@holo-js/broadcast 0.1.4 → 0.1.5

package/dist/auth.mjs

@@ -5,9 +5,9 @@ import {
   renderBroadcastAuthResponse,
   resolveBroadcastWhisperSchema,
   validateBroadcastWhisperPayload
-} from "./chunk-5XRABYQH.mjs";
-import "./chunk-742LGR5P.mjs";
-import "./chunk-QW6MHEWS.mjs";
+} from "./chunk-I3KE6HDH.mjs";
+import "./chunk-QYXS4X72.mjs";
+import "./chunk-DHKMBH25.mjs";
 export {
   authorizeBroadcastChannel,
   broadcastAuthInternals,

package/dist/{chunk-QW6MHEWS.mjs → chunk-DHKMBH25.mjs}

@@ -33,7 +33,13 @@ function normalizeDelayValue(value) {
   return value;
 }
 function normalizeJsonValue(value, path) {
-  if (value === null || typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`[Holo Broadcast] ${path} must be JSON-serializable.`);
+    }
+    return value;
+  }
+  if (value === null || typeof value === "string" || typeof value === "boolean") {
     return value;
   }
   if (Array.isArray(value)) {
@@ -92,6 +98,16 @@ function normalizePatternSegment(segment, label) {
   }
   return segment;
 }
+function normalizeChannelTargetParamValue(pattern, key, value) {
+  const normalized = String(value).trim();
+  if (!normalized) {
+    throw new Error(`[Holo Broadcast] Channel target param "${key}" for "${pattern}" must be a non-empty channel segment.`);
+  }
+  if (!/^[A-Za-z0-9_-]+$/.test(normalized)) {
+    throw new Error(`[Holo Broadcast] Channel target param "${key}" for "${pattern}" contains invalid segment "${normalized}".`);
+  }
+  return normalized;
+}
 function extractChannelPatternParamNames(pattern) {
   const normalized = normalizeChannelPattern(pattern, "Channel pattern");
   const params = normalized.split(".").map((segment) => segment.match(/^\{([A-Za-z_][A-Za-z0-9_]*)\}$/)?.[1]).filter((value) => typeof value === "string");
@@ -115,7 +131,7 @@ function normalizeTargetParams(pattern, params) {
     if (!normalizedKey) {
       throw new Error("[Holo Broadcast] Channel target params must not include empty keys.");
     }
-    return [normalizedKey, String(value)];
+    return [normalizedKey, normalizeChannelTargetParamValue(pattern, normalizedKey, value)];
   });
   const provided = Object.freeze(Object.fromEntries(providedEntries));
   const providedNames = Object.keys(provided);

package/dist/{chunk-5XRABYQH.mjs → chunk-I3KE6HDH.mjs}

@@ -1,9 +1,9 @@
 import {
   getBroadcastRuntimeBindings
-} from "./chunk-742LGR5P.mjs";
+} from "./chunk-QYXS4X72.mjs";
 import {
   isChannelDefinition
-} from "./chunk-QW6MHEWS.mjs";
+} from "./chunk-DHKMBH25.mjs";
 
 // src/auth.ts
 import { resolve } from "path";
@@ -41,7 +41,13 @@ function normalizeLookupChannel(channel, label) {
   return normalized;
 }
 function normalizeJsonValue(value, path) {
-  if (value === null || typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`[@holo-js/broadcast] ${path} must be JSON-serializable.`);
+    }
+    return value;
+  }
+  if (value === null || typeof value === "string" || typeof value === "boolean") {
     return value;
   }
   if (Array.isArray(value)) {
@@ -156,7 +162,15 @@ async function loadChannelDefinitions(bindings) {
   })();
   getRuntimeState().byBindings ??= /* @__PURE__ */ new WeakMap();
   getRuntimeState().byBindings.set(bindings, pending);
-  return await pending;
+  try {
+    return await pending;
+  } catch (error) {
+    const cache = getRuntimeState().byBindings;
+    if (cache.get(bindings) === pending) {
+      cache.delete(bindings);
+    }
+    throw error;
+  }
 }
 function matchPattern(pattern, channel) {
   const patternSegments = pattern.split(".");

package/dist/{chunk-742LGR5P.mjs → chunk-QYXS4X72.mjs}

@@ -2,7 +2,7 @@ import {
   formatChannelPattern,
   isBroadcastDefinition,
   normalizeBroadcastDefinition
-} from "./chunk-QW6MHEWS.mjs";
+} from "./chunk-DHKMBH25.mjs";
 
 // src/runtime.ts
 import { randomUUID } from "crypto";
@@ -114,7 +114,13 @@ function isRecord(value) {
   return !!value && typeof value === "object" && !Array.isArray(value) && (Object.getPrototypeOf(value) === Object.prototype || Object.getPrototypeOf(value) === null);
 }
 function normalizeJsonValue(value, path) {
-  if (value === null || typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`[@holo-js/broadcast] ${path} must be JSON-serializable.`);
+    }
+    return value;
+  }
+  if (value === null || typeof value === "string" || typeof value === "boolean") {
     return value;
   }
   if (Array.isArray(value)) {

package/dist/contracts.mjs

@@ -13,7 +13,7 @@ import {
   normalizeChannelPattern,
   presenceChannel,
   privateChannel
-} from "./chunk-QW6MHEWS.mjs";
+} from "./chunk-DHKMBH25.mjs";
 export {
   broadcastInternals,
   channel,

package/dist/index.d.ts

@@ -107,6 +107,7 @@ declare function parseSocketMessage(rawMessage: string): {
 };
 declare function normalizePublishBody(value: unknown): PublishBody;
 declare function createPusherSignature(secret: string, method: string, pathname: string, params: URLSearchParams): string;
+declare function verifyPusherSignature(providedSignature: string, expectedSignature: string): boolean;
 declare function parseChannelKind(channel: string): {
     readonly kind: 'public' | 'private' | 'presence';
     readonly canonical: string;
@@ -135,6 +136,7 @@ declare const workerInternals: {
     createScalingNodeId: typeof createScalingNodeId;
     createRedisScalingAdapter: typeof createRedisScalingAdapter;
     createPusherSignature: typeof createPusherSignature;
+    verifyPusherSignature: typeof verifyPusherSignature;
     createSocketId: typeof createSocketId;
     resolveRedisScalingConnection: typeof resolveRedisScalingConnection;
     resolveScalingEventChannel: typeof resolveScalingEventChannel;

package/dist/index.mjs

@@ -5,7 +5,7 @@ import {
   renderBroadcastAuthResponse,
   resolveBroadcastWhisperSchema,
   validateBroadcastWhisperPayload
-} from "./chunk-5XRABYQH.mjs";
+} from "./chunk-I3KE6HDH.mjs";
 import {
   broadcast,
   broadcastRaw,
@@ -19,7 +19,7 @@ import {
   registerBroadcastDriver,
   resetBroadcastDriverRegistry,
   resetBroadcastRuntime
-} from "./chunk-742LGR5P.mjs";
+} from "./chunk-QYXS4X72.mjs";
 import {
   broadcastInternals,
   channel,
@@ -29,10 +29,10 @@ import {
   isChannelDefinition,
   presenceChannel,
   privateChannel
-} from "./chunk-QW6MHEWS.mjs";
+} from "./chunk-DHKMBH25.mjs";
 
 // src/worker.ts
-import { createHash, createHmac, randomInt, randomUUID } from "crypto";
+import { createHash, createHmac, randomInt, randomUUID, timingSafeEqual } from "crypto";
 import { createServer } from "http";
 var MAX_PUBLISH_TIMESTAMP_SKEW_SECONDS = 300;
 function normalizeRequiredString(value, label) {
@@ -102,6 +102,12 @@ ${pathname}
 ${sorted}`;
   return createHmac("sha256", secret).update(payload).digest("hex");
 }
+function verifyPusherSignature(providedSignature, expectedSignature) {
+  if (providedSignature.length !== expectedSignature.length || !/^[a-f0-9]+$/i.test(providedSignature) || !/^[a-f0-9]+$/i.test(expectedSignature)) {
+    return false;
+  }
+  return timingSafeEqual(Buffer.from(providedSignature, "hex"), Buffer.from(expectedSignature, "hex"));
+}
 function logSocketMessageError(socketId, error) {
   const message = error instanceof Error ? error.message : String(error);
   console.error(`[@holo-js/broadcast] WebSocket message handling failed for socket "${socketId}": ${message}`);
@@ -918,7 +924,7 @@ function createBroadcastWorkerRuntime(options) {
       const message = error instanceof Error ? error.message : "Invalid auth signature";
       return new Response(message, { status: 401 });
     }
-    if (providedSignature !== expectedSignature) {
+    if (!verifyPusherSignature(providedSignature, expectedSignature)) {
       return new Response("Invalid auth signature", { status: 401 });
     }
     let publishBody;
@@ -1378,6 +1384,7 @@ var workerInternals = {
   createScalingNodeId,
   createRedisScalingAdapter,
   createPusherSignature,
+  verifyPusherSignature,
   createSocketId,
   resolveRedisScalingConnection,
   resolveScalingEventChannel,

package/dist/runtime.mjs

@@ -6,8 +6,8 @@ import {
   getBroadcastRuntime,
   getBroadcastRuntimeBindings,
   resetBroadcastRuntime
-} from "./chunk-742LGR5P.mjs";
-import "./chunk-QW6MHEWS.mjs";
+} from "./chunk-QYXS4X72.mjs";
+import "./chunk-DHKMBH25.mjs";
 export {
   broadcast,
   broadcastRaw,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@holo-js/broadcast",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Holo-JS Framework - broadcast contracts, channel definitions, and driver registration seams",
   "type": "module",
   "license": "MIT",
@@ -34,16 +34,16 @@
   "scripts": {
     "build": "tsup",
     "stub": "tsup",
-    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "typecheck": "tsc -p tsconfig.json --noEmit && tsc -p tsconfig.type-tests.json --noEmit",
     "test": "vitest --run"
   },
   "dependencies": {
-    "@holo-js/config": "^0.1.4",
-    "@holo-js/validation": "^0.1.4",
+    "@holo-js/config": "^0.1.5",
+    "@holo-js/validation": "^0.1.5",
     "ws": "^8.18.3"
   },
   "peerDependencies": {
-    "ioredis": "catalog:"
+    "ioredis": "^5.4.2"
   },
   "peerDependenciesMeta": {
     "ioredis": {
@@ -53,9 +53,9 @@
   "devDependencies": {
     "@types/node": "^22.10.2",
     "@types/ws": "^8.18.1",
-    "ioredis": "catalog:",
+    "ioredis": "^5.4.2",
     "tsup": "^8.3.5",
     "typescript": "^5.7.2",
-    "vitest": "^2.1.8"
+    "vitest": "^4.1.5"
   }
 }