npm - @qodfy/core - Versions diffs - 0.1.5 → 0.1.6 - Mend

@qodfy/core 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +77 -29
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -236,26 +236,14 @@ async function scanProject(projectPath) {
         });
       }
     }
-    const isStripeWebhook = isStripeWebhookRoute(relativeFile, content);
-    const hasStripeSignatureVerification = hasStripeWebhookSignatureVerification(content);
-    const isClerkWebhook = isClerkWebhookRoute(relativeFile, content);
-    const hasClerkSignatureVerification = hasClerkWebhookSignatureVerification(content);
-    if (isStripeWebhook && !hasStripeSignatureVerification) {
+    const webhookRouteInfo = apiRouteSet.has(file) ? getWebhookRouteInfo(relativeFile, content) : null;
+    if (webhookRouteInfo && !hasWebhookSignatureVerification(content, webhookRouteInfo.provider)) {
       issues.push({
-        severity: "critical",
-        title: "Stripe webhook may be missing signature verification",
-        message: "This Stripe webhook route does not appear to verify the Stripe signature before handling the event.",
+        severity: webhookRouteInfo.confidence === "high" ? "critical" : "warning",
+        title: "Webhook route may be missing signature verification",
+        message: "This webhook route appears to handle external events, but Qodfy could not find signature verification before the event is handled.",
         file: relativeFile,
-        suggestion: "Use stripe.webhooks.constructEvent with the raw request body, Stripe-Signature header, and STRIPE_WEBHOOK_SECRET."
-      });
-    }
-    if (isClerkWebhook && !hasClerkSignatureVerification) {
-      issues.push({
-        severity: "critical",
-        title: "Clerk webhook may be missing signature verification",
-        message: "This Clerk webhook route does not appear to verify the webhook signature before handling the event.",
-        file: relativeFile,
-        suggestion: "Use svix Webhook(...).verify(...) with CLERK_WEBHOOK_SECRET and Clerk webhook headers."
+        suggestion: getWebhookSignatureSuggestion(webhookRouteInfo.provider)
       });
     }
     for (const secretMatch of getHardcodedSecretMatches(content)) {
@@ -274,7 +262,7 @@ async function scanProject(projectPath) {
     }
     if (apiRouteSet.has(file)) {
       const hasAuth = content.includes("auth(") || content.includes("getServerSession") || content.includes("currentUser") || content.includes("clerkClient") || content.includes("session");
-      if (!hasAuth && !isStripeWebhook && !isClerkWebhook) {
+      if (!hasAuth && !webhookRouteInfo) {
         issues.push({
           severity: "warning",
           title: "API route may be missing authentication",
@@ -536,23 +524,83 @@ function isClientSideFile(relativeFile, content) {
   return fileName.includes(".client.") || /(^|\n)\s*["']use client["'];?/.test(content);
 }
 function isApiRoute(filePath) {
-  return filePath.includes(`${path.sep}app${path.sep}api${path.sep}`) || filePath.includes(`${path.sep}pages${path.sep}api${path.sep}`);
+  const normalizedFile = normalizePath(filePath);
+  const sourceFileExtension = "(?:ts|tsx|js|jsx|mts|cts|mjs|cjs)";
+  return new RegExp(`/app/api(?:/.+)?/route\\.${sourceFileExtension}$`).test(normalizedFile) || new RegExp(`/pages/api/.+\\.${sourceFileExtension}$`).test(normalizedFile);
 }
-function isStripeWebhookRoute(relativeFile, content) {
+function getWebhookRouteInfo(relativeFile, content) {
   const normalizedFile = relativeFile.toLowerCase();
   const normalizedContent = content.toLowerCase();
-  return normalizedContent.includes("stripe") && (normalizedFile.includes("webhook") || normalizedContent.includes("webhook") || normalizedContent.includes("stripe.webhooks"));
+  const normalizedRouteContext = `${normalizedFile}
+${normalizedContent}`;
+  const pathLooksLikeWebhook = normalizedFile.includes("webhook") || normalizedFile.includes("callback");
+  const contentStronglySuggestsWebhook = normalizedContent.includes("stripe.webhooks") || normalizedContent.includes("constructevent(") || normalizedContent.includes("stripe-signature") || normalizedContent.includes("stripe_webhook_secret") || normalizedContent.includes("clerk_webhook_secret") || normalizedContent.includes("svix") || normalizedContent.includes("x-github-event") || normalizedContent.includes("x-hub-signature") || normalizedContent.includes("x-shopify-hmac-sha256") || normalizedContent.includes("resend") && normalizedContent.includes("webhook") || normalizedContent.includes("webhook_secret") || normalizedContent.includes("webhooksecret") || normalizedContent.includes("webhook") && (normalizedContent.includes("signature") || normalizedContent.includes("secret") || normalizedContent.includes("event"));
+  if (!pathLooksLikeWebhook && !contentStronglySuggestsWebhook) {
+    return null;
+  }
+  const provider = getWebhookProvider(normalizedRouteContext);
+  return {
+    provider,
+    confidence: provider === "unknown" ? "likely" : "high"
+  };
 }
-function hasStripeWebhookSignatureVerification(content) {
-  return content.includes("stripe.webhooks.constructEvent") || content.includes("webhooks.constructEvent") || content.includes("constructEvent(");
+function getWebhookProvider(normalizedRouteContext) {
+  if (normalizedRouteContext.includes("stripe-signature") || normalizedRouteContext.includes("stripe_webhook_secret") || normalizedRouteContext.includes("stripe.webhooks") || normalizedRouteContext.includes("constructevent(") || normalizedRouteContext.includes("stripe") && normalizedRouteContext.includes("webhook")) {
+    return "stripe";
+  }
+  if (normalizedRouteContext.includes("resend") && normalizedRouteContext.includes("webhook")) {
+    return "resend";
+  }
+  if (normalizedRouteContext.includes("clerk_webhook_secret") || normalizedRouteContext.includes("clerk") && normalizedRouteContext.includes("webhook")) {
+    return "clerk";
+  }
+  if (normalizedRouteContext.includes("x-github-event") || normalizedRouteContext.includes("x-hub-signature")) {
+    return "github";
+  }
+  if (normalizedRouteContext.includes("x-shopify-hmac-sha256")) {
+    return "shopify";
+  }
+  return "unknown";
 }
-function isClerkWebhookRoute(relativeFile, content) {
-  const normalizedFile = relativeFile.toLowerCase();
+function hasWebhookSignatureVerification(content, provider) {
   const normalizedContent = content.toLowerCase();
-  return (normalizedContent.includes("clerk") || normalizedContent.includes("clerk_webhook_secret")) && (normalizedFile.includes("webhook") || normalizedContent.includes("webhook"));
+  if (provider === "stripe") {
+    return normalizedContent.includes("stripe.webhooks.constructevent") || normalizedContent.includes("webhooks.constructevent") || normalizedContent.includes("constructevent(");
+  }
+  if (provider === "clerk") {
+    return (normalizedContent.includes("new webhook(") || normalizedContent.includes("webhook(") || normalizedContent.includes("svix")) && (normalizedContent.includes(".verify(") || normalizedContent.includes("verify(") || normalizedContent.includes("verifywebhook"));
+  }
+  if (provider === "github") {
+    return (normalizedContent.includes("x-hub-signature") || normalizedContent.includes("x-hub-signature-256")) && hasHmacOrVerifyCall(normalizedContent);
+  }
+  if (provider === "shopify") {
+    return normalizedContent.includes("x-shopify-hmac-sha256") && hasHmacOrVerifyCall(normalizedContent);
+  }
+  if (provider === "resend") {
+    return normalizedContent.includes("verifywebhook") || (normalizedContent.includes("new webhook(") || normalizedContent.includes("webhook(") || normalizedContent.includes("svix")) && hasHmacOrVerifyCall(normalizedContent);
+  }
+  return normalizedContent.includes("constructevent(") || normalizedContent.includes("verifywebhook") || normalizedContent.includes("signature") && hasHmacOrVerifyCall(normalizedContent) || normalizedContent.includes("webhook") && normalizedContent.includes("verify(");
 }
-function hasClerkWebhookSignatureVerification(content) {
-  return content.includes("new Webhook(") || content.includes(".verify(") || content.includes("svix");
+function hasHmacOrVerifyCall(normalizedContent) {
+  return normalizedContent.includes("verify(") || normalizedContent.includes(".verify(") || normalizedContent.includes("verifywebhook") || normalizedContent.includes("createhmac") || normalizedContent.includes("timingsafeequal") || normalizedContent.includes("subtle.verify");
+}
+function getWebhookSignatureSuggestion(provider) {
+  if (provider === "stripe") {
+    return "Use stripe.webhooks.constructEvent(...) with the Stripe signature header before handling the event.";
+  }
+  if (provider === "clerk") {
+    return "Verify the event with Svix before handling it.";
+  }
+  if (provider === "github") {
+    return "Verify the GitHub signature using the raw request body, X-Hub-Signature-256 header, and webhook secret.";
+  }
+  if (provider === "shopify") {
+    return "Verify the Shopify HMAC using the raw request body, X-Shopify-Hmac-Sha256 header, and webhook secret.";
+  }
+  if (provider === "resend") {
+    return "Verify the Resend webhook signature before handling the event.";
+  }
+  return "Verify the provider signature using the raw request body and signature header before trusting the event.";
 }
 function isPackageJsonObject(data) {
   return typeof data === "object" && data !== null && !Array.isArray(data);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@qodfy/core",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Scanner engine for Qodfy, an open-source launch readiness scanner for AI-built apps.",
   "keywords": [
     "qodfy",