@hookflo/tern 2.2.0 → 2.2.3

package/README.md

@@ -218,7 +218,7 @@ const result = await WebhookVerificationService.verify(request, stripeConfig);
 - **WooCommerce**: HMAC-SHA256 (base64 signature)
 - **ReplicateAI**: HMAC-SHA256 (Standard Webhooks style)
 - **fal.ai**: ED25519 (`x-fal-webhook-signature`)
-- **Shopify**: HMAC-SHA256
+- **Shopify**: HMAC-SHA256 (base64 signature)
 - **Vercel**: HMAC-SHA256
 - **Polar**: HMAC-SHA256
 - **Supabase**: Token-based authentication

package/dist/adapters/cloudflare.js

@@ -12,7 +12,7 @@ function createWebhookHandler(options) {
             }
             const result = await index_1.WebhookVerificationService.verifyWithPlatformConfig(request, options.platform, secret, options.toleranceInSeconds, options.normalize);
             if (!result.isValid) {
-                return Response.json({ error: result.error, platform: result.platform }, { status: 400 });
+                return Response.json({ error: result.error, errorCode: result.errorCode, platform: result.platform, metadata: result.metadata }, { status: 400 });
             }
             const data = await options.handler(result.payload, env, result.metadata || {});
             return Response.json(data);

package/dist/adapters/express.js

@@ -9,7 +9,7 @@ function createWebhookMiddleware(options) {
             const webRequest = await (0, shared_1.toWebRequest)(req);
             const result = await index_1.WebhookVerificationService.verifyWithPlatformConfig(webRequest, options.platform, options.secret, options.toleranceInSeconds, options.normalize);
             if (!result.isValid) {
-                res.status(400).json({ error: result.error, platform: result.platform });
+                res.status(400).json({ error: result.error, errorCode: result.errorCode, platform: result.platform, metadata: result.metadata });
                 return;
             }
             req.webhook = result;

package/dist/adapters/nextjs.js

@@ -7,7 +7,7 @@ function createWebhookHandler(options) {
         try {
             const result = await index_1.WebhookVerificationService.verifyWithPlatformConfig(request, options.platform, options.secret, options.toleranceInSeconds, options.normalize);
             if (!result.isValid) {
-                return Response.json({ error: result.error, platform: result.platform }, { status: 400 });
+                return Response.json({ error: result.error, errorCode: result.errorCode, platform: result.platform, metadata: result.metadata }, { status: 400 });
             }
             const data = await options.handler(result.payload, result.metadata || {});
             return Response.json(data);

package/dist/index.js

@@ -79,6 +79,7 @@ class WebhookVerificationService {
         if (detectedPlatform !== 'unknown' && secrets[detectedPlatform]) {
             return this.verifyWithPlatformConfig(requestClone, detectedPlatform, secrets[detectedPlatform], toleranceInSeconds, normalize);
         }
+        const failedAttempts = [];
         for (const [platform, secret] of Object.entries(secrets)) {
             if (!secret) {
                 continue;
@@ -87,12 +88,25 @@ class WebhookVerificationService {
             if (result.isValid) {
                 return result;
             }
+            failedAttempts.push({
+                platform: platform.toLowerCase(),
+                error: result.error,
+                errorCode: result.errorCode,
+            });
         }
+        const details = failedAttempts
+            .map((attempt) => `${attempt.platform}: ${attempt.error || 'verification failed'}`)
+            .join('; ');
         return {
             isValid: false,
-            error: 'Unable to verify webhook with provided platform secrets',
-            errorCode: 'VERIFICATION_ERROR',
+            error: details
+                ? `Unable to verify webhook with provided platform secrets. Attempts -> ${details}`
+                : 'Unable to verify webhook with provided platform secrets',
+            errorCode: failedAttempts.find((attempt) => attempt.errorCode)?.errorCode || 'VERIFICATION_ERROR',
             platform: detectedPlatform,
+            metadata: {
+                attempts: failedAttempts,
+            },
         };
     }
     static detectPlatform(request) {
@@ -107,6 +121,8 @@ class WebhookVerificationService {
             return 'workos';
         if (headers.has('webhook-signature')) {
             const userAgent = headers.get('user-agent')?.toLowerCase() || '';
+            if (userAgent.includes('polar'))
+                return 'polar';
             if (userAgent.includes('replicate'))
                 return 'replicateai';
             return 'dodopayments';

package/dist/platforms/algorithms.js

@@ -76,10 +76,13 @@ exports.platformAlgorithmConfigs = {
             algorithm: 'hmac-sha256',
             headerName: 'x-shopify-hmac-sha256',
             headerFormat: 'raw',
-            timestampHeader: 'x-shopify-shop-domain',
             payloadFormat: 'raw',
+            customConfig: {
+                encoding: 'base64',
+                secretEncoding: 'utf8',
+            },
         },
-        description: 'Shopify webhooks use HMAC-SHA256',
+        description: 'Shopify webhooks use HMAC-SHA256 with base64 encoded signature',
     },
     vercel: {
         platform: 'vercel',
@@ -97,13 +100,20 @@ exports.platformAlgorithmConfigs = {
         platform: 'polar',
         signatureConfig: {
             algorithm: 'hmac-sha256',
-            headerName: 'x-polar-signature',
+            headerName: 'webhook-signature',
             headerFormat: 'raw',
-            timestampHeader: 'x-polar-timestamp',
+            timestampHeader: 'webhook-timestamp',
             timestampFormat: 'unix',
-            payloadFormat: 'raw',
+            payloadFormat: 'custom',
+            customConfig: {
+                signatureFormat: 'v1={signature}',
+                payloadFormat: '{id}.{timestamp}.{body}',
+                encoding: 'base64',
+                secretEncoding: 'base64',
+                idHeader: 'webhook-id',
+            },
         },
-        description: 'Polar webhooks use HMAC-SHA256',
+        description: 'Polar webhooks use HMAC-SHA256 with Standard Webhooks format',
     },
     supabase: {
         platform: 'supabase',

package/dist/test.js

@@ -49,6 +49,11 @@ function createPaddleSignature(body, secret, timestamp) {
     hmac.update(signedPayload);
     return `ts=${timestamp};h1=${hmac.digest('hex')}`;
 }
+function createShopifySignature(body, secret) {
+    const hmac = (0, crypto_1.createHmac)('sha256', secret);
+    hmac.update(body);
+    return hmac.digest('base64');
+}
 function createWooCommerceSignature(body, secret) {
     const hmac = (0, crypto_1.createHmac)('sha256', secret);
     hmac.update(body);
@@ -277,6 +282,24 @@ async function runTests() {
     catch (error) {
         console.log('   ❌ verifyAny test failed:', error);
     }
+    // Test 10.5: verifyAny error diagnostics
+    console.log('\n10.5. Testing verifyAny error diagnostics...');
+    try {
+        const unknownRequest = createMockRequest({
+            'content-type': 'application/json',
+        });
+        const invalidVerifyAny = await index_1.WebhookVerificationService.verifyAny(unknownRequest, {
+            stripe: testSecret,
+            shopify: testSecret,
+        });
+        const hasDetailedErrors = Boolean(invalidVerifyAny.error
+            && invalidVerifyAny.error.includes('Attempts ->')
+            && invalidVerifyAny.metadata?.attempts?.length === 2);
+        console.log('   ✅ verifyAny diagnostics:', hasDetailedErrors ? 'PASSED' : 'FAILED');
+    }
+    catch (error) {
+        console.log('   ❌ verifyAny diagnostics test failed:', error);
+    }
     // Test 11: Normalization for Stripe
     console.log('\n11. Testing payload normalization...');
     try {
@@ -396,6 +419,23 @@ async function runTests() {
     catch (error) {
         console.log('   ❌ WorkOS test failed:', error);
     }
+    // Test 17.5: Shopify
+    console.log('\n17.5. Testing Shopify webhook...');
+    try {
+        const signature = createShopifySignature(testBody, testSecret);
+        const request = createMockRequest({
+            'x-shopify-hmac-sha256': signature,
+            'content-type': 'application/json',
+        });
+        const result = await index_1.WebhookVerificationService.verifyWithPlatformConfig(request, 'shopify', testSecret);
+        console.log('   ✅ Shopify:', result.isValid ? 'PASSED' : 'FAILED');
+        if (!result.isValid) {
+            console.log('   ❌ Error:', result.error);
+        }
+    }
+    catch (error) {
+        console.log('   ❌ Shopify test failed:', error);
+    }
     // Test 18: WooCommerce
     console.log('\n18. Testing WooCommerce webhook...');
     try {
@@ -410,6 +450,28 @@ async function runTests() {
     catch (error) {
         console.log('   ❌ WooCommerce test failed:', error);
     }
+    // Test 18.5: Polar (Standard Webhooks)
+    console.log('\n18.5. Testing Polar webhook...');
+    try {
+        const secret = `whsec_${Buffer.from(testSecret).toString('base64')}`;
+        const webhookId = 'polar-webhook-id-1';
+        const timestamp = Math.floor(Date.now() / 1000);
+        const signature = createStandardWebhooksSignature(testBody, secret, webhookId, timestamp);
+        const request = createMockRequest({
+            'webhook-signature': signature,
+            'webhook-id': webhookId,
+            'webhook-timestamp': timestamp.toString(),
+            'user-agent': 'Polar.sh Webhooks',
+            'content-type': 'application/json',
+        });
+        const result = await index_1.WebhookVerificationService.verifyWithPlatformConfig(request, 'polar', secret);
+        const detectedPlatform = index_1.WebhookVerificationService.detectPlatform(request);
+        console.log('   ✅ Polar verification:', result.isValid ? 'PASSED' : 'FAILED');
+        console.log('   ✅ Polar auto-detect:', detectedPlatform === 'polar' ? 'PASSED' : 'FAILED');
+    }
+    catch (error) {
+        console.log('   ❌ Polar test failed:', error);
+    }
     // Test 19: Replicate
     console.log('\n19. Testing Replicate webhook...');
     try {

package/dist/utils.js

@@ -152,6 +152,12 @@ function detectPlatformFromHeaders(headers) {
     if (headerMap.has('x-polar-signature')) {
         return 'polar';
     }
+    if (headerMap.has('webhook-signature')) {
+        const userAgent = (headerMap.get('user-agent') || '').toLowerCase();
+        if (userAgent.includes('polar')) {
+            return 'polar';
+        }
+    }
     // Supabase
     if (headerMap.has('x-webhook-token')) {
         return 'supabase';

package/dist/verifiers/algorithms.js

@@ -135,9 +135,13 @@ class AlgorithmBasedVerifier extends base_1.WebhookVerifier {
     }
     verifyHMACWithBase64(payload, signature, algorithm = 'sha256') {
         const secretEncoding = this.config.customConfig?.secretEncoding || 'base64';
-        const secretMaterial = secretEncoding === 'base64'
-            ? new Uint8Array(Buffer.from(this.secret.includes('_') ? this.secret.split('_')[1] : this.secret, 'base64'))
-            : this.secret;
+        let secretMaterial = this.secret;
+        if (secretEncoding === 'base64') {
+            const base64Secret = this.secret.includes('_')
+                ? this.secret.split('_').slice(1).join('_')
+                : this.secret;
+            secretMaterial = new Uint8Array(Buffer.from(base64Secret, 'base64'));
+        }
         const hmac = (0, crypto_1.createHmac)(algorithm, secretMaterial);
         hmac.update(payload);
         const expectedSignature = hmac.digest('base64');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hookflo/tern",
-  "version": "2.2.0",
+  "version": "2.2.3",
   "description": "A robust, scalable webhook verification framework supporting multiple platforms and signature algorithms",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",