@hookflo/tern 1.0.4 → 1.0.6

package/README.md

@@ -109,6 +109,67 @@ const result = await WebhookVerificationService.verify(request, stripeConfig);
 - **Polar**: HMAC-SHA256
 - **Supabase**: Token-based authentication
 
+## Custom Platform Configuration
+
+This framework is fully configuration-driven. You can verify webhooks from any provider—even if it is not built-in—by supplying a custom configuration object. This allows you to support new or proprietary platforms instantly, without waiting for a library update.
+
+### Example: Standard HMAC-SHA256 Webhook
+
+```typescript
+import { WebhookVerificationService } from '@hookflo/tern';
+
+const acmeConfig = {
+  platform: 'acmepay',
+  secret: 'acme_secret',
+  signatureConfig: {
+    algorithm: 'hmac-sha256',
+    headerName: 'x-acme-signature',
+    headerFormat: 'raw',
+    timestampHeader: 'x-acme-timestamp',
+    timestampFormat: 'unix',
+    payloadFormat: 'timestamped', // signs as {timestamp}.{body}
+  }
+};
+
+const result = await WebhookVerificationService.verify(request, acmeConfig);
+```
+
+### Example: Svix/Standard Webhooks (Clerk, Dodo Payments, etc.)
+
+```typescript
+const svixConfig = {
+  platform: 'my-svix-platform',
+  secret: 'whsec_abc123...',
+  signatureConfig: {
+    algorithm: 'hmac-sha256',
+    headerName: 'webhook-signature',
+    headerFormat: 'raw',
+    timestampHeader: 'webhook-timestamp',
+    timestampFormat: 'unix',
+    payloadFormat: 'custom',
+    customConfig: {
+      payloadFormat: '{id}.{timestamp}.{body}',
+      idHeader: 'webhook-id',
+      // encoding: 'base64' // only if the provider uses base64, otherwise omit
+    }
+  }
+};
+
+const result = await WebhookVerificationService.verify(request, svixConfig);
+```
+
+You can configure any combination of algorithm, header, payload, and encoding. See the `SignatureConfig` type for all options.
+
+## Webhook Verification OK Tested Platforms
+- **Stripe**
+- **Supabase**
+- **Github**
+- **Clerk**
+- **Dodo Payments**
+
+- **Other Platforms** : Yet to verify....
+
+
 ## Custom Configurations
 
 ### Custom HMAC-SHA256
@@ -301,4 +362,4 @@ MIT License - see [LICENSE](./LICENSE) for details.
 
 - [Documentation](./USAGE.md)
 - [Framework Summary](./FRAMEWORK_SUMMARY.md)
-- [Issues](https://github.com/your-repo/tern/issues)
+- [Issues](https://github.com/Hookflo/tern/issues)

package/dist/platforms/algorithms.js

@@ -5,9 +5,7 @@ exports.getPlatformAlgorithmConfig = getPlatformAlgorithmConfig;
 exports.platformUsesAlgorithm = platformUsesAlgorithm;
 exports.getPlatformsUsingAlgorithm = getPlatformsUsingAlgorithm;
 exports.validateSignatureConfig = validateSignatureConfig;
-// Platform to algorithm mapping configuration
 exports.platformAlgorithmConfigs = {
-    // GitHub uses HMAC-SHA256 with prefixed signature
     github: {
         platform: "github",
         signatureConfig: {
@@ -15,19 +13,18 @@ exports.platformAlgorithmConfigs = {
             headerName: "x-hub-signature-256",
             headerFormat: "prefixed",
             prefix: "sha256=",
-            timestampHeader: undefined, // GitHub doesn't use timestamp validation
+            timestampHeader: undefined,
             payloadFormat: "raw",
         },
         description: "GitHub webhooks use HMAC-SHA256 with sha256= prefix",
     },
-    // Stripe uses HMAC-SHA256 with comma-separated format
     stripe: {
         platform: "stripe",
         signatureConfig: {
             algorithm: "hmac-sha256",
             headerName: "stripe-signature",
             headerFormat: "comma-separated",
-            timestampHeader: undefined, // Timestamp is embedded in signature
+            timestampHeader: undefined,
             payloadFormat: "timestamped",
             customConfig: {
                 signatureFormat: "t={timestamp},v1={signature}",
@@ -35,7 +32,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Stripe webhooks use HMAC-SHA256 with comma-separated format",
     },
-    // Clerk uses HMAC-SHA256 with custom base64 encoding
     clerk: {
         platform: "clerk",
         signatureConfig: {
@@ -54,7 +50,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Clerk webhooks use HMAC-SHA256 with base64 encoding",
     },
-    // Dodo Payments uses HMAC-SHA256
     dodopayments: {
         platform: "dodopayments",
         signatureConfig: {
@@ -71,9 +66,8 @@ exports.platformAlgorithmConfigs = {
                 idHeader: "webhook-id",
             },
         },
-        description: "Dodo Payments webhooks use HMAC-SHA256",
+        description: "Dodo Payments webhooks use HMAC-SHA256 with svix-style format (Standard Webhooks)",
     },
-    // Shopify uses HMAC-SHA256
     shopify: {
         platform: "shopify",
         signatureConfig: {
@@ -85,7 +79,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Shopify webhooks use HMAC-SHA256",
     },
-    // Vercel uses HMAC-SHA256
     vercel: {
         platform: "vercel",
         signatureConfig: {
@@ -98,7 +91,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Vercel webhooks use HMAC-SHA256",
     },
-    // Polar uses HMAC-SHA256
     polar: {
         platform: "polar",
         signatureConfig: {
@@ -111,7 +103,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Polar webhooks use HMAC-SHA256",
     },
-    // Supabase uses simple token-based authentication
     supabase: {
         platform: "supabase",
         signatureConfig: {
@@ -126,7 +117,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Supabase webhooks use token-based authentication",
     },
-    // Custom platform - can be configured per instance
     custom: {
         platform: "custom",
         signatureConfig: {
@@ -141,7 +131,6 @@ exports.platformAlgorithmConfigs = {
         },
         description: "Custom webhook configuration",
     },
-    // Unknown platform - fallback
     unknown: {
         platform: "unknown",
         signatureConfig: {
@@ -153,37 +142,32 @@ exports.platformAlgorithmConfigs = {
         description: "Unknown platform - using default HMAC-SHA256",
     },
 };
-// Helper function to get algorithm config for a platform
 function getPlatformAlgorithmConfig(platform) {
     return exports.platformAlgorithmConfigs[platform] || exports.platformAlgorithmConfigs.unknown;
 }
-// Helper function to check if a platform uses a specific algorithm
 function platformUsesAlgorithm(platform, algorithm) {
     const config = getPlatformAlgorithmConfig(platform);
     return config.signatureConfig.algorithm === algorithm;
 }
-// Helper function to get all platforms using a specific algorithm
 function getPlatformsUsingAlgorithm(algorithm) {
     return Object.entries(exports.platformAlgorithmConfigs)
         .filter(([_, config]) => config.signatureConfig.algorithm === algorithm)
         .map(([platform, _]) => platform);
 }
-// Helper function to validate signature config
 function validateSignatureConfig(config) {
     if (!config.algorithm || !config.headerName) {
         return false;
     }
-    // Validate algorithm-specific requirements
     switch (config.algorithm) {
         case "hmac-sha256":
         case "hmac-sha1":
         case "hmac-sha512":
-            return true; // These algorithms only need headerName
+            return true;
         case "rsa-sha256":
         case "ed25519":
-            return !!config.customConfig?.publicKey; // These need public key
+            return !!config.customConfig?.publicKey;
         case "custom":
-            return !!config.customConfig; // Custom needs custom config
+            return !!config.customConfig;
         default:
             return false;
     }

package/dist/test.js

@@ -3,10 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.runTests = runTests;
 const crypto_1 = require("crypto");
 const index_1 = require("./index");
-// Test data
 const testSecret = 'whsec_test_secret_key_12345';
 const testBody = JSON.stringify({ event: 'test', data: { id: '123' } });
-// Helper function to create a mock request
 function createMockRequest(headers, body = testBody) {
     return new Request('https://example.com/webhook', {
         method: 'POST',
@@ -14,7 +12,6 @@ function createMockRequest(headers, body = testBody) {
         body,
     });
 }
-// Helper function to create Stripe signature
 function createStripeSignature(body, secret, timestamp) {
     const signedPayload = `${timestamp}.${body}`;
     const hmac = (0, crypto_1.createHmac)('sha256', secret);
@@ -22,13 +19,11 @@ function createStripeSignature(body, secret, timestamp) {
     const signature = hmac.digest('hex');
     return `t=${timestamp},v1=${signature}`;
 }
-// Helper function to create GitHub signature
 function createGitHubSignature(body, secret) {
     const hmac = (0, crypto_1.createHmac)('sha256', secret);
     hmac.update(body);
     return `sha256=${hmac.digest('hex')}`;
 }
-// Helper function to create Clerk signature
 function createClerkSignature(body, secret, id, timestamp) {
     const signedContent = `${id}.${timestamp}.${body}`;
     const secretBytes = new Uint8Array(Buffer.from(secret.split('_')[1], 'base64'));
@@ -118,6 +113,36 @@ async function runTests() {
     catch (error) {
         console.log('   ❌ Generic test failed:', error);
     }
+    // Test 4.5: Dodo Payments (Standard Webhooks / svix-style)
+    console.log('\n4.5. Testing Dodo Payments...');
+    try {
+        const webhookId = 'test-webhook-id-123';
+        const timestamp = Math.floor(Date.now() / 1000);
+        // Create a proper secret format for Standard Webhooks (whsec_ + base64 encoded secret)
+        const base64Secret = Buffer.from(testSecret).toString('base64');
+        const dodoSecret = `whsec_${base64Secret}`;
+        // Create svix-style signature: {webhook-id}.{webhook-timestamp}.{payload}
+        const signedContent = `${webhookId}.${timestamp}.${testBody}`;
+        // Use the base64-decoded secret for HMAC (like the Standard Webhooks library)
+        const secretBytes = new Uint8Array(Buffer.from(base64Secret, 'base64'));
+        const hmac = (0, crypto_1.createHmac)('sha256', secretBytes);
+        hmac.update(signedContent);
+        const signature = `v1,${hmac.digest('base64')}`;
+        const dodoRequest = createMockRequest({
+            'webhook-signature': signature,
+            'webhook-id': webhookId,
+            'webhook-timestamp': timestamp.toString(),
+            'content-type': 'application/json',
+        });
+        const dodoResult = await index_1.WebhookVerificationService.verifyWithPlatformConfig(dodoRequest, 'dodopayments', dodoSecret);
+        console.log('   ✅ Dodo Payments:', dodoResult.isValid ? 'PASSED' : 'FAILED');
+        if (!dodoResult.isValid) {
+            console.log('   ❌ Error:', dodoResult.error);
+        }
+    }
+    catch (error) {
+        console.log('   ❌ Dodo Payments test failed:', error);
+    }
     // Test 5: Token-based (Supabase)
     console.log('\n5. Testing Token-based Authentication...');
     try {

package/dist/verifiers/algorithms.js

@@ -31,8 +31,7 @@ class AlgorithmBasedVerifier extends base_1.WebhookVerifier {
                 return sigMap.v1 || sigMap.signature || null;
             case "raw":
             default:
-                // For Clerk, handle space-separated signatures
-                if (this.platform === "clerk") {
+                if (this.platform === "clerk" || this.platform === "dodopayments") {
                     const signatures = headerValue.split(" ");
                     for (const sig of signatures) {
                         const [version, signature] = sig.split(",");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hookflo/tern",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "A robust, scalable webhook verification framework supporting multiple platforms and signature algorithms",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",