@iqauth/sdk 2.6.4 → 2.8.1

package/dist/chunk-VYQ3ETCK.mjs

@@ -0,0 +1,244 @@
+// src/webhooks.ts
+import crypto from "crypto";
+var WebhookSignatureError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "WebhookSignatureError";
+    this.code = code;
+  }
+};
+var IQAUTH_SIGNATURE_HEADER = "x-iqauth-signature";
+var LEGACY_SIGNATURE_HEADERS = [
+  "x-webhook-signature",
+  "x-iq-auth-signature",
+  "x-signature"
+];
+function toBuffer(p) {
+  if (typeof p === "string") return Buffer.from(p, "utf8");
+  if (Buffer.isBuffer(p)) return p;
+  return Buffer.from(p);
+}
+function parseHeader(header) {
+  let t = NaN;
+  const v1 = [];
+  const trimmed = header.trim();
+  if (/^[0-9a-f]+$/i.test(trimmed)) {
+    v1.push(trimmed.toLowerCase());
+    return { t, v1 };
+  }
+  for (const part of trimmed.split(",")) {
+    const eqIdx = part.indexOf("=");
+    if (eqIdx === -1) continue;
+    const key = part.slice(0, eqIdx).trim().toLowerCase();
+    const value = part.slice(eqIdx + 1).trim();
+    if (!value) continue;
+    if (key === "t") t = Number(value);
+    else if (key === "v1") v1.push(value.toLowerCase());
+  }
+  return { t, v1 };
+}
+function timingSafeEqualHex(a, b) {
+  if (a.length !== b.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+  } catch {
+    return false;
+  }
+}
+function computeSignatures(secret, body, t) {
+  const modern = crypto.createHmac("sha256", secret).update(body).digest("hex");
+  const legacy = Number.isFinite(t) ? crypto.createHmac("sha256", secret).update(`${t}.`).update(body).digest("hex") : null;
+  return { modern, legacy };
+}
+function verifyWebhookSignature(opts) {
+  const headerRaw = Array.isArray(opts.header) ? opts.header[0] : opts.header;
+  if (!headerRaw || typeof headerRaw !== "string") {
+    throw new WebhookSignatureError("MISSING_HEADER", "Missing X-IQAuth-Signature header");
+  }
+  if (!opts.secret) {
+    throw new WebhookSignatureError("MISSING_SECRET", "secret is required");
+  }
+  const { t, v1 } = parseHeader(headerRaw);
+  if (v1.length === 0) {
+    throw new WebhookSignatureError("MALFORMED_HEADER", `Could not parse signature header: ${headerRaw}`);
+  }
+  const tolerance = opts.toleranceSeconds ?? 300;
+  if (Number.isFinite(t)) {
+    const now = opts.nowSeconds ?? Math.floor(Date.now() / 1e3);
+    if (Math.abs(now - t) > tolerance) {
+      throw new WebhookSignatureError(
+        "TIMESTAMP_OUT_OF_TOLERANCE",
+        `Signature timestamp ${t} is outside the ${tolerance}s tolerance window (now=${now})`
+      );
+    }
+  }
+  const body = toBuffer(opts.payload);
+  const { modern, legacy } = computeSignatures(opts.secret, body, t);
+  const expected = Number.isFinite(t) ? legacy : modern;
+  const matched = expected !== null && v1.some((sig) => timingSafeEqualHex(sig.toLowerCase(), expected));
+  if (!matched) {
+    throw new WebhookSignatureError("SIGNATURE_MISMATCH", "Webhook signature does not match expected value");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body.toString("utf8"));
+  } catch {
+    throw new WebhookSignatureError("MALFORMED_BODY", "Webhook body is not valid JSON");
+  }
+  if (!Number.isFinite(t) && !opts.allowMissingTimestamp) {
+    const rawTime = parsed.time;
+    if (typeof rawTime !== "string" || !rawTime) {
+      throw new WebhookSignatureError(
+        "MISSING_TIMESTAMP",
+        "Modern webhook delivery has no header `t=` and no envelope `time`; cannot enforce replay protection. Use parseWebhookEvent, or set allowMissingTimestamp:true (insecure)."
+      );
+    }
+    const eventMs = Date.parse(rawTime);
+    if (!Number.isFinite(eventMs)) {
+      throw new WebhookSignatureError(
+        "MALFORMED_TIMESTAMP",
+        `Envelope \`time\` is not a valid ISO timestamp: ${rawTime}`
+      );
+    }
+    const nowMs = (opts.nowSeconds ?? Math.floor(Date.now() / 1e3)) * 1e3;
+    if (Math.abs(nowMs - eventMs) > tolerance * 1e3) {
+      throw new WebhookSignatureError(
+        "TIMESTAMP_OUT_OF_TOLERANCE",
+        `Envelope time ${rawTime} is outside the ${tolerance}s tolerance window`
+      );
+    }
+  }
+  return parsed;
+}
+function isValidWebhookSignature(opts) {
+  try {
+    verifyWebhookSignature(opts);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    return headers.get(name);
+  }
+  const lower = name.toLowerCase();
+  const obj = headers;
+  if (lower in obj) return obj[lower];
+  for (const [k, v] of Object.entries(obj)) {
+    if (k.toLowerCase() === lower) return v;
+  }
+  return void 0;
+}
+function pickHeaderValue(value) {
+  if (value == null) return null;
+  if (Array.isArray(value)) return value[0] ?? null;
+  return value;
+}
+function envelopeError(message) {
+  throw new WebhookSignatureError("MALFORMED_ENVELOPE", message);
+}
+function parseWebhookEvent(rawBody, headers, secrets, opts = {}) {
+  if (!Array.isArray(secrets) || secrets.length === 0 || secrets.every((s) => !s)) {
+    throw new WebhookSignatureError("MISSING_SECRET", "At least one signing secret is required");
+  }
+  let headerValue = pickHeaderValue(readHeader(headers, IQAUTH_SIGNATURE_HEADER));
+  let usedHeader = IQAUTH_SIGNATURE_HEADER;
+  if (!headerValue) {
+    for (const legacy of LEGACY_SIGNATURE_HEADERS) {
+      const v = pickHeaderValue(readHeader(headers, legacy));
+      if (v) {
+        headerValue = v;
+        usedHeader = legacy;
+        const log = opts.onDeprecation ?? ((m) => console.warn(m));
+        log(
+          `[iqauth] deprecation: webhook delivery used legacy header "${legacy}"; migrate sender to "X-IQAuth-Signature" (back-compat removed in next minor).`
+        );
+        break;
+      }
+    }
+  }
+  if (!headerValue) {
+    throw new WebhookSignatureError(
+      "MISSING_HEADER",
+      `Missing webhook signature header. Expected "X-IQAuth-Signature" (or one of: ${LEGACY_SIGNATURE_HEADERS.join(", ")}).`
+    );
+  }
+  const { t, v1 } = parseHeader(headerValue);
+  if (v1.length === 0) {
+    throw new WebhookSignatureError(
+      "MALFORMED_HEADER",
+      `Could not parse "${usedHeader}" header value: ${headerValue}`
+    );
+  }
+  const body = toBuffer(rawBody);
+  let verifiedIdx = -1;
+  for (let i = 0; i < secrets.length; i++) {
+    const secret = secrets[i];
+    if (!secret) continue;
+    const { modern, legacy } = computeSignatures(secret, body, t);
+    const expected = Number.isFinite(t) ? legacy : modern;
+    const ok = expected !== null && v1.some((sig) => timingSafeEqualHex(sig.toLowerCase(), expected));
+    if (ok) {
+      verifiedIdx = i;
+      break;
+    }
+  }
+  if (verifiedIdx === -1) {
+    throw new WebhookSignatureError(
+      "SIGNATURE_MISMATCH",
+      "Webhook signature does not match any provided secret"
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body.toString("utf8"));
+  } catch {
+    throw new WebhookSignatureError("MALFORMED_BODY", "Webhook body is not valid JSON");
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    envelopeError("Webhook body must be a JSON object");
+  }
+  const { id, type, subject, time, data, tenantId, specversion } = parsed;
+  if (specversion !== "1.0") {
+    envelopeError(`Envelope \`specversion\` must be "1.0" (got: ${JSON.stringify(specversion)})`);
+  }
+  if (typeof id !== "string" || !id) envelopeError("Envelope missing required string `id`");
+  if (typeof type !== "string" || !type) envelopeError("Envelope missing required string `type`");
+  if (typeof subject !== "string" || !subject) envelopeError("Envelope missing required string `subject`");
+  if (typeof time !== "string" || !time) envelopeError("Envelope missing required string `time`");
+  if (typeof tenantId !== "string" || !tenantId) envelopeError("Envelope missing required string `tenantId`");
+  if (data === void 0 || data === null || typeof data !== "object" || Array.isArray(data)) {
+    envelopeError("Envelope `data` must be an object");
+  }
+  const tolerance = opts.toleranceSeconds ?? 300;
+  const eventMs = Date.parse(time);
+  if (!Number.isFinite(eventMs)) envelopeError(`Envelope \`time\` is not a valid ISO timestamp: ${time}`);
+  const nowMs = opts.nowMs ?? Date.now();
+  if (Math.abs(nowMs - eventMs) > tolerance * 1e3) {
+    throw new WebhookSignatureError(
+      "TIMESTAMP_OUT_OF_TOLERANCE",
+      `Envelope time ${time} is outside the ${tolerance}s tolerance window (now=${new Date(nowMs).toISOString()})`
+    );
+  }
+  return {
+    specversion: "1.0",
+    id,
+    type,
+    subject,
+    time,
+    tenantId,
+    data,
+    idempotencyKey: id,
+    verifiedWithSecretIndex: verifiedIdx
+  };
+}
+
+export {
+  WebhookSignatureError,
+  IQAUTH_SIGNATURE_HEADER,
+  LEGACY_SIGNATURE_HEADERS,
+  verifyWebhookSignature,
+  isValidWebhookSignature,
+  parseWebhookEvent
+};

package/dist/{chunk-3JULWS6F.mjs → chunk-WCELYTJ3.mjs}

@@ -1,12 +1,12 @@
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
+} from "./chunk-NUO2I65G.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 
 // src/ws.ts
 var DEFAULT_COOKIE = "iqauth_at";