npm - @hookflo/tern - Versions diffs - 1.0.4 → 1.0.5 - Mend

@hookflo/tern 1.0.4 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +62 -1
package/dist/platforms/algorithms.js +6 -23
package/dist/test.js +25 -5
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -109,6 +109,67 @@ const result = await WebhookVerificationService.verify(request, stripeConfig);
 - **Polar**: HMAC-SHA256
 - **Supabase**: Token-based authentication
+## Custom Platform Configuration
+This framework is fully configuration-driven. You can verify webhooks from any provider—even if it is not built-in—by supplying a custom configuration object. This allows you to support new or proprietary platforms instantly, without waiting for a library update.
+### Example: Standard HMAC-SHA256 Webhook
+```typescript
+import { WebhookVerificationService } from '@hookflo/tern';
+const acmeConfig = {
+  platform: 'acmepay',
+  secret: 'acme_secret',
+  signatureConfig: {
+    algorithm: 'hmac-sha256',
+    headerName: 'x-acme-signature',
+    headerFormat: 'raw',
+    timestampHeader: 'x-acme-timestamp',
+    timestampFormat: 'unix',
+    payloadFormat: 'timestamped', // signs as {timestamp}.{body}
+  }
+};
+const result = await WebhookVerificationService.verify(request, acmeConfig);
+```
+### Example: Svix/Standard Webhooks (Clerk, Dodo Payments, etc.)
+```typescript
+const svixConfig = {
+  platform: 'my-svix-platform',
+  secret: 'whsec_abc123...',
+  signatureConfig: {
+    algorithm: 'hmac-sha256',
+    headerName: 'webhook-signature',
+    headerFormat: 'raw',
+    timestampHeader: 'webhook-timestamp',
+    timestampFormat: 'unix',
+    payloadFormat: 'custom',
+    customConfig: {
+      payloadFormat: '{id}.{timestamp}.{body}',
+      idHeader: 'webhook-id',
+      // encoding: 'base64' // only if the provider uses base64, otherwise omit
+    }
+  }
+};
+const result = await WebhookVerificationService.verify(request, svixConfig);
+```
+You can configure any combination of algorithm, header, payload, and encoding. See the `SignatureConfig` type for all options.
+## Webhook Verification OK Tested Platforms
+- **Stripe**
+- **Supabase**
+- **Github**
+- **Clerk**
+- **Dodo Payments**
+- **Other Platforms** : Yet to verify....
 ## Custom Configurations
 ### Custom HMAC-SHA256
@@ -301,4 +362,4 @@ MIT License - see [LICENSE](./LICENSE) for details.
 - [Documentation](./USAGE.md)
 - [Framework Summary](./FRAMEWORK_SUMMARY.md)
-- [Issues](https://github.com/your-repo/tern/issues)
+- [Issues](https://github.com/Hookflo/tern/issues)

package/dist/platforms/algorithms.js CHANGED Viewed

@@ -5,9 +5,7 @@ exports.getPlatformAlgorithmConfig = getPlatformAlgorithmConfig;
 exports.platformUsesAlgorithm = platformUsesAlgorithm;
 exports.getPlatformsUsingAlgorithm = getPlatformsUsingAlgorithm;
 exports.validateSignatureConfig = validateSignatureConfig;
-// Platform to algorithm mapping configuration
 exports.platformAlgorithmConfigs = {
-    // GitHub uses HMAC-SHA256 with prefixed signature
     github: {
         platform: "github",
         signatureConfig: {
@@ -15,19 +13,18 @@ exports.platformAlgorithmConfigs = {
             headerName: "x-hub-signature-256",
             headerFormat: "prefixed",
             prefix: "sha256=",
-            timestampHeader: undefined, // GitHub doesn't use timestamp validation
+            timestampHeader: undefined,
             payloadFormat: "raw",
         },
         description: "GitHub webhooks use HMAC-SHA256 with sha256= prefix",
     },
-    // Stripe uses HMAC-SHA256 with comma-separated format
     stripe: {
         platform: "stripe",
         signatureConfig: {
             algorithm: "hmac-sha256",
             headerName: "stripe-signature",
             headerFormat: "comma-separated",
-            timestampHeader: undefined, // Timestamp is embedded in signature
+            timestampHeader: undefined,
             payloadFormat: "timestamped",
             customConfig: {
                 signatureFormat: "t={timestamp},v1={signature}",
@@ -35,7 +32,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Stripe webhooks use HMAC-SHA256 with comma-separated format",
     },
-    // Clerk uses HMAC-SHA256 with custom base64 encoding
     clerk: {
         platform: "clerk",
         signatureConfig: {
@@ -54,7 +50,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Clerk webhooks use HMAC-SHA256 with base64 encoding",
     },
-    // Dodo Payments uses HMAC-SHA256
     dodopayments: {
         platform: "dodopayments",
         signatureConfig: {
@@ -67,13 +62,11 @@ exports.platformAlgorithmConfigs = {
             customConfig: {
                 signatureFormat: "v1={signature}",
                 payloadFormat: "{id}.{timestamp}.{body}",
-                encoding: "base64",
                 idHeader: "webhook-id",
             },
         },
-        description: "Dodo Payments webhooks use HMAC-SHA256",
+        description: "Dodo Payments webhooks use HMAC-SHA256 with svix-style format (Standard Webhooks)",
     },
-    // Shopify uses HMAC-SHA256
     shopify: {
         platform: "shopify",
         signatureConfig: {
@@ -85,7 +78,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Shopify webhooks use HMAC-SHA256",
     },
-    // Vercel uses HMAC-SHA256
     vercel: {
         platform: "vercel",
         signatureConfig: {
@@ -98,7 +90,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Vercel webhooks use HMAC-SHA256",
     },
-    // Polar uses HMAC-SHA256
     polar: {
         platform: "polar",
         signatureConfig: {
@@ -111,7 +102,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Polar webhooks use HMAC-SHA256",
     },
-    // Supabase uses simple token-based authentication
     supabase: {
         platform: "supabase",
         signatureConfig: {
@@ -126,7 +116,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Supabase webhooks use token-based authentication",
     },
-    // Custom platform - can be configured per instance
     custom: {
         platform: "custom",
         signatureConfig: {
@@ -141,7 +130,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Custom webhook configuration",
     },
-    // Unknown platform - fallback
     unknown: {
         platform: "unknown",
         signatureConfig: {
@@ -153,37 +141,32 @@ exports.platformAlgorithmConfigs = {
         description: "Unknown platform - using default HMAC-SHA256",
     },
 };
-// Helper function to get algorithm config for a platform
 function getPlatformAlgorithmConfig(platform) {
     return exports.platformAlgorithmConfigs[platform] || exports.platformAlgorithmConfigs.unknown;
 }
-// Helper function to check if a platform uses a specific algorithm
 function platformUsesAlgorithm(platform, algorithm) {
     const config = getPlatformAlgorithmConfig(platform);
     return config.signatureConfig.algorithm === algorithm;
 }
-// Helper function to get all platforms using a specific algorithm
 function getPlatformsUsingAlgorithm(algorithm) {
     return Object.entries(exports.platformAlgorithmConfigs)
         .filter(([_, config]) => config.signatureConfig.algorithm === algorithm)
         .map(([platform, _]) => platform);
 }
-// Helper function to validate signature config
 function validateSignatureConfig(config) {
     if (!config.algorithm || !config.headerName) {
         return false;
     }
-    // Validate algorithm-specific requirements
     switch (config.algorithm) {
         case "hmac-sha256":
         case "hmac-sha1":
         case "hmac-sha512":
-            return true; // These algorithms only need headerName
+            return true;
         case "rsa-sha256":
         case "ed25519":
-            return !!config.customConfig?.publicKey; // These need public key
+            return !!config.customConfig?.publicKey;
         case "custom":
-            return !!config.customConfig; // Custom needs custom config
+            return !!config.customConfig;
         default:
             return false;
     }

package/dist/test.js CHANGED Viewed

@@ -3,10 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runTests = runTests;
 const crypto_1 = require("crypto");
 const index_1 = require("./index");
-// Test data
 const testSecret = 'whsec_test_secret_key_12345';
 const testBody = JSON.stringify({ event: 'test', data: { id: '123' } });
-// Helper function to create a mock request
 function createMockRequest(headers, body = testBody) {
     return new Request('https://example.com/webhook', {
         method: 'POST',
@@ -14,7 +12,6 @@ function createMockRequest(headers, body = testBody) {
         body,
     });
 }
-// Helper function to create Stripe signature
 function createStripeSignature(body, secret, timestamp) {
     const signedPayload = `${timestamp}.${body}`;
     const hmac = (0, crypto_1.createHmac)('sha256', secret);
@@ -22,13 +19,11 @@ function createStripeSignature(body, secret, timestamp) {
     const signature = hmac.digest('hex');
     return `t=${timestamp},v1=${signature}`;
 }
-// Helper function to create GitHub signature
 function createGitHubSignature(body, secret) {
     const hmac = (0, crypto_1.createHmac)('sha256', secret);
     hmac.update(body);
     return `sha256=${hmac.digest('hex')}`;
 }
-// Helper function to create Clerk signature
 function createClerkSignature(body, secret, id, timestamp) {
     const signedContent = `${id}.${timestamp}.${body}`;
     const secretBytes = new Uint8Array(Buffer.from(secret.split('_')[1], 'base64'));
@@ -118,6 +113,31 @@ async function runTests() {
     catch (error) {
         console.log('   ❌ Generic test failed:', error);
     }
+    // Test 4.5: Dodo Payments (Standard Webhooks / svix-style)
+    console.log('\n4.5. Testing Dodo Payments...');
+    try {
+        const webhookId = 'test-webhook-id-123';
+        const timestamp = Math.floor(Date.now() / 1000);
+        // Create svix-style signature: {webhook-id}.{webhook-timestamp}.{payload}
+        const signedContent = `${webhookId}.${timestamp}.${testBody}`;
+        const hmac = (0, crypto_1.createHmac)('sha256', testSecret);
+        hmac.update(signedContent);
+        const signature = hmac.digest('hex');
+        const dodoRequest = createMockRequest({
+            'webhook-signature': signature,
+            'webhook-id': webhookId,
+            'webhook-timestamp': timestamp.toString(),
+            'content-type': 'application/json',
+        });
+        const dodoResult = await index_1.WebhookVerificationService.verifyWithPlatformConfig(dodoRequest, 'dodopayments', testSecret);
+        console.log('   ✅ Dodo Payments:', dodoResult.isValid ? 'PASSED' : 'FAILED');
+        if (!dodoResult.isValid) {
+            console.log('   ❌ Error:', dodoResult.error);
+        }
+    }
+    catch (error) {
+        console.log('   ❌ Dodo Payments test failed:', error);
+    }
     // Test 5: Token-based (Supabase)
     console.log('\n5. Testing Token-based Authentication...');
     try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hookflo/tern",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "A robust, scalable webhook verification framework supporting multiple platforms and signature algorithms",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",