@iqauth/sdk 2.3.0 → 2.5.0

package/dist/chunk-LIZYFXH7.mjs

@@ -0,0 +1,90 @@
+import {
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+
+// src/browser/reverify.ts
+var PRIOR_SESSION_STORAGE_KEY = "iqauth_prior_admin_session";
+function enterImpersonation(manager, actorAccessToken) {
+  if (typeof window === "undefined") return;
+  const current = manager.getSnapshot().accessToken;
+  if (current) {
+    const envelope = { accessToken: current, savedAt: Date.now() };
+    try {
+      window.sessionStorage.setItem(PRIOR_SESSION_STORAGE_KEY, JSON.stringify(envelope));
+    } catch {
+    }
+  }
+  manager.applyAccessToken(actorAccessToken);
+}
+function exitImpersonation(manager) {
+  if (typeof window === "undefined") return false;
+  let raw = null;
+  try {
+    raw = window.sessionStorage.getItem(PRIOR_SESSION_STORAGE_KEY);
+  } catch {
+    return false;
+  }
+  if (!raw) return false;
+  try {
+    const envelope = JSON.parse(raw);
+    if (!envelope?.accessToken) return false;
+    manager.applyAccessToken(envelope.accessToken);
+    return true;
+  } catch {
+    return false;
+  } finally {
+    try {
+      window.sessionStorage.removeItem(PRIOR_SESSION_STORAGE_KEY);
+    } catch {
+    }
+  }
+}
+var DEFAULT_REVERIFY_PATH = "/api/v1/auth/reverify";
+async function reverify(manager, input, options = {}) {
+  if (input.level === "password" && !input.password) {
+    throw new IQAuthError("MISSING_PASSWORD", "password is required for level=password");
+  }
+  if (input.level === "mfa" && !input.totp) {
+    throw new IQAuthError("MISSING_CODE", "totp code is required for level=mfa");
+  }
+  const issuer = manager.issuerUrl.replace(/\/$/, "");
+  const url = `${issuer}${options.path ?? DEFAULT_REVERIFY_PATH}`;
+  const res = await manager.fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  let payload = null;
+  try {
+    payload = await res.json();
+  } catch {
+  }
+  if (!res.ok || !payload?.success) {
+    const code = payload?.error?.code ?? "REVERIFICATION_FAILED";
+    const message = payload?.error?.message ?? `reverification failed (${res.status})`;
+    throw new IQAuthError(code, message);
+  }
+  return {
+    token: payload.data.reverificationToken,
+    level: payload.data.level,
+    expiresAt: new Date(payload.data.expiresAt)
+  };
+}
+function withReverification(manager, token) {
+  let used = false;
+  return async (input, init = {}) => {
+    if (used) throw new IQAuthError("REVERIFICATION_USED", "Reverification token already consumed");
+    used = true;
+    const headers = new Headers(init.headers);
+    headers.set("X-Reverification-Token", token);
+    return manager.fetch(input, { ...init, headers });
+  };
+}
+
+export {
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+};

package/dist/chunk-MKKZULZR.mjs

@@ -0,0 +1,241 @@
+import {
+  encodePublishableKey
+} from "./chunk-WQWBJSSS.mjs";
+
+// src/test.ts
+import { createServer } from "http";
+import { generateKeyPairSync, randomBytes, createPublicKey } from "crypto";
+import jwt from "jsonwebtoken";
+function jwkFromPublicKey(publicKey, kid) {
+  const jwk = publicKey.export({ format: "jwk" });
+  return { kty: "RSA", use: "sig", alg: "RS256", kid, n: jwk.n, e: jwk.e };
+}
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (c) => chunks.push(c));
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
+function parseFormOrJson(raw, contentType) {
+  if (!raw) return {};
+  if (contentType && contentType.includes("application/json")) {
+    try {
+      const obj = JSON.parse(raw);
+      const out2 = {};
+      for (const [k, v] of Object.entries(obj || {})) {
+        if (typeof v === "string") out2[k] = v;
+        else if (v != null) out2[k] = String(v);
+      }
+      return out2;
+    } catch {
+      return {};
+    }
+  }
+  const out = {};
+  for (const part of raw.split("&")) {
+    if (!part) continue;
+    const eq = part.indexOf("=");
+    const k = decodeURIComponent(eq === -1 ? part : part.slice(0, eq)).replace(/\+/g, " ");
+    const v = eq === -1 ? "" : decodeURIComponent(part.slice(eq + 1)).replace(/\+/g, " ");
+    out[k] = v;
+  }
+  return out;
+}
+function send(res, status, body, headers = {}) {
+  const payload = typeof body === "string" ? body : JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": typeof body === "string" ? "text/plain; charset=utf-8" : "application/json; charset=utf-8",
+    "Content-Length": Buffer.byteLength(payload),
+    ...headers
+  });
+  res.end(payload);
+}
+async function createTestIssuer(options = {}) {
+  const host = options.host ?? "127.0.0.1";
+  const port = options.port ?? 0;
+  const tenantId = options.tenantId ?? "tenant-test";
+  const appId = options.appId ?? "app-test";
+  const kid = options.kid ?? `test-${randomBytes(6).toString("hex")}`;
+  const defaultAudience = options.defaultAudience ?? ["dispositioniq"];
+  const { privateKey, publicKey } = generateKeyPairSync("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  const publicKeyObj = createPublicKey(publicKey);
+  const jwk = jwkFromPublicKey(publicKeyObj, kid);
+  const pendingCodes = /* @__PURE__ */ new Map();
+  let baseUrl = "";
+  const buildToken = (opts) => {
+    const payload = {
+      sub: opts.sub ?? "test-user",
+      email: opts.email ?? "test@example.com",
+      name: opts.name ?? "Test User",
+      tenantId: opts.tenantId ?? tenantId,
+      vendorId: opts.vendorId ?? null,
+      roles: opts.roles ?? [],
+      entitlements: opts.entitlements ?? [],
+      sessionId: opts.sessionId ?? `sess-${randomBytes(4).toString("hex")}`,
+      jti: opts.jti ?? `jti-${randomBytes(4).toString("hex")}`
+    };
+    if (opts.scopeContext !== void 0) payload.scopeContext = opts.scopeContext;
+    if (opts.loginMethod !== void 0) payload.loginMethod = opts.loginMethod;
+    for (const [k, v] of Object.entries(opts)) {
+      if (["sub", "email", "name", "tenantId", "vendorId", "roles", "entitlements", "sessionId", "jti", "scopeContext", "loginMethod", "audience", "issuer", "expiresInSeconds", "iat"].includes(k))
+        continue;
+      payload[k] = v;
+    }
+    const audience = opts.audience ?? defaultAudience;
+    const issuer = opts.issuer ?? baseUrl;
+    const expiresIn = opts.expiresInSeconds ?? 900;
+    const signOpts = {
+      algorithm: "RS256",
+      keyid: kid,
+      issuer,
+      audience
+    };
+    if (opts.iat !== void 0) {
+      payload.iat = opts.iat;
+      payload.exp = opts.iat + expiresIn;
+    } else {
+      signOpts.expiresIn = expiresIn;
+    }
+    return jwt.sign(payload, privateKey, signOpts);
+  };
+  const handler = async (req, res) => {
+    try {
+      const url = new URL(req.url || "/", baseUrl || `http://${host}`);
+      const path = url.pathname;
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": "*",
+          "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
+          "Access-Control-Allow-Headers": "Authorization,Content-Type"
+        });
+        return res.end();
+      }
+      const cors = { "Access-Control-Allow-Origin": "*" };
+      if (req.method === "GET" && path === "/.well-known/openid-configuration") {
+        return send(res, 200, {
+          issuer: baseUrl,
+          jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+          authorization_endpoint: `${baseUrl}/oidc/authorize`,
+          token_endpoint: `${baseUrl}/oidc/token`,
+          userinfo_endpoint: `${baseUrl}/api/v1/auth/me`,
+          response_types_supported: ["code"],
+          grant_types_supported: ["authorization_code", "refresh_token"],
+          subject_types_supported: ["public"],
+          id_token_signing_alg_values_supported: ["RS256"],
+          code_challenge_methods_supported: ["S256"]
+        }, cors);
+      }
+      if (req.method === "GET" && path === "/.well-known/jwks.json") {
+        return send(res, 200, { keys: [jwk] }, { ...cors, "Cache-Control": "public, max-age=3600" });
+      }
+      if (req.method === "POST" && path === "/oidc/token") {
+        const raw = await readBody(req);
+        const params = parseFormOrJson(raw, req.headers["content-type"]);
+        const grant = params.grant_type;
+        if (grant === "authorization_code") {
+          const code = params.code;
+          const pending = code ? pendingCodes.get(code) : void 0;
+          if (!pending) {
+            return send(res, 400, { error: "invalid_grant", error_description: "Unknown or expired code" }, cors);
+          }
+          pendingCodes.delete(code);
+          const accessToken = buildToken(pending.claims);
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: pending.refreshToken,
+            id_token: accessToken,
+            token_type: "Bearer",
+            expires_in: pending.claims.expiresInSeconds ?? 900
+          }, cors);
+        }
+        if (grant === "refresh_token") {
+          const accessToken = buildToken({ sub: "test-user" });
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: params.refresh_token || `rt-${randomBytes(8).toString("hex")}`,
+            token_type: "Bearer",
+            expires_in: 900
+          }, cors);
+        }
+        return send(res, 400, { error: "unsupported_grant_type" }, cors);
+      }
+      if (req.method === "GET" && path === "/api/v1/auth/me") {
+        const auth = req.headers.authorization || "";
+        if (!/^Bearer /i.test(auth)) {
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: "Missing bearer" } }, cors);
+        }
+        const token = auth.slice(7).trim();
+        try {
+          const decoded = jwt.verify(token, publicKey, {
+            algorithms: ["RS256"],
+            issuer: baseUrl,
+            audience: defaultAudience
+          });
+          return send(res, 200, {
+            success: true,
+            data: {
+              id: decoded.sub,
+              email: decoded.email,
+              name: decoded.name,
+              tenantId: decoded.tenantId,
+              roles: decoded.roles,
+              entitlements: decoded.entitlements
+            }
+          }, cors);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : "verify failed";
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: msg } }, cors);
+        }
+      }
+      send(res, 404, { error: "not_found", path }, cors);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "internal error";
+      send(res, 500, { error: "internal", message: msg });
+    }
+  };
+  const server = createServer((req, res) => {
+    void handler(req, res);
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  const addr = server.address();
+  const boundPort = typeof addr === "object" && addr ? addr.port : port;
+  baseUrl = `http://${host}:${boundPort}`;
+  const publishableKey = encodePublishableKey("test", {
+    iss: baseUrl,
+    appId,
+    tenantId,
+    kid
+  });
+  return {
+    baseUrl,
+    publishableKey,
+    kid,
+    publicKey,
+    mintToken: (opts = {}) => buildToken(opts),
+    mintAuthCode: (opts = {}) => {
+      const code = `code-${randomBytes(12).toString("hex")}`;
+      const refreshToken = opts.refreshToken ?? `rt-${randomBytes(12).toString("hex")}`;
+      pendingCodes.set(code, { claims: opts, refreshToken });
+      return code;
+    },
+    close: () => new Promise((resolve, reject) => {
+      server.close((err) => err ? reject(err) : resolve());
+    })
+  };
+}
+
+export {
+  createTestIssuer
+};

package/dist/chunk-SL3KRS4W.mjs

@@ -0,0 +1,54 @@
+// src/server/provisioningBridge.ts
+function defaultIsUniqueViolation(err) {
+  if (!err || typeof err !== "object") return false;
+  const e = err;
+  if (e.code === "23505") return true;
+  if (typeof e.code === "string" && e.code.startsWith("SQLITE_CONSTRAINT")) return true;
+  if (typeof e.message === "string" && /unique constraint|duplicate key/i.test(e.message)) return true;
+  return false;
+}
+function createProvisioningBridge(options) {
+  const { storage } = options;
+  const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const roleOf = (claims) => {
+    try {
+      return options.roleMapper?.(claims) ?? null;
+    } catch {
+      return null;
+    }
+  };
+  const ensureUser = async (claims) => {
+    if (!claims?.sub) {
+      throw new Error("createProvisioningBridge: claims.sub is required");
+    }
+    const byId = await storage.findByIqAuthUserId(claims.sub);
+    if (byId) return { user: byId, claims, created: false, adopted: false };
+    if (claims.email) {
+      const byEmail = await storage.findByEmail(claims.email);
+      if (byEmail) {
+        if (storage.adoptByEmail) {
+          const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
+          return { user: adopted, claims, created: false, adopted: true };
+        }
+      }
+    }
+    try {
+      const created = await storage.insertFromClaims(claims, roleOf(claims));
+      return { user: created, claims, created: true, adopted: false };
+    } catch (err) {
+      if (!isUniqueViolation(err)) throw err;
+      const after = await storage.findByIqAuthUserId(claims.sub);
+      if (after) return { user: after, claims, created: false, adopted: false };
+      if (claims.email) {
+        const byEmail = await storage.findByEmail(claims.email);
+        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+      }
+      throw err;
+    }
+  };
+  return { ensureUser };
+}
+
+export {
+  createProvisioningBridge
+};

package/dist/chunk-TKZTCPEK.mjs

@@ -0,0 +1,232 @@
+// src/browser/pkce.ts
+function getCrypto() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  throw new Error("WebCrypto is not available in this environment");
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function randomUrlSafe(byteLength = 32) {
+  const bytes = new Uint8Array(byteLength);
+  getCrypto().getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+async function s256Challenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await getCrypto().subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function createPkcePair() {
+  const codeVerifier = randomUrlSafe(32);
+  const codeChallenge = await s256Challenge(codeVerifier);
+  const state = randomUrlSafe(16);
+  const nonce = randomUrlSafe(16);
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+
+// src/browser/storage.ts
+var REFRESH_COOKIE = "iqauth_rt";
+var PKCE_STORAGE_PREFIX = "iqauth.pkce.";
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+function setCookie(name, value, opts = {}) {
+  if (!isBrowser()) return;
+  const parts = [`${name}=${encodeURIComponent(value)}`];
+  parts.push(`Path=${opts.path ?? "/"}`);
+  if (opts.maxAgeSeconds !== void 0) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  if (opts.secure ?? location.protocol === "https:") parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite ?? "lax"}`);
+  document.cookie = parts.join("; ");
+}
+function getCookie(name) {
+  if (!isBrowser()) return null;
+  const target = `${name}=`;
+  const segments = document.cookie ? document.cookie.split(";") : [];
+  for (const seg of segments) {
+    const trimmed = seg.trim();
+    if (trimmed.startsWith(target)) {
+      try {
+        return decodeURIComponent(trimmed.slice(target.length));
+      } catch {
+        return null;
+      }
+    }
+  }
+  return null;
+}
+function clearCookie(name, opts = {}) {
+  setCookie(name, "", { ...opts, maxAgeSeconds: 0 });
+}
+function savePkce(record) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.setItem(PKCE_STORAGE_PREFIX + record.state, JSON.stringify(record));
+  } catch {
+  }
+}
+function loadPkce(state) {
+  if (!isBrowser()) return null;
+  try {
+    const raw = sessionStorage.getItem(PKCE_STORAGE_PREFIX + state);
+    if (!raw) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function clearPkce(state) {
+  if (!isBrowser()) return;
+  try {
+    sessionStorage.removeItem(PKCE_STORAGE_PREFIX + state);
+  } catch {
+  }
+}
+
+// src/browser/signIn.ts
+var DEFAULT_SIGN_IN_PATH = "/sign-in";
+var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+var DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
+var DEFAULT_TOKEN_PATH = "/oidc/token";
+var DEFAULT_CALLBACK_PATH = "/auth/callback";
+function defaultRedirectUri() {
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment (window)");
+  }
+  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
+}
+function defaultReturnTo() {
+  if (typeof window === "undefined") return "/";
+  return window.location.href;
+}
+async function buildSignInUrl(manager, opts = {}) {
+  const pkce = await createPkcePair();
+  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
+  const returnTo = opts.returnTo ?? defaultReturnTo();
+  savePkce({
+    codeVerifier: pkce.codeVerifier,
+    state: pkce.state,
+    nonce: pkce.nonce,
+    redirectUri,
+    appKey: manager.publishableKey.raw,
+    returnTo,
+    createdAt: Date.now()
+  });
+  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("app", manager.appKey);
+  url.searchParams.set("publishable_key", manager.publishableKey.raw);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("state", pkce.state);
+  url.searchParams.set("nonce", pkce.nonce);
+  url.searchParams.set("code_challenge", pkce.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("scope", opts.scope ?? "openid profile email");
+  url.searchParams.set("return_to", returnTo);
+  if (opts.prompt) url.searchParams.set("prompt", opts.prompt);
+  return url.toString();
+}
+async function redirectToSignIn(manager, opts = {}) {
+  const url = await buildSignInUrl(manager, opts);
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment");
+  }
+  window.location.assign(url);
+}
+async function signIn(manager, opts = {}) {
+  return redirectToSignIn(manager, opts);
+}
+async function handleAuthCallback(manager, options = {}) {
+  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const errorParam = url.searchParams.get("error");
+  if (errorParam) {
+    return { ok: false, returnTo: "/", error: errorParam };
+  }
+  if (!code || !state) {
+    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
+  }
+  const record = loadPkce(state);
+  if (!record) {
+    return { ok: false, returnTo: "/", error: "unknown_state" };
+  }
+  clearPkce(state);
+  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
+  if (!fetchImpl) {
+    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
+  }
+  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
+  const res = await fetchImpl(tokenUrl, {
+    method: "POST",
+    credentials: "include",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: record.redirectUri,
+      client_id: manager.appKey,
+      code_verifier: record.codeVerifier
+    })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    return { ok: false, returnTo: record.returnTo, error: desc };
+  }
+  const tokens = body;
+  if (!tokens.access_token) {
+    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
+  }
+  if (tokens.refresh_token) {
+    const cookieName = options.cookieNames?.refresh ?? manager.refreshCookie ?? REFRESH_COOKIE;
+    setCookie(cookieName, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+  }
+  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  return { ok: true, returnTo: record.returnTo };
+}
+async function signOut(manager, opts = {}) {
+  if (!opts.localOnly) {
+    const issuer = manager.issuerUrl.replace(/\/$/, "");
+    try {
+      const url = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
+    } catch {
+    }
+    if (opts.endSsoSession !== false) {
+      try {
+        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
+          method: "POST",
+          credentials: "include"
+        }).catch(() => void 0);
+      } catch {
+      }
+    }
+  }
+  clearCookie(manager.refreshCookie ?? REFRESH_COOKIE);
+  manager.signOutLocal();
+  if (opts.returnTo && typeof window !== "undefined") {
+    window.location.assign(opts.returnTo);
+  }
+}
+
+export {
+  REFRESH_COOKIE,
+  setCookie,
+  getCookie,
+  clearCookie,
+  randomUrlSafe,
+  s256Challenge,
+  createPkcePair,
+  buildSignInUrl,
+  redirectToSignIn,
+  signIn,
+  handleAuthCallback,
+  signOut
+};

package/dist/chunk-UKZLOHZG.mjs

@@ -0,0 +1,83 @@
+// src/webhooks.ts
+import crypto from "crypto";
+var WebhookSignatureError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "WebhookSignatureError";
+    this.code = code;
+  }
+};
+function toBuffer(p) {
+  if (typeof p === "string") return Buffer.from(p, "utf8");
+  if (Buffer.isBuffer(p)) return p;
+  return Buffer.from(p);
+}
+function parseHeader(header) {
+  let t = NaN;
+  const v1 = [];
+  for (const part of header.split(",")) {
+    const [k, v] = part.split("=", 2);
+    if (!k || v === void 0) continue;
+    const key = k.trim();
+    const value = v.trim();
+    if (key === "t") t = Number(value);
+    else if (key === "v1") v1.push(value);
+  }
+  return { t, v1 };
+}
+function timingSafeEqualHex(a, b) {
+  if (a.length !== b.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+  } catch {
+    return false;
+  }
+}
+function verifyWebhookSignature(opts) {
+  const headerRaw = Array.isArray(opts.header) ? opts.header[0] : opts.header;
+  if (!headerRaw || typeof headerRaw !== "string") {
+    throw new WebhookSignatureError("MISSING_HEADER", "Missing X-IQAuth-Signature header");
+  }
+  if (!opts.secret) {
+    throw new WebhookSignatureError("MISSING_SECRET", "secret is required");
+  }
+  const { t, v1 } = parseHeader(headerRaw);
+  if (!Number.isFinite(t) || v1.length === 0) {
+    throw new WebhookSignatureError("MALFORMED_HEADER", `Could not parse signature header: ${headerRaw}`);
+  }
+  const tolerance = opts.toleranceSeconds ?? 300;
+  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - t) > tolerance) {
+    throw new WebhookSignatureError(
+      "TIMESTAMP_OUT_OF_TOLERANCE",
+      `Signature timestamp ${t} is outside the ${tolerance}s tolerance window (now=${now})`
+    );
+  }
+  const body = toBuffer(opts.payload);
+  const expected = crypto.createHmac("sha256", opts.secret).update(`${t}.`).update(body).digest("hex");
+  const matched = v1.some((sig) => timingSafeEqualHex(sig, expected));
+  if (!matched) {
+    throw new WebhookSignatureError("SIGNATURE_MISMATCH", "Webhook signature does not match expected value");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body.toString("utf8"));
+  } catch {
+    throw new WebhookSignatureError("MALFORMED_BODY", "Webhook body is not valid JSON");
+  }
+  return parsed;
+}
+function isValidWebhookSignature(opts) {
+  try {
+    verifyWebhookSignature(opts);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export {
+  WebhookSignatureError,
+  verifyWebhookSignature,
+  isValidWebhookSignature
+};