenge back in a `2xx` response
+ * body. This stops an attacker from signing up (or tearing down) a third party's
+ * callback. The GET goes through {@link safeFetch} so a callback can't point the
+ * hub at its own network. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { type Logger, type Metrics } from "@dwk/log";
+import type { FetchLike } from "./fetch";
+/** Inputs to {@link verifyIntent}. */
+export interface VerifyIntentOptions {
+    readonly mode: "subscribe" | "unsubscribe";
+    /** Lease (seconds) advertised in the challenge; included only for subscribe. */
+    readonly leaseSeconds?: number;
+    /** `fetch` implementation; defaults to global `fetch`. */
+    readonly fetch?: FetchLike;
+    /** Challenge string to send; defaults to a fresh random value (override in tests). */
+    readonly challenge?: string;
+    readonly logger?: Logger;
+    readonly metrics?: Metrics;
+}
+/** Outcome of a verification-of-intent exchange. */
+export interface VerifyIntentResult {
+    /** True when the callback echoed the exact challenge with a 2xx status. */
+    readonly confirmed: boolean;
+    /** The callback's HTTP status (`0` when the GET threw or was blocked). */
+    readonly status: number;
+}
+/** Generate a fresh, unguessable challenge value. */
+export declare function generateChallenge(): string;
+/**
+ * Build the verification callback URL, appending the `hub.*` query parameters to
+ * whatever the subscriber's callback already carries (WebSub §5.3). `hub.mode`
+ * and `hub.topic` echo the request; `hub.challenge` is the value the subscriber
+ * must return; `hub.lease_seconds` is included for a subscribe.
+ */
+export declare function buildVerificationUrl(callback: string, params: {
+    mode: "subscribe" | "unsubscribe";
+    topic: string;
+    challenge: string;
+    leaseSeconds?: number;
+}): string;
+/**
+ * Verify a subscriber's intent for `callback` / `topic`.
+ *
+ * Issues the challenge GET through {@link safeFetch} and confirms the response is
+ * `2xx` with a body whose trimmed text equals the challenge. Any throw (network,
+ * timeout, SSRF block) is treated as "not confirmed" with status `0` — the
+ * caller does not distinguish a hostile callback from an unreachable one.
+ */
+export declare function verifyIntent(callback: string, topic: string, options: VerifyIntentOptions): Promise<VerifyIntentResult>;
+/** Inputs to {@link notifyDenial}. */
+export interface NotifyDenialOptions {
+    /** Machine-readable cause echoed to the subscriber as `hub.reason` (optional). */
+    readonly reason?: string;
+    /** `fetch` implementation; defaults to global `fetch`. */
+    readonly fetch?: FetchLike;
+    readonly logger?: Logger;
+    readonly metrics?: Metrics;
+}
+/**
+ * Build the subscription-denial notification URL (WebSub §5.2): the subscriber's
+ * callback with `hub.mode=denied` and `hub.topic` appended, plus an optional
+ * `hub.reason`, preserving any query string the callback already carries.
+ */
+export declare function buildDenialUrl(callback: string, params: {
+    topic: string;
+    reason?: string;
+}): string;
+/**
+ * Tell a subscriber its subscription was denied (WebSub §5.2): issue a
+ * best-effort `GET` to the callback with `hub.mode=denied`. Never throws — a
+ * denial that cannot be delivered (unreachable callback, SSRF block) is logged,
+ * not retried, since the subscription was never created either way. The GET goes
+ * through {@link safeFetch} so a hostile callback can't point the hub at its own
+ * network.
+ */
+export declare function notifyDenial(callback: string, topic: string, options?: NotifyDenialOptions): Promise<void>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAIL,KAAK,MAAM,EACX,KAAK,OAAO,EACb,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAUzC,sCAAsC;AACtC,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,WAAW,GAAG,aAAa,CAAC;IAC3C,gFAAgF;IAChF,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;IAC3B,sFAAsF;IACtF,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED,oDAAoD;AACpD,MAAM,WAAW,kBAAkB;IACjC,2EAA2E;IAC3E,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,qDAAqD;AACrD,wBAAgB,iBAAiB,IAAI,MAAM,CAG1C;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE;IACN,IAAI,EAAE,WAAW,GAAG,aAAa,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,GACA,MAAM,CASR;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CAwD7B;AAED,sCAAsC;AACtC,MAAM,WAAW,mBAAmB;IAClC,kFAAkF;IAClF,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACzC,MAAM,CAQR;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAmCf"}

package/dist/verify.js

@@ -0,0 +1,149 @@
+/**
+ * `@dwk/websub` — verification of intent.
+ *
+ * Before a hub acts on a subscribe/unsubscribe request it confirms the request
+ * was genuinely intended by the owner of the callback URL (WebSub §5.3): it
+ * issues a `GET` to the callback carrying a random `hub.challenge`, and the
+ * subscriber confirms by echoing that exact challenge back in a `2xx` response
+ * body. This stops an attacker from signing up (or tearing down) a third party's
+ * callback. The GET goes through {@link safeFetch} so a callback can't point the
+ * hub at its own network. See `spec/packages/websub.md`.
+ *
+ * @packageDocumentation
+ */
+import { hostFromUrl, noopLogger, noopMetrics, } from "@dwk/log";
+import { readBytesCapped } from "./fetch";
+import { WebSubLogEvent } from "./log";
+import { safeFetch } from "./safe-fetch";
+/** Bytes of randomness in a generated challenge (hex-encoded → twice as many chars). */
+const CHALLENGE_BYTES = 24;
+/** A confirming challenge echo is tiny; refuse to buffer more than this. */
+const MAX_CHALLENGE_ECHO_BYTES = 8 * 1024;
+/** Generate a fresh, unguessable challenge value. */
+export function generateChallenge() {
+    const bytes = crypto.getRandomValues(new Uint8Array(CHALLENGE_BYTES));
+    return [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
+ * Build the verification callback URL, appending the `hub.*` query parameters to
+ * whatever the subscriber's callback already carries (WebSub §5.3). `hub.mode`
+ * and `hub.topic` echo the request; `hub.challenge` is the value the subscriber
+ * must return; `hub.lease_seconds` is included for a subscribe.
+ */
+export function buildVerificationUrl(callback, params) {
+    const url = new URL(callback);
+    url.searchParams.append("hub.mode", params.mode);
+    url.searchParams.append("hub.topic", params.topic);
+    url.searchParams.append("hub.challenge", params.challenge);
+    if (params.mode === "subscribe" && params.leaseSeconds !== undefined) {
+        url.searchParams.append("hub.lease_seconds", String(params.leaseSeconds));
+    }
+    return url.toString();
+}
+/**
+ * Verify a subscriber's intent for `callback` / `topic`.
+ *
+ * Issues the challenge GET through {@link safeFetch} and confirms the response is
+ * `2xx` with a body whose trimmed text equals the challenge. Any throw (network,
+ * timeout, SSRF block) is treated as "not confirmed" with status `0` — the
+ * caller does not distinguish a hostile callback from an unreachable one.
+ */
+export async function verifyIntent(callback, topic, options) {
+    const doFetch = options.fetch ?? ((input, init) => fetch(input, init));
+    const logger = options.logger ?? noopLogger;
+    const metrics = options.metrics ?? noopMetrics;
+    const challenge = options.challenge ?? generateChallenge();
+    const url = buildVerificationUrl(callback, {
+        mode: options.mode,
+        topic,
+        challenge,
+        leaseSeconds: options.leaseSeconds,
+    });
+    const finish = (confirmed, status) => {
+        const fields = {
+            mode: options.mode,
+            callbackHost: hostFromUrl(callback),
+            confirmed,
+            status,
+        };
+        logger.info(WebSubLogEvent.VerifyCompleted, fields);
+        metrics.count(WebSubLogEvent.VerifyCompleted, fields);
+        return { confirmed, status };
+    };
+    let response;
+    try {
+        const result = await safeFetch(doFetch, url, { method: "GET" }, { logger, metrics });
+        response = result.response;
+    }
+    catch (err) {
+        const fields = {
+            callbackHost: hostFromUrl(callback),
+            error: err instanceof Error ? err.name : "unknown",
+        };
+        logger.warn(WebSubLogEvent.VerifyFetchFailed, fields);
+        metrics.count(WebSubLogEvent.VerifyFetchFailed, fields);
+        return finish(false, 0);
+    }
+    if (!response.ok) {
+        await response.body?.cancel().catch(() => undefined);
+        return finish(false, response.status);
+    }
+    const bytes = await readBytesCapped(response, MAX_CHALLENGE_ECHO_BYTES);
+    if (bytes === null) {
+        return finish(false, response.status);
+    }
+    const echoed = new TextDecoder().decode(bytes).trim();
+    return finish(echoed === challenge, response.status);
+}
+/**
+ * Build the subscription-denial notification URL (WebSub §5.2): the subscriber's
+ * callback with `hub.mode=denied` and `hub.topic` appended, plus an optional
+ * `hub.reason`, preserving any query string the callback already carries.
+ */
+export function buildDenialUrl(callback, params) {
+    const url = new URL(callback);
+    url.searchParams.append("hub.mode", "denied");
+    url.searchParams.append("hub.topic", params.topic);
+    if (params.reason !== undefined && params.reason !== "") {
+        url.searchParams.append("hub.reason", params.reason);
+    }
+    return url.toString();
+}
+/**
+ * Tell a subscriber its subscription was denied (WebSub §5.2): issue a
+ * best-effort `GET` to the callback with `hub.mode=denied`. Never throws — a
+ * denial that cannot be delivered (unreachable callback, SSRF block) is logged,
+ * not retried, since the subscription was never created either way. The GET goes
+ * through {@link safeFetch} so a hostile callback can't point the hub at its own
+ * network.
+ */
+export async function notifyDenial(callback, topic, options) {
+    const doFetch = options?.fetch ?? ((input, init) => fetch(input, init));
+    const logger = options?.logger ?? noopLogger;
+    const metrics = options?.metrics ?? noopMetrics;
+    const url = buildDenialUrl(callback, { topic, reason: options?.reason });
+    // The denial *decision* stands regardless of whether the subscriber's callback
+    // can be reached, so the event is always emitted — silently swallowing it when
+    // the GET is blocked (e.g. an SSRF-blocked callback) would hide exactly the
+    // probing we want a signal for. `notified` records whether the callback
+    // actually accepted the GET, so a failed delivery is visible, not faked.
+    let notified = false;
+    try {
+        const result = await safeFetch(doFetch, url, { method: "GET" }, { logger, metrics });
+        notified = result.response.ok;
+        await result.response.body?.cancel().catch(() => undefined);
+    }
+    catch {
+        // Best-effort: the subscription row was never created, so a failed denial
+        // notification leaves no inconsistent state to repair.
+    }
+    const fields = {
+        callbackHost: hostFromUrl(callback),
+        topicHost: hostFromUrl(topic),
+        notified,
+        ...(options?.reason !== undefined ? { reason: options.reason } : {}),
+    };
+    logger.info(WebSubLogEvent.SubscriptionDenied, fields);
+    metrics.count(WebSubLogEvent.SubscriptionDenied, fields);
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,WAAW,EACX,UAAU,EACV,WAAW,GAGZ,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,wFAAwF;AACxF,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,4EAA4E;AAC5E,MAAM,wBAAwB,GAAG,CAAC,GAAG,IAAI,CAAC;AAuB1C,qDAAqD;AACrD,MAAM,UAAU,iBAAiB;IAC/B,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;IACtE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAgB,EAChB,MAKC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;IACjD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACnD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC3D,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACrE,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,mBAAmB,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,KAAa,EACb,OAA4B;IAE5B,MAAM,OAAO,GACX,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,UAAU,CAAC;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,WAAW,CAAC;IAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,iBAAiB,EAAE,CAAC;IAE3D,MAAM,GAAG,GAAG,oBAAoB,CAAC,QAAQ,EAAE;QACzC,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,KAAK;QACL,SAAS;QACT,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC,CAAC;IAEH,MAAM,MAAM,GAAG,CAAC,SAAkB,EAAE,MAAc,EAAsB,EAAE;QACxE,MAAM,MAAM,GAAG;YACb,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,WAAW,CAAC,QAAQ,CAAC;YACnC,SAAS;YACT,MAAM;SACP,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACpD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACtD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAC/B,CAAC,CAAC;IAEF,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,OAAO,EACP,GAAG,EACH,EAAE,MAAM,EAAE,KAAK,EAAE,EACjB,EAAE,MAAM,EAAE,OAAO,EAAE,CACpB,CAAC;QACF,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG;YACb,YAAY,EAAE,WAAW,CAAC,QAAQ,CAAC;YACnC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;SACnD,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACxD,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;IACxE,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACtD,OAAO,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AACvD,CAAC;AAYD;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,MAA0C;IAE1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC9C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACnD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAgB,EAChB,KAAa,EACb,OAA6B;IAE7B,MAAM,OAAO,GACX,OAAO,EAAE,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,UAAU,CAAC;IAC7C,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,WAAW,CAAC;IAEhD,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAEzE,+EAA+E;IAC/E,+EAA+E;IAC/E,4EAA4E;IAC5E,wEAAwE;IACxE,yEAAyE;IACzE,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B,OAAO,EACP,GAAG,EACH,EAAE,MAAM,EAAE,KAAK,EAAE,EACjB,EAAE,MAAM,EAAE,OAAO,EAAE,CACpB,CAAC;QACF,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9B,MAAM,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,0EAA0E;QAC1E,uDAAuD;IACzD,CAAC;IACD,MAAM,MAAM,GAAG;QACb,YAAY,EAAE,WAAW,CAAC,QAAQ,CAAC;QACnC,SAAS,EAAE,WAAW,CAAC,KAAK,CAAC;QAC7B,QAAQ;QACR,GAAG,CAAC,OAAO,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACrE,CAAC;IACF,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;IACvD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;AAC3D,CAAC"}