@pierre/storage 0.9.2 → 1.0.0

package/src/util.ts

@@ -1,44 +1,51 @@
-export function timingSafeEqual(a: string | Uint8Array, b: string | Uint8Array): boolean {
-	const bufferA = typeof a === 'string' ? new TextEncoder().encode(a) : a;
-	const bufferB = typeof b === 'string' ? new TextEncoder().encode(b) : b;
+export function timingSafeEqual(
+  a: string | Uint8Array,
+  b: string | Uint8Array
+): boolean {
+  const bufferA = typeof a === 'string' ? new TextEncoder().encode(a) : a;
+  const bufferB = typeof b === 'string' ? new TextEncoder().encode(b) : b;
 
-	if (bufferA.length !== bufferB.length) return false;
+  if (bufferA.length !== bufferB.length) return false;
 
-	let result = 0;
-	for (let i = 0; i < bufferA.length; i++) {
-		result |= bufferA[i] ^ bufferB[i];
-	}
-	return result === 0;
+  let result = 0;
+  for (let i = 0; i < bufferA.length; i++) {
+    result |= bufferA[i] ^ bufferB[i];
+  }
+  return result === 0;
 }
 
 export async function getEnvironmentCrypto() {
-	if (!globalThis.crypto) {
-		const { webcrypto } = await import('node:crypto');
-		return webcrypto;
-	}
-	return globalThis.crypto;
+  if (!globalThis.crypto) {
+    const { webcrypto } = await import('node:crypto');
+    return webcrypto;
+  }
+  return globalThis.crypto;
 }
 
-export async function createHmac(algorithm: string, secret: string, data: string): Promise<string> {
-	if (algorithm !== 'sha256') {
-		throw new Error('Only sha256 algorithm is supported');
-	}
-	if (!secret || secret.length === 0) {
-		throw new Error('Secret is required');
-	}
+export async function createHmac(
+  algorithm: string,
+  secret: string,
+  data: string
+): Promise<string> {
+  if (algorithm !== 'sha256') {
+    throw new Error('Only sha256 algorithm is supported');
+  }
+  if (!secret || secret.length === 0) {
+    throw new Error('Secret is required');
+  }
 
-	const crypto = await getEnvironmentCrypto();
-	const encoder = new TextEncoder();
-	const key = await crypto.subtle.importKey(
-		'raw',
-		encoder.encode(secret),
-		{ name: 'HMAC', hash: 'SHA-256' },
-		false,
-		['sign'],
-	);
+  const crypto = await getEnvironmentCrypto();
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
 
-	const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
-	return Array.from(new Uint8Array(signature))
-		.map((b) => b.toString(16).padStart(2, '0'))
-		.join('');
+  const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+  return Array.from(new Uint8Array(signature))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
 }

package/src/version.ts

@@ -4,5 +4,5 @@ export const PACKAGE_NAME = 'code-storage-sdk';
 export const PACKAGE_VERSION = packageJson.version;
 
 export function getUserAgent(): string {
-	return `${PACKAGE_NAME}/${PACKAGE_VERSION}`;
+  return `${PACKAGE_NAME}/${PACKAGE_VERSION}`;
 }

package/src/webhook.ts

@@ -1,16 +1,14 @@
 /**
  * Webhook validation utilities for Pierre Git Storage
  */
-
 import type {
-	ParsedWebhookSignature,
-	RawWebhookPushEvent,
-	WebhookEventPayload,
-	WebhookPushEvent,
-	WebhookValidationOptions,
-	WebhookValidationResult,
+  ParsedWebhookSignature,
+  RawWebhookPushEvent,
+  WebhookEventPayload,
+  WebhookPushEvent,
+  WebhookValidationOptions,
+  WebhookValidationResult,
 } from './types';
-
 import { createHmac, timingSafeEqual } from './util';
 
 const DEFAULT_MAX_AGE_SECONDS = 300; // 5 minutes
@@ -19,39 +17,41 @@ const DEFAULT_MAX_AGE_SECONDS = 300; // 5 minutes
  * Parse the X-Pierre-Signature header
  * Format: t=<timestamp>,sha256=<signature>
  */
-export function parseSignatureHeader(header: string): ParsedWebhookSignature | null {
-	if (!header || typeof header !== 'string') {
-		return null;
-	}
-
-	let timestamp = '';
-	let signature = '';
-
-	// Split by comma and parse each element
-	const elements = header.split(',');
-	for (const element of elements) {
-		const trimmedElement = element.trim();
-		const parts = trimmedElement.split('=', 2);
-		if (parts.length !== 2) {
-			continue;
-		}
-
-		const [key, value] = parts;
-		switch (key) {
-			case 't':
-				timestamp = value;
-				break;
-			case 'sha256':
-				signature = value;
-				break;
-		}
-	}
-
-	if (!timestamp || !signature) {
-		return null;
-	}
-
-	return { timestamp, signature };
+export function parseSignatureHeader(
+  header: string
+): ParsedWebhookSignature | null {
+  if (!header || typeof header !== 'string') {
+    return null;
+  }
+
+  let timestamp = '';
+  let signature = '';
+
+  // Split by comma and parse each element
+  const elements = header.split(',');
+  for (const element of elements) {
+    const trimmedElement = element.trim();
+    const parts = trimmedElement.split('=', 2);
+    if (parts.length !== 2) {
+      continue;
+    }
+
+    const [key, value] = parts;
+    switch (key) {
+      case 't':
+        timestamp = value;
+        break;
+      case 'sha256':
+        signature = value;
+        break;
+    }
+  }
+
+  if (!timestamp || !signature) {
+    return null;
+  }
+
+  return { timestamp, signature };
 }
 
 /**
@@ -78,94 +78,95 @@ export function parseSignatureHeader(header: string): ParsedWebhookSignature | n
  * ```
  */
 export async function validateWebhookSignature(
-	payload: string | Buffer,
-	signatureHeader: string,
-	secret: string,
-	options: WebhookValidationOptions = {},
+  payload: string | Buffer,
+  signatureHeader: string,
+  secret: string,
+  options: WebhookValidationOptions = {}
 ): Promise<WebhookValidationResult> {
-	if (!secret || secret.length === 0) {
-		return {
-			valid: false,
-			error: 'Empty secret is not allowed',
-		};
-	}
-
-	// Parse the signature header
-	const parsed = parseSignatureHeader(signatureHeader);
-	if (!parsed) {
-		return {
-			valid: false,
-			error: 'Invalid signature header format',
-		};
-	}
-
-	// Parse timestamp
-	const timestamp = Number.parseInt(parsed.timestamp, 10);
-	if (isNaN(timestamp)) {
-		return {
-			valid: false,
-			error: 'Invalid timestamp in signature',
-		};
-	}
-
-	// Validate timestamp age (prevent replay attacks)
-	const maxAge = options.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS;
-	if (maxAge > 0) {
-		const now = Math.floor(Date.now() / 1000);
-		const age = now - timestamp;
-
-		if (age > maxAge) {
-			return {
-				valid: false,
-				error: `Webhook timestamp too old (${age} seconds)`,
-				timestamp,
-			};
-		}
-
-		// Also reject timestamps from the future (clock skew tolerance of 60 seconds)
-		if (age < -60) {
-			return {
-				valid: false,
-				error: 'Webhook timestamp is in the future',
-				timestamp,
-			};
-		}
-	}
-
-	// Convert payload to string if it's a Buffer
-	const payloadStr = typeof payload === 'string' ? payload : payload.toString('utf8');
-
-	// Compute expected signature
-	// Format: HMAC-SHA256(secret, timestamp + "." + payload)
-	const signedData = `${parsed.timestamp}.${payloadStr}`;
-	const expectedSignature = await createHmac('sha256', secret, signedData);
-
-	// Compare signatures using constant-time comparison
-	const expectedBuffer = Buffer.from(expectedSignature);
-	const actualBuffer = Buffer.from(parsed.signature);
-
-	// Ensure both buffers are the same length for timing-safe comparison
-	if (expectedBuffer.length !== actualBuffer.length) {
-		return {
-			valid: false,
-			error: 'Invalid signature',
-			timestamp,
-		};
-	}
-
-	const signaturesMatch = timingSafeEqual(expectedBuffer, actualBuffer);
-	if (!signaturesMatch) {
-		return {
-			valid: false,
-			error: 'Invalid signature',
-			timestamp,
-		};
-	}
-
-	return {
-		valid: true,
-		timestamp,
-	};
+  if (!secret || secret.length === 0) {
+    return {
+      valid: false,
+      error: 'Empty secret is not allowed',
+    };
+  }
+
+  // Parse the signature header
+  const parsed = parseSignatureHeader(signatureHeader);
+  if (!parsed) {
+    return {
+      valid: false,
+      error: 'Invalid signature header format',
+    };
+  }
+
+  // Parse timestamp
+  const timestamp = Number.parseInt(parsed.timestamp, 10);
+  if (isNaN(timestamp)) {
+    return {
+      valid: false,
+      error: 'Invalid timestamp in signature',
+    };
+  }
+
+  // Validate timestamp age (prevent replay attacks)
+  const maxAge = options.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS;
+  if (maxAge > 0) {
+    const now = Math.floor(Date.now() / 1000);
+    const age = now - timestamp;
+
+    if (age > maxAge) {
+      return {
+        valid: false,
+        error: `Webhook timestamp too old (${age} seconds)`,
+        timestamp,
+      };
+    }
+
+    // Also reject timestamps from the future (clock skew tolerance of 60 seconds)
+    if (age < -60) {
+      return {
+        valid: false,
+        error: 'Webhook timestamp is in the future',
+        timestamp,
+      };
+    }
+  }
+
+  // Convert payload to string if it's a Buffer
+  const payloadStr =
+    typeof payload === 'string' ? payload : payload.toString('utf8');
+
+  // Compute expected signature
+  // Format: HMAC-SHA256(secret, timestamp + "." + payload)
+  const signedData = `${parsed.timestamp}.${payloadStr}`;
+  const expectedSignature = await createHmac('sha256', secret, signedData);
+
+  // Compare signatures using constant-time comparison
+  const expectedBuffer = Buffer.from(expectedSignature);
+  const actualBuffer = Buffer.from(parsed.signature);
+
+  // Ensure both buffers are the same length for timing-safe comparison
+  if (expectedBuffer.length !== actualBuffer.length) {
+    return {
+      valid: false,
+      error: 'Invalid signature',
+      timestamp,
+    };
+  }
+
+  const signaturesMatch = timingSafeEqual(expectedBuffer, actualBuffer);
+  if (!signaturesMatch) {
+    return {
+      valid: false,
+      error: 'Invalid signature',
+      timestamp,
+    };
+  }
+
+  return {
+    valid: true,
+    timestamp,
+  };
 }
 
 /**
@@ -196,128 +197,132 @@ export async function validateWebhookSignature(
  * ```
  */
 export async function validateWebhook(
-	payload: string | Buffer,
-	headers: Record<string, string | string[] | undefined>,
-	secret: string,
-	options: WebhookValidationOptions = {},
+  payload: string | Buffer,
+  headers: Record<string, string | string[] | undefined>,
+  secret: string,
+  options: WebhookValidationOptions = {}
 ): Promise<WebhookValidationResult & { payload?: WebhookEventPayload }> {
-	// Get signature header
-	const signatureHeader = headers['x-pierre-signature'] || headers['X-Pierre-Signature'];
-	if (!signatureHeader || Array.isArray(signatureHeader)) {
-		return {
-			valid: false,
-			error: 'Missing or invalid X-Pierre-Signature header',
-		};
-	}
-
-	// Get event type header
-	const eventType = headers['x-pierre-event'] || headers['X-Pierre-Event'];
-	if (!eventType || Array.isArray(eventType)) {
-		return {
-			valid: false,
-			error: 'Missing or invalid X-Pierre-Event header',
-		};
-	}
-
-	// Validate signature
-	const validationResult = await validateWebhookSignature(
-		payload,
-		signatureHeader,
-		secret,
-		options,
-	);
-
-	if (!validationResult.valid) {
-		return validationResult;
-	}
-
-	// Parse payload
-	const payloadStr = typeof payload === 'string' ? payload : payload.toString('utf8');
-	let parsedJson: unknown;
-	try {
-		parsedJson = JSON.parse(payloadStr);
-	} catch {
-		return {
-			valid: false,
-			error: 'Invalid JSON payload',
-			timestamp: validationResult.timestamp,
-		};
-	}
-
-	const conversion = convertWebhookPayload(String(eventType), parsedJson);
-	if (!conversion.valid) {
-		return {
-			valid: false,
-			error: conversion.error,
-			timestamp: validationResult.timestamp,
-		};
-	}
-
-	return {
-		valid: true,
-		eventType,
-		timestamp: validationResult.timestamp,
-		payload: conversion.payload,
-	};
+  // Get signature header
+  const signatureHeader =
+    headers['x-pierre-signature'] || headers['X-Pierre-Signature'];
+  if (!signatureHeader || Array.isArray(signatureHeader)) {
+    return {
+      valid: false,
+      error: 'Missing or invalid X-Pierre-Signature header',
+    };
+  }
+
+  // Get event type header
+  const eventType = headers['x-pierre-event'] || headers['X-Pierre-Event'];
+  if (!eventType || Array.isArray(eventType)) {
+    return {
+      valid: false,
+      error: 'Missing or invalid X-Pierre-Event header',
+    };
+  }
+
+  // Validate signature
+  const validationResult = await validateWebhookSignature(
+    payload,
+    signatureHeader,
+    secret,
+    options
+  );
+
+  if (!validationResult.valid) {
+    return validationResult;
+  }
+
+  // Parse payload
+  const payloadStr =
+    typeof payload === 'string' ? payload : payload.toString('utf8');
+  let parsedJson: unknown;
+  try {
+    parsedJson = JSON.parse(payloadStr);
+  } catch {
+    return {
+      valid: false,
+      error: 'Invalid JSON payload',
+      timestamp: validationResult.timestamp,
+    };
+  }
+
+  const conversion = convertWebhookPayload(String(eventType), parsedJson);
+  if (!conversion.valid) {
+    return {
+      valid: false,
+      error: conversion.error,
+      timestamp: validationResult.timestamp,
+    };
+  }
+
+  return {
+    valid: true,
+    eventType,
+    timestamp: validationResult.timestamp,
+    payload: conversion.payload,
+  };
 }
 
 function convertWebhookPayload(
-	eventType: string,
-	raw: unknown,
-): { valid: true; payload: WebhookEventPayload } | { valid: false; error: string } {
-	if (eventType === 'push') {
-		if (!isRawWebhookPushEvent(raw)) {
-			return {
-				valid: false,
-				error: 'Invalid push payload',
-			};
-		}
-		return {
-			valid: true,
-			payload: transformPushEvent(raw),
-		};
-	}
-	const fallbackPayload = { type: eventType, raw };
-	return {
-		valid: true,
-		payload: fallbackPayload,
-	};
+  eventType: string,
+  raw: unknown
+):
+  | { valid: true; payload: WebhookEventPayload }
+  | { valid: false; error: string } {
+  if (eventType === 'push') {
+    if (!isRawWebhookPushEvent(raw)) {
+      return {
+        valid: false,
+        error: 'Invalid push payload',
+      };
+    }
+    return {
+      valid: true,
+      payload: transformPushEvent(raw),
+    };
+  }
+  const fallbackPayload = { type: eventType, raw };
+  return {
+    valid: true,
+    payload: fallbackPayload,
+  };
 }
 
 function transformPushEvent(raw: RawWebhookPushEvent): WebhookPushEvent {
-	return {
-		type: 'push' as const,
-		repository: {
-			id: raw.repository.id,
-			url: raw.repository.url,
-		},
-		ref: raw.ref,
-		before: raw.before,
-		after: raw.after,
-		customerId: raw.customer_id,
-		pushedAt: new Date(raw.pushed_at),
-		rawPushedAt: raw.pushed_at,
-	};
+  return {
+    type: 'push' as const,
+    repository: {
+      id: raw.repository.id,
+      url: raw.repository.url,
+    },
+    ref: raw.ref,
+    before: raw.before,
+    after: raw.after,
+    customerId: raw.customer_id,
+    pushedAt: new Date(raw.pushed_at),
+    rawPushedAt: raw.pushed_at,
+  };
 }
 
 function isRawWebhookPushEvent(value: unknown): value is RawWebhookPushEvent {
-	if (!isRecord(value)) {
-		return false;
-	}
-	if (!isRecord(value.repository)) {
-		return false;
-	}
-	return (
-		typeof value.repository.id === 'string' &&
-		typeof value.repository.url === 'string' &&
-		typeof value.ref === 'string' &&
-		typeof value.before === 'string' &&
-		typeof value.after === 'string' &&
-		typeof value.customer_id === 'string' &&
-		typeof value.pushed_at === 'string'
-	);
+  if (!isRecord(value)) {
+    return false;
+  }
+  if (!isRecord(value.repository)) {
+    return false;
+  }
+  return (
+    typeof value.repository.id === 'string' &&
+    typeof value.repository.url === 'string' &&
+    typeof value.ref === 'string' &&
+    typeof value.before === 'string' &&
+    typeof value.after === 'string' &&
+    typeof value.customer_id === 'string' &&
+    typeof value.pushed_at === 'string'
+  );
 }
 
 function isRecord(value: unknown): value is Record<string, unknown> {
-	return typeof value === 'object' && value !== null;
+  return typeof value === 'object' && value !== null;
 }