npm - @notifykit/sdk - Versions diffs - 1.1.0 → 1.2.0 - Mend

@notifykit/sdk 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
 export { NotifyKitClient } from "./client";
 export * from "./types";
 export * from "./errors";
+export { verifyWebhookSignature } from "./webhooks";
+export type { VerifyWebhookSignatureOptions } from "./webhooks";

package/dist/index.js CHANGED Viewed

@@ -14,8 +14,10 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.NotifyKitClient = void 0;
+exports.verifyWebhookSignature = exports.NotifyKitClient = void 0;
 var client_1 = require("./client");
 Object.defineProperty(exports, "NotifyKitClient", { enumerable: true, get: function () { return client_1.NotifyKitClient; } });
 __exportStar(require("./types"), exports);
 __exportStar(require("./errors"), exports);
+var webhooks_1 = require("./webhooks");
+Object.defineProperty(exports, "verifyWebhookSignature", { enumerable: true, get: function () { return webhooks_1.verifyWebhookSignature; } });

package/dist/types.d.ts CHANGED Viewed

@@ -16,15 +16,7 @@ export interface SendEmailOptions {
     from?: string;
     priority?: 1 | 5 | 10;
     idempotencyKey?: string;
-    /**
-     * Force this email through a specific configured provider (paid plans only).
-     * If unset, the customer's priority order with full failover applies.
-     */
     provider?: EmailProvider;
-    /**
-     * Fallback provider to try if `provider` fails. Ignored unless `provider`
-     * is set. Other configured providers are not tried.
-     */
     fallback?: EmailProvider;
 }
 export interface SendWebhookOptions {

package/dist/webhooks.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+export interface VerifyWebhookSignatureOptions {
+    /** Raw request body as a string — do NOT pass a parsed object. */
+    payload: string;
+    /** Value of the X-Webhook-Timestamp header. */
+    timestamp: string;
+    /** Value of the X-Webhook-Signature header (format: t=<ts>,v1=<hex>). */
+    signature: string;
+    /** Plaintext webhook signing secret from your NotifyKit dashboard. */
+    secret: string;
+    /**
+     * Maximum age of the request in seconds before it is rejected as a replay.
+     * Defaults to 300 (5 minutes).
+     */
+    tolerance?: number;
+}
+/**
+ * Verify an incoming webhook signature from NotifyKit.
+ *
+ * NotifyKit signs outgoing webhook requests with HMAC-SHA256 when a signing
+ * secret is configured. Call this on your receiving endpoint to confirm the
+ * request is genuine and has not been replayed.
+ *
+ * @returns `true` if the signature is valid and the request is within the
+ *   tolerance window, `false` otherwise.
+ *
+ * @example
+ * ```ts
+ * app.post('/webhook', (req, res) => {
+ *   const valid = verifyWebhookSignature({
+ *     payload: req.rawBody,           // raw string, not parsed JSON
+ *     timestamp: req.headers['x-webhook-timestamp'],
+ *     signature: req.headers['x-webhook-signature'],
+ *     secret: process.env.NOTIFYKIT_WEBHOOK_SECRET,
+ *   });
+ *   if (!valid) return res.status(401).send('Invalid signature');
+ *   // ...
+ * });
+ * ```
+ */
+export declare function verifyWebhookSignature(options: VerifyWebhookSignatureOptions): boolean;

package/dist/webhooks.js ADDED Viewed

@@ -0,0 +1,102 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyWebhookSignature = verifyWebhookSignature;
+const crypto = __importStar(require("crypto"));
+/**
+ * Verify an incoming webhook signature from NotifyKit.
+ *
+ * NotifyKit signs outgoing webhook requests with HMAC-SHA256 when a signing
+ * secret is configured. Call this on your receiving endpoint to confirm the
+ * request is genuine and has not been replayed.
+ *
+ * @returns `true` if the signature is valid and the request is within the
+ *   tolerance window, `false` otherwise.
+ *
+ * @example
+ * ```ts
+ * app.post('/webhook', (req, res) => {
+ *   const valid = verifyWebhookSignature({
+ *     payload: req.rawBody,           // raw string, not parsed JSON
+ *     timestamp: req.headers['x-webhook-timestamp'],
+ *     signature: req.headers['x-webhook-signature'],
+ *     secret: process.env.NOTIFYKIT_WEBHOOK_SECRET,
+ *   });
+ *   if (!valid) return res.status(401).send('Invalid signature');
+ *   // ...
+ * });
+ * ```
+ */
+function verifyWebhookSignature(options) {
+    const { payload, timestamp, signature, secret, tolerance = 300 } = options;
+    let v1;
+    let headerTs;
+    for (const part of signature.split(",")) {
+        const eq = part.indexOf("=");
+        if (eq === -1)
+            continue;
+        const key = part.slice(0, eq).trim();
+        const val = part.slice(eq + 1).trim();
+        if (key === "v1")
+            v1 = val;
+        if (key === "t")
+            headerTs = val;
+    }
+    if (!v1 || !headerTs)
+        return false;
+    if (headerTs !== timestamp)
+        return false;
+    const ts = parseInt(timestamp, 10);
+    if (!Number.isFinite(ts))
+        return false;
+    const age = Math.floor(Date.now() / 1000) - ts;
+    if (age < 0 || age > tolerance)
+        return false;
+    const signed = `${timestamp}.${payload}`;
+    const expected = crypto
+        .createHmac("sha256", secret)
+        .update(signed)
+        .digest("hex");
+    try {
+        const expectedBuf = Buffer.from(expected, "hex");
+        const actualBuf = Buffer.from(v1, "hex");
+        if (expectedBuf.length !== actualBuf.length)
+            return false;
+        return crypto.timingSafeEqual(expectedBuf, actualBuf);
+    }
+    catch {
+        return false;
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@notifykit/sdk",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Official NotifyKit SDK for Node.js",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",