@pluv/platform-pluv 0.38.3 → 0.38.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @pluv/platform-pluv@0.38.3 build /home/runner/work/pluv/pluv/packages/platform-pluv
+> @pluv/platform-pluv@0.38.4 build /home/runner/work/pluv/pluv/packages/platform-pluv
 > tsup src/index.ts --format esm,cjs --dts
 
 CLI Building entry: src/index.ts
@@ -8,11 +8,11 @@
 CLI Target: es6
 ESM Build start
 CJS Build start
-ESM dist/index.mjs 9.86 KB
-ESM ⚡️ Build success in 80ms
-CJS dist/index.js 11.40 KB
+ESM dist/index.mjs 10.13 KB
+ESM ⚡️ Build success in 87ms
+CJS dist/index.js 11.66 KB
 CJS ⚡️ Build success in 88ms
 DTS Build start
-DTS ⚡️ Build success in 6145ms
+DTS ⚡️ Build success in 6854ms
 DTS dist/index.d.mts 3.56 KB
 DTS dist/index.d.ts  3.56 KB

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pluv/platform-pluv
 
+## 0.38.4
+
+### Patch Changes
+
+- 15399b7: Fix webhook signature validation.
+  - @pluv/crdt@0.38.4
+  - @pluv/io@0.38.4
+  - @pluv/types@0.38.4
+
 ## 0.38.3
 
 ### Patch Changes

package/dist/index.js

@@ -75,6 +75,7 @@ var import_fast_json_stable_stringify = __toESM(require("fast-json-stable-string
 var import_hono = require("hono");
 
 // src/constants.ts
+var SIGNATURE_ALGORITHM = "sha256";
 var SIGNATURE_HEADER = "x-pluv-signature-256";
 
 // src/schemas.ts
@@ -214,9 +215,11 @@ var PluvPlatform = class extends import_io.AbstractPlatform {
       return token;
     });
     this._webhooks = new import_hono.Hono().basePath("/").post("/", (c) => __async(this, null, function* () {
-      var _a, _b, _c, _d, _e;
-      const signature = c.req.header(SIGNATURE_HEADER);
-      if (!this._webhookSecret || !signature) return c.json({ error: "Unauthorized" }, 401);
+      var _a, _b, _c, _d, _e, _f, _g;
+      const [algorithm, signature] = (_b = (_a = c.req.header(SIGNATURE_HEADER)) == null ? void 0 : _a.split("=")) != null ? _b : [];
+      if (!this._webhookSecret) return c.json({ error: "Unauthorized" }, 401);
+      if (algorithm !== SIGNATURE_ALGORITHM) return c.json({ error: "Unauthorized" }, 401);
+      if (!signature) return c.json({ error: "Unauthorized" }, 401);
       const payload = yield c.req.json();
       const verified = yield verifyWebhook({
         payload: (0, import_fast_json_stable_stringify.default)(payload),
@@ -230,26 +233,26 @@ var PluvPlatform = class extends import_io.AbstractPlatform {
       switch (event) {
         case "initial-storage": {
           const room = data.room;
-          const storage = typeof room === "string" ? (_b = yield (_a = this._getInitialStorage) == null ? void 0 : _a.call(this, { context: {}, room })) != null ? _b : null : null;
+          const storage = typeof room === "string" ? (_d = yield (_c = this._getInitialStorage) == null ? void 0 : _c.call(this, { context: {}, room })) != null ? _d : null : null;
           return c.json({ data: { storage } }, 200);
         }
         case "room-deleted": {
           const room = data.room;
           const encodedState = data.storage;
-          yield Promise.resolve((_c = this._listeners) == null ? void 0 : _c.onRoomDeleted({ encodedState, room }));
+          yield Promise.resolve((_e = this._listeners) == null ? void 0 : _e.onRoomDeleted({ encodedState, room }));
           return c.json({ data: { room } }, 200);
         }
         case "user-connected": {
           const room = data.room;
           const encodedState = data.storage;
           const user = data.user;
-          yield Promise.resolve((_d = this._listeners) == null ? void 0 : _d.onUserConnected({ encodedState, room, user }));
+          yield Promise.resolve((_f = this._listeners) == null ? void 0 : _f.onUserConnected({ encodedState, room, user }));
         }
         case "user-disconnected": {
           const room = data.room;
           const encodedState = data.storage;
           const user = data.user;
-          yield Promise.resolve((_e = this._listeners) == null ? void 0 : _e.onUserDisconnected({ encodedState, room, user }));
+          yield Promise.resolve((_g = this._listeners) == null ? void 0 : _g.onUserDisconnected({ encodedState, room, user }));
         }
         default:
           return c.json({ data: { ok: true } }, 200);

package/dist/index.mjs

@@ -47,6 +47,7 @@ import stringify from "fast-json-stable-stringify";
 import { Hono } from "hono";
 
 // src/constants.ts
+var SIGNATURE_ALGORITHM = "sha256";
 var SIGNATURE_HEADER = "x-pluv-signature-256";
 
 // src/schemas.ts
@@ -186,9 +187,11 @@ var PluvPlatform = class extends AbstractPlatform {
       return token;
     });
     this._webhooks = new Hono().basePath("/").post("/", (c) => __async(this, null, function* () {
-      var _a, _b, _c, _d, _e;
-      const signature = c.req.header(SIGNATURE_HEADER);
-      if (!this._webhookSecret || !signature) return c.json({ error: "Unauthorized" }, 401);
+      var _a, _b, _c, _d, _e, _f, _g;
+      const [algorithm, signature] = (_b = (_a = c.req.header(SIGNATURE_HEADER)) == null ? void 0 : _a.split("=")) != null ? _b : [];
+      if (!this._webhookSecret) return c.json({ error: "Unauthorized" }, 401);
+      if (algorithm !== SIGNATURE_ALGORITHM) return c.json({ error: "Unauthorized" }, 401);
+      if (!signature) return c.json({ error: "Unauthorized" }, 401);
       const payload = yield c.req.json();
       const verified = yield verifyWebhook({
         payload: stringify(payload),
@@ -202,26 +205,26 @@ var PluvPlatform = class extends AbstractPlatform {
       switch (event) {
         case "initial-storage": {
           const room = data.room;
-          const storage = typeof room === "string" ? (_b = yield (_a = this._getInitialStorage) == null ? void 0 : _a.call(this, { context: {}, room })) != null ? _b : null : null;
+          const storage = typeof room === "string" ? (_d = yield (_c = this._getInitialStorage) == null ? void 0 : _c.call(this, { context: {}, room })) != null ? _d : null : null;
           return c.json({ data: { storage } }, 200);
         }
         case "room-deleted": {
           const room = data.room;
           const encodedState = data.storage;
-          yield Promise.resolve((_c = this._listeners) == null ? void 0 : _c.onRoomDeleted({ encodedState, room }));
+          yield Promise.resolve((_e = this._listeners) == null ? void 0 : _e.onRoomDeleted({ encodedState, room }));
           return c.json({ data: { room } }, 200);
         }
         case "user-connected": {
           const room = data.room;
           const encodedState = data.storage;
           const user = data.user;
-          yield Promise.resolve((_d = this._listeners) == null ? void 0 : _d.onUserConnected({ encodedState, room, user }));
+          yield Promise.resolve((_f = this._listeners) == null ? void 0 : _f.onUserConnected({ encodedState, room, user }));
         }
         case "user-disconnected": {
           const room = data.room;
           const encodedState = data.storage;
           const user = data.user;
-          yield Promise.resolve((_e = this._listeners) == null ? void 0 : _e.onUserDisconnected({ encodedState, room, user }));
+          yield Promise.resolve((_g = this._listeners) == null ? void 0 : _g.onUserDisconnected({ encodedState, room, user }));
         }
         default:
           return c.json({ data: { ok: true } }, 200);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pluv/platform-pluv",
-  "version": "0.38.3",
+  "version": "0.38.4",
   "description": "@pluv/io adapter for pluv.io",
   "author": "leedavidcs",
   "license": "MIT",
@@ -21,16 +21,16 @@
     "fast-json-stable-stringify": "^2.1.0",
     "hono": "^4.7.4",
     "zod": "^3.24.2",
-    "@pluv/crdt": "^0.38.3",
-    "@pluv/io": "^0.38.3",
-    "@pluv/types": "^0.38.3"
+    "@pluv/crdt": "^0.38.4",
+    "@pluv/io": "^0.38.4",
+    "@pluv/types": "^0.38.4"
   },
   "devDependencies": {
     "eslint": "^8.57.1",
     "tsup": "^8.4.0",
     "typescript": "^5.8.2",
-    "@pluv/tsconfig": "^0.38.3",
-    "eslint-config-pluv": "^0.38.3"
+    "@pluv/tsconfig": "^0.38.4",
+    "eslint-config-pluv": "^0.38.4"
   },
   "scripts": {
     "build": "tsup src/index.ts --format esm,cjs --dts",

package/src/PluvPlatform.ts

@@ -9,7 +9,7 @@ import type {
 import { AbstractPlatform } from "@pluv/io";
 import stringify from "fast-json-stable-stringify";
 import { Hono } from "hono";
-import { SIGNATURE_HEADER } from "./constants";
+import { SIGNATURE_ALGORITHM, SIGNATURE_HEADER } from "./constants";
 import { ZodEvent } from "./schemas";
 import { verifyWebhook } from "./shared";
 import type { PluvIOEndpoints, PluvIOListeners } from "./types";
@@ -183,9 +183,11 @@ export class PluvPlatform extends AbstractPlatform<
     }
 
     private _webhooks = new Hono().basePath("/").post("/", async (c) => {
-        const signature = c.req.header(SIGNATURE_HEADER);
+        const [algorithm, signature] = c.req.header(SIGNATURE_HEADER)?.split("=") ?? [];
 
-        if (!this._webhookSecret || !signature) return c.json({ error: "Unauthorized" }, 401);
+        if (!this._webhookSecret) return c.json({ error: "Unauthorized" }, 401);
+        if (algorithm !== SIGNATURE_ALGORITHM) return c.json({ error: "Unauthorized" }, 401);
+        if (!signature) return c.json({ error: "Unauthorized" }, 401);
 
         const payload = await c.req.json();
 

package/src/constants.ts

@@ -1 +1,2 @@
+export const SIGNATURE_ALGORITHM = "sha256";
 export const SIGNATURE_HEADER = "x-pluv-signature-256";