@hypermid/sdk 1.2.0

package/dist/webhook-verify.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Webhook signature verification utility.
+ *
+ * When HyperMid sends a webhook, it includes:
+ *   - `X-Hypermid-Signature`: HMAC-SHA256 hex digest of the raw body
+ *   - `X-Hypermid-Event`: event type (e.g. "swap.completed")
+ *
+ * Use `verifyWebhookSignature()` to validate incoming webhooks.
+ *
+ * @example Express / Node.js
+ * ```ts
+ * import { verifyWebhookSignature } from "@hypermid/sdk";
+ *
+ * app.post("/webhooks/hypermid", express.raw({ type: "application/json" }), (req, res) => {
+ *   const signature = req.headers["x-hypermid-signature"] as string;
+ *   const isValid = verifyWebhookSignature(req.body, signature, WEBHOOK_SECRET);
+ *
+ *   if (!isValid) {
+ *     return res.status(401).send("Invalid signature");
+ *   }
+ *
+ *   const event = req.headers["x-hypermid-event"];
+ *   const payload = JSON.parse(req.body.toString());
+ *   // Handle event...
+ *   res.sendStatus(200);
+ * });
+ * ```
+ */
+/**
+ * Verify a webhook signature using HMAC-SHA256.
+ *
+ * Works in both Node.js (using `crypto`) and edge runtimes (using `SubtleCrypto`).
+ *
+ * @param body - The raw request body (string or Buffer/Uint8Array)
+ * @param signature - The `X-Hypermid-Signature` header value
+ * @param secret - Your webhook signing secret (from webhook creation)
+ * @returns `true` if the signature is valid
+ */
+export declare function verifyWebhookSignature(body: string | Uint8Array, signature: string, secret: string): Promise<boolean>;
+//# sourceMappingURL=webhook-verify.d.ts.map

package/dist/webhook-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook-verify.d.ts","sourceRoot":"","sources":["../src/webhook-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH;;;;;;;;;GASG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,GAAG,UAAU,EACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAgClB"}

package/dist/webhook-verify.js

@@ -0,0 +1,76 @@
+/**
+ * Webhook signature verification utility.
+ *
+ * When HyperMid sends a webhook, it includes:
+ *   - `X-Hypermid-Signature`: HMAC-SHA256 hex digest of the raw body
+ *   - `X-Hypermid-Event`: event type (e.g. "swap.completed")
+ *
+ * Use `verifyWebhookSignature()` to validate incoming webhooks.
+ *
+ * @example Express / Node.js
+ * ```ts
+ * import { verifyWebhookSignature } from "@hypermid/sdk";
+ *
+ * app.post("/webhooks/hypermid", express.raw({ type: "application/json" }), (req, res) => {
+ *   const signature = req.headers["x-hypermid-signature"] as string;
+ *   const isValid = verifyWebhookSignature(req.body, signature, WEBHOOK_SECRET);
+ *
+ *   if (!isValid) {
+ *     return res.status(401).send("Invalid signature");
+ *   }
+ *
+ *   const event = req.headers["x-hypermid-event"];
+ *   const payload = JSON.parse(req.body.toString());
+ *   // Handle event...
+ *   res.sendStatus(200);
+ * });
+ * ```
+ */
+/**
+ * Verify a webhook signature using HMAC-SHA256.
+ *
+ * Works in both Node.js (using `crypto`) and edge runtimes (using `SubtleCrypto`).
+ *
+ * @param body - The raw request body (string or Buffer/Uint8Array)
+ * @param signature - The `X-Hypermid-Signature` header value
+ * @param secret - Your webhook signing secret (from webhook creation)
+ * @returns `true` if the signature is valid
+ */
+export async function verifyWebhookSignature(body, signature, secret) {
+    const bodyStr = typeof body === "string" ? body : new TextDecoder().decode(body);
+    // Try Node.js crypto first (synchronous, faster)
+    try {
+        const crypto = await import("node:crypto");
+        const expected = crypto
+            .createHmac("sha256", secret)
+            .update(bodyStr)
+            .digest("hex");
+        return timingSafeEqual(expected, signature);
+    }
+    catch {
+        // Not in Node.js — use SubtleCrypto (edge runtimes, Deno, Bun)
+    }
+    try {
+        const encoder = new TextEncoder();
+        const key = await globalThis.crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        const sig = await globalThis.crypto.subtle.sign("HMAC", key, encoder.encode(bodyStr));
+        const expected = Array.from(new Uint8Array(sig))
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+        return timingSafeEqual(expected, signature);
+    }
+    catch {
+        return false;
+    }
+}
+/** Constant-time string comparison to prevent timing attacks */
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+//# sourceMappingURL=webhook-verify.js.map

package/dist/webhook-verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook-verify.js","sourceRoot":"","sources":["../src/webhook-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAyB,EACzB,SAAiB,EACjB,MAAc;IAEd,MAAM,OAAO,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEjF,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,MAAM;aACpB,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC;aAC5B,MAAM,CAAC,OAAO,CAAC;aACf,MAAM,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAClD,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QACtF,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;aAC7C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,eAAe,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,gEAAgE;AAChE,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@hypermid/sdk",
+  "version": "1.2.0",
+  "description": "TypeScript SDK for the HyperMid Partner API — swap, bridge & on-ramp across 90+ chains",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run clean && npm run build"
+  },
+  "keywords": [
+    "hypermid",
+    "swap",
+    "bridge",
+    "cross-chain",
+    "defi",
+    "lifi",
+    "near-intents",
+    "onramp",
+    "web3"
+  ],
+  "author": "HyperMid",
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "typescript": "^5.5.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}