@mobilizehub/payload-plugin 0.1.0 → 0.3.0

package/dist/utils/unsubscribe-token.d.ts

@@ -0,0 +1,67 @@
+type UnsubscribeToken = {
+    timestamp: number;
+    tokenId: string;
+};
+/**
+ * Creates a secure unsubscribe token for the given token ID.
+ *
+ * ## Token Format
+ * The token consists of two parts separated by a dot:
+ * - Base64URL-encoded JSON payload containing tokenId and timestamp
+ * - HMAC-SHA256 signature of the payload
+ *
+ * ## Expiration
+ * Tokens expire after 30 days from creation
+ *
+ * ## Security Considerations
+ * - Tokens are signed with HMAC-SHA256 using PAYLOAD_SECRET
+ * - Verification uses timing-safe comparison to prevent timing attacks
+ * - Tokens cannot be forged without knowing PAYLOAD_SECRET
+ *
+ * @param args - Object containing tokenId
+ * @param args.tokenId - Unique identifier for the unsubscribe token
+ * @returns Base64URL-encoded token string in format: `{payload}.{signature}`
+ * @throws Error if PAYLOAD_SECRET environment variable is not defined
+ *
+ * @example
+ * ```typescript
+ * const token = generateUnsubscribeToken({ tokenId: 'uuid-1234' })
+ * // Returns: 'eyJ0b2tlbklkIjoidXVpZC0xMjM0IiwidGltZXN0YW1wIjoxNzAwMDAwMDAwfQ.abc123...'
+ * ```
+ */
+export declare function generateUnsubscribeToken(args: {
+    tokenId: string;
+}): string;
+/**
+ * Verifies an unsubscribe token and returns the decoded payload if valid.
+ *
+ * ## Verification Process
+ * 1. Splits token into payload and signature
+ * 2. Verifies HMAC signature using timing-safe comparison
+ * 3. Decodes and parses the JSON payload
+ * 4. Checks if token has expired (30 day limit)
+ *
+ * ## Security
+ * - Uses `crypto.timingSafeEqual()` to prevent timing attacks
+ * - Returns null for any invalid or expired token
+ * - Catches and handles all errors gracefully
+ *
+ * @param args - Object containing the token to verify
+ * @param args.token - The unsubscribe token to verify
+ * @returns Decoded token input with tokenId and timestamp if valid, null otherwise
+ * @throws Error if PAYLOAD_SECRET environment variable is not defined
+ *
+ * @example
+ * ```typescript
+ * const result = verifyUnsubscribeToken({ token: 'eyJ0b2...' })
+ * if (result) {
+ *   console.log(`Token ID: ${result.tokenId}, Created: ${new Date(result.timestamp)}`)
+ * } else {
+ *   console.log('Invalid or expired token')
+ * }
+ * ```
+ */
+export declare function verifyUnsubscribeToken(args: {
+    token: string;
+}): null | UnsubscribeToken;
+export {};

package/dist/utils/unsubscribe-token.js

@@ -0,0 +1,103 @@
+import crypto from 'crypto';
+const UNSUBSCRIBE_TOKEN_EXPIRATION = 30 * 24 * 60 * 60 * 1000 // 30 days in milliseconds
+;
+const HMAC_ALGORITHM = 'sha256';
+const TOKEN_ENCODING = 'base64url';
+/**
+ * Creates a secure unsubscribe token for the given token ID.
+ *
+ * ## Token Format
+ * The token consists of two parts separated by a dot:
+ * - Base64URL-encoded JSON payload containing tokenId and timestamp
+ * - HMAC-SHA256 signature of the payload
+ *
+ * ## Expiration
+ * Tokens expire after 30 days from creation
+ *
+ * ## Security Considerations
+ * - Tokens are signed with HMAC-SHA256 using PAYLOAD_SECRET
+ * - Verification uses timing-safe comparison to prevent timing attacks
+ * - Tokens cannot be forged without knowing PAYLOAD_SECRET
+ *
+ * @param args - Object containing tokenId
+ * @param args.tokenId - Unique identifier for the unsubscribe token
+ * @returns Base64URL-encoded token string in format: `{payload}.{signature}`
+ * @throws Error if PAYLOAD_SECRET environment variable is not defined
+ *
+ * @example
+ * ```typescript
+ * const token = generateUnsubscribeToken({ tokenId: 'uuid-1234' })
+ * // Returns: 'eyJ0b2tlbklkIjoidXVpZC0xMjM0IiwidGltZXN0YW1wIjoxNzAwMDAwMDAwfQ.abc123...'
+ * ```
+ */ export function generateUnsubscribeToken(args) {
+    const secret = process.env.PAYLOAD_SECRET;
+    if (!secret) {
+        throw new Error('PAYLOAD_SECRET environment variable is not defined');
+    }
+    const input = {
+        timestamp: Date.now(),
+        tokenId: args.tokenId
+    };
+    const inputBase64 = Buffer.from(JSON.stringify(input)).toString(TOKEN_ENCODING);
+    const hmac = crypto.createHmac(HMAC_ALGORITHM, secret);
+    hmac.update(inputBase64);
+    const signature = hmac.digest(TOKEN_ENCODING);
+    return `${inputBase64}.${signature}`;
+}
+/**
+ * Verifies an unsubscribe token and returns the decoded payload if valid.
+ *
+ * ## Verification Process
+ * 1. Splits token into payload and signature
+ * 2. Verifies HMAC signature using timing-safe comparison
+ * 3. Decodes and parses the JSON payload
+ * 4. Checks if token has expired (30 day limit)
+ *
+ * ## Security
+ * - Uses `crypto.timingSafeEqual()` to prevent timing attacks
+ * - Returns null for any invalid or expired token
+ * - Catches and handles all errors gracefully
+ *
+ * @param args - Object containing the token to verify
+ * @param args.token - The unsubscribe token to verify
+ * @returns Decoded token input with tokenId and timestamp if valid, null otherwise
+ * @throws Error if PAYLOAD_SECRET environment variable is not defined
+ *
+ * @example
+ * ```typescript
+ * const result = verifyUnsubscribeToken({ token: 'eyJ0b2...' })
+ * if (result) {
+ *   console.log(`Token ID: ${result.tokenId}, Created: ${new Date(result.timestamp)}`)
+ * } else {
+ *   console.log('Invalid or expired token')
+ * }
+ * ```
+ */ export function verifyUnsubscribeToken(args) {
+    try {
+        const secret = process.env.PAYLOAD_SECRET;
+        if (!secret) {
+            throw new Error('PAYLOAD_SECRET environment variable is not defined');
+        }
+        const parts = args.token.split('.');
+        if (parts.length !== 2) {
+            return null;
+        }
+        const [inputBase64, signature] = parts;
+        const hmac = crypto.createHmac(HMAC_ALGORITHM, secret);
+        hmac.update(inputBase64);
+        const expectedSignature = hmac.digest(TOKEN_ENCODING);
+        if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {
+            return null;
+        }
+        const inputJson = Buffer.from(inputBase64, TOKEN_ENCODING).toString('utf-8');
+        const input = JSON.parse(inputJson);
+        if (Date.now() - input.timestamp > UNSUBSCRIBE_TOKEN_EXPIRATION) {
+            return null;
+        }
+        return input;
+    } catch  {
+        return null;
+    }
+}
+
+//# sourceMappingURL=unsubscribe-token.js.map

package/dist/utils/unsubscribe-token.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utils/unsubscribe-token.ts"],"sourcesContent":["import crypto from 'crypto'\n\nconst UNSUBSCRIBE_TOKEN_EXPIRATION = 30 * 24 * 60 * 60 * 1000 // 30 days in milliseconds\n\nconst HMAC_ALGORITHM = 'sha256'\n\nconst TOKEN_ENCODING = 'base64url'\n\ntype UnsubscribeToken = {\n  timestamp: number\n  tokenId: string\n}\n\n/**\n * Creates a secure unsubscribe token for the given token ID.\n *\n * ## Token Format\n * The token consists of two parts separated by a dot:\n * - Base64URL-encoded JSON payload containing tokenId and timestamp\n * - HMAC-SHA256 signature of the payload\n *\n * ## Expiration\n * Tokens expire after 30 days from creation\n *\n * ## Security Considerations\n * - Tokens are signed with HMAC-SHA256 using PAYLOAD_SECRET\n * - Verification uses timing-safe comparison to prevent timing attacks\n * - Tokens cannot be forged without knowing PAYLOAD_SECRET\n *\n * @param args - Object containing tokenId\n * @param args.tokenId - Unique identifier for the unsubscribe token\n * @returns Base64URL-encoded token string in format: `{payload}.{signature}`\n * @throws Error if PAYLOAD_SECRET environment variable is not defined\n *\n * @example\n * ```typescript\n * const token = generateUnsubscribeToken({ tokenId: 'uuid-1234' })\n * // Returns: 'eyJ0b2tlbklkIjoidXVpZC0xMjM0IiwidGltZXN0YW1wIjoxNzAwMDAwMDAwfQ.abc123...'\n * ```\n */\nexport function generateUnsubscribeToken(args: { tokenId: string }): string {\n  const secret = process.env.PAYLOAD_SECRET\n  if (!secret) {\n    throw new Error('PAYLOAD_SECRET environment variable is not defined')\n  }\n\n  const input: UnsubscribeToken = {\n    timestamp: Date.now(),\n    tokenId: args.tokenId,\n  }\n\n  const inputBase64 = Buffer.from(JSON.stringify(input)).toString(TOKEN_ENCODING)\n\n  const hmac = crypto.createHmac(HMAC_ALGORITHM, secret)\n  hmac.update(inputBase64)\n  const signature = hmac.digest(TOKEN_ENCODING)\n\n  return `${inputBase64}.${signature}`\n}\n\n/**\n * Verifies an unsubscribe token and returns the decoded payload if valid.\n *\n * ## Verification Process\n * 1. Splits token into payload and signature\n * 2. Verifies HMAC signature using timing-safe comparison\n * 3. Decodes and parses the JSON payload\n * 4. Checks if token has expired (30 day limit)\n *\n * ## Security\n * - Uses `crypto.timingSafeEqual()` to prevent timing attacks\n * - Returns null for any invalid or expired token\n * - Catches and handles all errors gracefully\n *\n * @param args - Object containing the token to verify\n * @param args.token - The unsubscribe token to verify\n * @returns Decoded token input with tokenId and timestamp if valid, null otherwise\n * @throws Error if PAYLOAD_SECRET environment variable is not defined\n *\n * @example\n * ```typescript\n * const result = verifyUnsubscribeToken({ token: 'eyJ0b2...' })\n * if (result) {\n *   console.log(`Token ID: ${result.tokenId}, Created: ${new Date(result.timestamp)}`)\n * } else {\n *   console.log('Invalid or expired token')\n * }\n * ```\n */\nexport function verifyUnsubscribeToken(args: { token: string }): null | UnsubscribeToken {\n  try {\n    const secret = process.env.PAYLOAD_SECRET\n    if (!secret) {\n      throw new Error('PAYLOAD_SECRET environment variable is not defined')\n    }\n\n    const parts = args.token.split('.')\n    if (parts.length !== 2) {\n      return null\n    }\n\n    const [inputBase64, signature] = parts\n\n    const hmac = crypto.createHmac(HMAC_ALGORITHM, secret)\n    hmac.update(inputBase64)\n    const expectedSignature = hmac.digest(TOKEN_ENCODING)\n\n    if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {\n      return null\n    }\n\n    const inputJson = Buffer.from(inputBase64, TOKEN_ENCODING).toString('utf-8')\n    const input: UnsubscribeToken = JSON.parse(inputJson)\n\n    if (Date.now() - input.timestamp > UNSUBSCRIBE_TOKEN_EXPIRATION) {\n      return null\n    }\n\n    return input\n  } catch {\n    return null\n  }\n}\n"],"names":["crypto","UNSUBSCRIBE_TOKEN_EXPIRATION","HMAC_ALGORITHM","TOKEN_ENCODING","generateUnsubscribeToken","args","secret","process","env","PAYLOAD_SECRET","Error","input","timestamp","Date","now","tokenId","inputBase64","Buffer","from","JSON","stringify","toString","hmac","createHmac","update","signature","digest","verifyUnsubscribeToken","parts","token","split","length","expectedSignature","timingSafeEqual","inputJson","parse"],"mappings":"AAAA,OAAOA,YAAY,SAAQ;AAE3B,MAAMC,+BAA+B,KAAK,KAAK,KAAK,KAAK,KAAK,0BAA0B;;AAExF,MAAMC,iBAAiB;AAEvB,MAAMC,iBAAiB;AAOvB;;;;;;;;;;;;;;;;;;;;;;;;;;CA0BC,GACD,OAAO,SAASC,yBAAyBC,IAAyB;IAChE,MAAMC,SAASC,QAAQC,GAAG,CAACC,cAAc;IACzC,IAAI,CAACH,QAAQ;QACX,MAAM,IAAII,MAAM;IAClB;IAEA,MAAMC,QAA0B;QAC9BC,WAAWC,KAAKC,GAAG;QACnBC,SAASV,KAAKU,OAAO;IACvB;IAEA,MAAMC,cAAcC,OAAOC,IAAI,CAACC,KAAKC,SAAS,CAACT,QAAQU,QAAQ,CAAClB;IAEhE,MAAMmB,OAAOtB,OAAOuB,UAAU,CAACrB,gBAAgBI;IAC/CgB,KAAKE,MAAM,CAACR;IACZ,MAAMS,YAAYH,KAAKI,MAAM,CAACvB;IAE9B,OAAO,GAAGa,YAAY,CAAC,EAAES,WAAW;AACtC;AAEA;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BC,GACD,OAAO,SAASE,uBAAuBtB,IAAuB;IAC5D,IAAI;QACF,MAAMC,SAASC,QAAQC,GAAG,CAACC,cAAc;QACzC,IAAI,CAACH,QAAQ;YACX,MAAM,IAAII,MAAM;QAClB;QAEA,MAAMkB,QAAQvB,KAAKwB,KAAK,CAACC,KAAK,CAAC;QAC/B,IAAIF,MAAMG,MAAM,KAAK,GAAG;YACtB,OAAO;QACT;QAEA,MAAM,CAACf,aAAaS,UAAU,GAAGG;QAEjC,MAAMN,OAAOtB,OAAOuB,UAAU,CAACrB,gBAAgBI;QAC/CgB,KAAKE,MAAM,CAACR;QACZ,MAAMgB,oBAAoBV,KAAKI,MAAM,CAACvB;QAEtC,IAAI,CAACH,OAAOiC,eAAe,CAAChB,OAAOC,IAAI,CAACO,YAAYR,OAAOC,IAAI,CAACc,qBAAqB;YACnF,OAAO;QACT;QAEA,MAAME,YAAYjB,OAAOC,IAAI,CAACF,aAAab,gBAAgBkB,QAAQ,CAAC;QACpE,MAAMV,QAA0BQ,KAAKgB,KAAK,CAACD;QAE3C,IAAIrB,KAAKC,GAAG,KAAKH,MAAMC,SAAS,GAAGX,8BAA8B;YAC/D,OAAO;QACT;QAEA,OAAOU;IACT,EAAE,OAAM;QACN,OAAO;IACT;AACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mobilizehub/payload-plugin",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Edvocacy plugin for Payload",
   "license": "MIT",
   "private": false,
@@ -20,6 +20,16 @@
       "import": "./dist/exports/rsc.js",
       "types": "./dist/exports/rsc.d.ts",
       "default": "./dist/exports/rsc.js"
+    },
+    "./react": {
+      "import": "./dist/react/index.js",
+      "types": "./dist/react/index.d.ts",
+      "default": "./dist/react/index.js"
+    },
+    "./adapters": {
+      "import": "./dist/adapters/index.js",
+      "types": "./dist/adapters/index.d.ts",
+      "default": "./dist/adapters/index.js"
     }
   },
   "main": "./dist/index.js",
@@ -30,12 +40,12 @@
   "devDependencies": {
     "@changesets/cli": "^2.29.8",
     "@eslint/eslintrc": "^3.2.0",
-    "@payloadcms/db-postgres": "3.37.0",
-    "@payloadcms/db-sqlite": "3.37.0",
+    "@payloadcms/db-postgres": "3.68.5",
+    "@payloadcms/db-sqlite": "3.68.5",
     "@payloadcms/eslint-config": "3.9.0",
-    "@payloadcms/next": "3.37.0",
-    "@payloadcms/richtext-lexical": "3.37.0",
-    "@payloadcms/ui": "3.37.0",
+    "@payloadcms/next": "3.68.5",
+    "@payloadcms/richtext-lexical": "3.68.5",
+    "@payloadcms/ui": "3.68.5",
     "@playwright/test": "1.56.1",
     "@swc-node/register": "1.10.9",
     "@swc/cli": "0.6.0",
@@ -50,7 +60,7 @@
     "husky": "^9.1.7",
     "next": "15.4.10",
     "open": "^10.1.0",
-    "payload": "3.37.0",
+    "payload": "3.68.5",
     "prettier": "^3.4.2",
     "qs-esm": "7.0.2",
     "react": "19.2.1",
@@ -63,7 +73,7 @@
     "vitest": "^3.1.2"
   },
   "peerDependencies": {
-    "payload": "^3.37.0"
+    "payload": "^3.68.5"
   },
   "engines": {
     "node": "^18.20.2 || >=20.9.0",
@@ -71,7 +81,8 @@
   },
   "registry": "https://registry.npmjs.org/",
   "dependencies": {
-    "i18n-iso-countries": "^7.14.0"
+    "i18n-iso-countries": "^7.14.0",
+    "zod": "^4.2.1"
   },
   "scripts": {
     "build": "pnpm copyfiles && pnpm build:types && pnpm build:swc",