@nvwa-app/sdk-functions 6.1.0 → 6.3.0

package/dist/index.d.mts

@@ -57,6 +57,21 @@ interface GetOrderResult {
     currency: string;
     raw: Record<string, unknown>;
 }
+declare const PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER = "X-Payment-Gateway-Signature";
+interface PaymentSuccessNotifyPayload {
+    platformOrderId: string;
+    bizOrderId: string;
+    status: "succeeded";
+    amount: number;
+    currency: string;
+    providerId: string;
+    providerOrderId?: string;
+    timestamp: string;
+    paidAt: string;
+}
+declare function verifySuccessNotifySignature(rawBody: string, signature: string | null | undefined, secret: string): Promise<boolean>;
+declare function parseSuccessNotifyPayload(rawBody: string): PaymentSuccessNotifyPayload;
+declare function verifyAndParseSuccessNotifyRequest(request: Request, secret: string): Promise<PaymentSuccessNotifyPayload>;
 interface PaymentGatewayClient {
     createOrder(params: CreateOrderParams): Promise<CreateOrderResult>;
     getOrder(platformOrderId: string): Promise<GetOrderResult>;
@@ -92,4 +107,4 @@ interface CapabilityExecuteResponse<Data = unknown> {
  */
 declare function executeCapability<Result = unknown>(capabilityName: string, param?: unknown, options?: ExecuteCapabilityOptions): Promise<Result | undefined>;
 
-export { type AuthUser, type CapabilityExecuteResponse, type CreateOrderParams, type CreateOrderResult, type ExecuteCapabilityOptions, type GetAvailableProvidersOptions, type GetOrderResult, type PaymentGatewayClient, type PaymentGatewayClientOptions, type PaymentPlatform, createPaymentClient, executeCapability, filterProvidersByPlatform, getAvailableProviders, getConfiguredProviders, getDb, getPayment, getRequestUser, providerSupportedPlatforms };
+export { type AuthUser, type CapabilityExecuteResponse, type CreateOrderParams, type CreateOrderResult, type ExecuteCapabilityOptions, type GetAvailableProvidersOptions, type GetOrderResult, PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER, type PaymentGatewayClient, type PaymentGatewayClientOptions, type PaymentPlatform, type PaymentSuccessNotifyPayload, createPaymentClient, executeCapability, filterProvidersByPlatform, getAvailableProviders, getConfiguredProviders, getDb, getPayment, getRequestUser, parseSuccessNotifyPayload, providerSupportedPlatforms, verifyAndParseSuccessNotifyRequest, verifySuccessNotifySignature };

package/dist/index.d.ts

@@ -57,6 +57,21 @@ interface GetOrderResult {
     currency: string;
     raw: Record<string, unknown>;
 }
+declare const PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER = "X-Payment-Gateway-Signature";
+interface PaymentSuccessNotifyPayload {
+    platformOrderId: string;
+    bizOrderId: string;
+    status: "succeeded";
+    amount: number;
+    currency: string;
+    providerId: string;
+    providerOrderId?: string;
+    timestamp: string;
+    paidAt: string;
+}
+declare function verifySuccessNotifySignature(rawBody: string, signature: string | null | undefined, secret: string): Promise<boolean>;
+declare function parseSuccessNotifyPayload(rawBody: string): PaymentSuccessNotifyPayload;
+declare function verifyAndParseSuccessNotifyRequest(request: Request, secret: string): Promise<PaymentSuccessNotifyPayload>;
 interface PaymentGatewayClient {
     createOrder(params: CreateOrderParams): Promise<CreateOrderResult>;
     getOrder(platformOrderId: string): Promise<GetOrderResult>;
@@ -92,4 +107,4 @@ interface CapabilityExecuteResponse<Data = unknown> {
  */
 declare function executeCapability<Result = unknown>(capabilityName: string, param?: unknown, options?: ExecuteCapabilityOptions): Promise<Result | undefined>;
 
-export { type AuthUser, type CapabilityExecuteResponse, type CreateOrderParams, type CreateOrderResult, type ExecuteCapabilityOptions, type GetAvailableProvidersOptions, type GetOrderResult, type PaymentGatewayClient, type PaymentGatewayClientOptions, type PaymentPlatform, createPaymentClient, executeCapability, filterProvidersByPlatform, getAvailableProviders, getConfiguredProviders, getDb, getPayment, getRequestUser, providerSupportedPlatforms };
+export { type AuthUser, type CapabilityExecuteResponse, type CreateOrderParams, type CreateOrderResult, type ExecuteCapabilityOptions, type GetAvailableProvidersOptions, type GetOrderResult, PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER, type PaymentGatewayClient, type PaymentGatewayClientOptions, type PaymentPlatform, type PaymentSuccessNotifyPayload, createPaymentClient, executeCapability, filterProvidersByPlatform, getAvailableProviders, getConfiguredProviders, getDb, getPayment, getRequestUser, parseSuccessNotifyPayload, providerSupportedPlatforms, verifyAndParseSuccessNotifyRequest, verifySuccessNotifySignature };

package/dist/index.js

@@ -30,6 +30,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER: () => PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER,
   createPaymentClient: () => createPaymentClient,
   executeCapability: () => executeCapability,
   filterProvidersByPlatform: () => filterProvidersByPlatform,
@@ -38,7 +39,10 @@ __export(index_exports, {
   getDb: () => getDb,
   getPayment: () => getPayment,
   getRequestUser: () => getRequestUser,
-  providerSupportedPlatforms: () => providerSupportedPlatforms
+  parseSuccessNotifyPayload: () => parseSuccessNotifyPayload,
+  providerSupportedPlatforms: () => providerSupportedPlatforms,
+  verifyAndParseSuccessNotifyRequest: () => verifyAndParseSuccessNotifyRequest,
+  verifySuccessNotifySignature: () => verifySuccessNotifySignature
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -103,6 +107,69 @@ var PROVIDER_SUPPORTED_PLATFORMS = {
   "alipay-miniprogram": ["alipay-miniprogram"],
   "stripe": ["web"]
 };
+var PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER = "X-Payment-Gateway-Signature";
+function decodeBase64ToBytes(input) {
+  try {
+    return Uint8Array.from(atob(input), (char) => char.charCodeAt(0));
+  } catch {
+    throw new Error("Invalid base64 signature");
+  }
+}
+function isPaymentSuccessNotifyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const payload = value;
+  return typeof payload.platformOrderId === "string" && payload.platformOrderId.length > 0 && typeof payload.bizOrderId === "string" && payload.bizOrderId.length > 0 && payload.status === "succeeded" && typeof payload.amount === "number" && Number.isFinite(payload.amount) && typeof payload.currency === "string" && payload.currency.length > 0 && typeof payload.providerId === "string" && payload.providerId.length > 0 && typeof payload.timestamp === "string" && payload.timestamp.length > 0 && typeof payload.paidAt === "string" && payload.paidAt.length > 0 && (payload.providerOrderId == null || typeof payload.providerOrderId === "string");
+}
+async function signHmacSha256Bytes(message, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(message)
+  );
+  return new Uint8Array(signature);
+}
+function timingSafeEqualBytes(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i += 1) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+async function verifySuccessNotifySignature(rawBody, signature, secret) {
+  if (!signature || !secret) return false;
+  const expected = await signHmacSha256Bytes(rawBody, secret);
+  const actual = decodeBase64ToBytes(signature);
+  return timingSafeEqualBytes(expected, actual);
+}
+function parseSuccessNotifyPayload(rawBody) {
+  let parsed;
+  try {
+    parsed = JSON.parse(rawBody);
+  } catch {
+    throw new Error("Invalid success notify JSON body");
+  }
+  if (!isPaymentSuccessNotifyPayload(parsed)) {
+    throw new Error("Invalid success notify payload");
+  }
+  return parsed;
+}
+async function verifyAndParseSuccessNotifyRequest(request, secret) {
+  const rawBody = await request.text();
+  const signature = request.headers.get(PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER);
+  const verified = await verifySuccessNotifySignature(rawBody, signature, secret);
+  if (!verified) {
+    throw new Error("Invalid payment notify signature");
+  }
+  return parseSuccessNotifyPayload(rawBody);
+}
 function resolveBaseUrl(explicit) {
   const url = explicit ?? getEnv("PAYMENT_GATEWAY_URL");
   if (!url) throw new Error("PAYMENT_GATEWAY_URL is not set; payment gateway client requires it");
@@ -303,6 +370,7 @@ ${projectCode}`;
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER,
   createPaymentClient,
   executeCapability,
   filterProvidersByPlatform,
@@ -311,5 +379,8 @@ ${projectCode}`;
   getDb,
   getPayment,
   getRequestUser,
-  providerSupportedPlatforms
+  parseSuccessNotifyPayload,
+  providerSupportedPlatforms,
+  verifyAndParseSuccessNotifyRequest,
+  verifySuccessNotifySignature
 });

package/dist/index.mjs

@@ -59,6 +59,69 @@ var PROVIDER_SUPPORTED_PLATFORMS = {
   "alipay-miniprogram": ["alipay-miniprogram"],
   "stripe": ["web"]
 };
+var PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER = "X-Payment-Gateway-Signature";
+function decodeBase64ToBytes(input) {
+  try {
+    return Uint8Array.from(atob(input), (char) => char.charCodeAt(0));
+  } catch {
+    throw new Error("Invalid base64 signature");
+  }
+}
+function isPaymentSuccessNotifyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const payload = value;
+  return typeof payload.platformOrderId === "string" && payload.platformOrderId.length > 0 && typeof payload.bizOrderId === "string" && payload.bizOrderId.length > 0 && payload.status === "succeeded" && typeof payload.amount === "number" && Number.isFinite(payload.amount) && typeof payload.currency === "string" && payload.currency.length > 0 && typeof payload.providerId === "string" && payload.providerId.length > 0 && typeof payload.timestamp === "string" && payload.timestamp.length > 0 && typeof payload.paidAt === "string" && payload.paidAt.length > 0 && (payload.providerOrderId == null || typeof payload.providerOrderId === "string");
+}
+async function signHmacSha256Bytes(message, secret) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    new TextEncoder().encode(message)
+  );
+  return new Uint8Array(signature);
+}
+function timingSafeEqualBytes(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i += 1) {
+    diff |= a[i] ^ b[i];
+  }
+  return diff === 0;
+}
+async function verifySuccessNotifySignature(rawBody, signature, secret) {
+  if (!signature || !secret) return false;
+  const expected = await signHmacSha256Bytes(rawBody, secret);
+  const actual = decodeBase64ToBytes(signature);
+  return timingSafeEqualBytes(expected, actual);
+}
+function parseSuccessNotifyPayload(rawBody) {
+  let parsed;
+  try {
+    parsed = JSON.parse(rawBody);
+  } catch {
+    throw new Error("Invalid success notify JSON body");
+  }
+  if (!isPaymentSuccessNotifyPayload(parsed)) {
+    throw new Error("Invalid success notify payload");
+  }
+  return parsed;
+}
+async function verifyAndParseSuccessNotifyRequest(request, secret) {
+  const rawBody = await request.text();
+  const signature = request.headers.get(PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER);
+  const verified = await verifySuccessNotifySignature(rawBody, signature, secret);
+  if (!verified) {
+    throw new Error("Invalid payment notify signature");
+  }
+  return parseSuccessNotifyPayload(rawBody);
+}
 function resolveBaseUrl(explicit) {
   const url = explicit ?? getEnv("PAYMENT_GATEWAY_URL");
   if (!url) throw new Error("PAYMENT_GATEWAY_URL is not set; payment gateway client requires it");
@@ -258,6 +321,7 @@ ${projectCode}`;
   return responseBody.data;
 }
 export {
+  PAYMENT_SUCCESS_NOTIFY_SIGNATURE_HEADER,
   createPaymentClient,
   executeCapability,
   filterProvidersByPlatform,
@@ -266,5 +330,8 @@ export {
   getDb,
   getPayment,
   getRequestUser,
-  providerSupportedPlatforms
+  parseSuccessNotifyPayload,
+  providerSupportedPlatforms,
+  verifyAndParseSuccessNotifyRequest,
+  verifySuccessNotifySignature
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nvwa-app/sdk-functions",
-  "version": "6.1.0",
+  "version": "6.3.0",
   "description": "NVWA Edge Functions SDK: db, payment gateway, auth, provider list. Use in Deno: import from 'npm:@nvwa-app/sdk-functions'.",
   "main": "dist/index.js",
   "module": "dist/index.mjs",