@reauth-dev/sdk 0.1.0

package/dist/webhooks.d.mts

@@ -0,0 +1,23 @@
+declare const SIGNATURE_HEADER = "reauth-webhook-signature";
+declare const ID_HEADER = "reauth-webhook-id";
+declare const TIMESTAMP_HEADER = "reauth-webhook-timestamp";
+type WebhookEvent = {
+    id: string;
+    type: string;
+    api_version: string;
+    created_at: string;
+    domain_id: string;
+    data: Record<string, unknown>;
+};
+type VerifyWebhookOptions = {
+    payload: string;
+    signature: string;
+    secret: string;
+    tolerance?: number;
+};
+declare class WebhookVerificationError extends Error {
+    constructor(message: string);
+}
+declare function verifyWebhookSignature(options: VerifyWebhookOptions): WebhookEvent;
+
+export { ID_HEADER, SIGNATURE_HEADER, TIMESTAMP_HEADER, type VerifyWebhookOptions, type WebhookEvent, WebhookVerificationError, verifyWebhookSignature };

package/dist/webhooks.d.ts

@@ -0,0 +1,23 @@
+declare const SIGNATURE_HEADER = "reauth-webhook-signature";
+declare const ID_HEADER = "reauth-webhook-id";
+declare const TIMESTAMP_HEADER = "reauth-webhook-timestamp";
+type WebhookEvent = {
+    id: string;
+    type: string;
+    api_version: string;
+    created_at: string;
+    domain_id: string;
+    data: Record<string, unknown>;
+};
+type VerifyWebhookOptions = {
+    payload: string;
+    signature: string;
+    secret: string;
+    tolerance?: number;
+};
+declare class WebhookVerificationError extends Error {
+    constructor(message: string);
+}
+declare function verifyWebhookSignature(options: VerifyWebhookOptions): WebhookEvent;
+
+export { ID_HEADER, SIGNATURE_HEADER, TIMESTAMP_HEADER, type VerifyWebhookOptions, type WebhookEvent, WebhookVerificationError, verifyWebhookSignature };

package/dist/webhooks.js

@@ -0,0 +1,123 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/webhooks.ts
+var webhooks_exports = {};
+__export(webhooks_exports, {
+  ID_HEADER: () => ID_HEADER,
+  SIGNATURE_HEADER: () => SIGNATURE_HEADER,
+  TIMESTAMP_HEADER: () => TIMESTAMP_HEADER,
+  WebhookVerificationError: () => WebhookVerificationError,
+  verifyWebhookSignature: () => verifyWebhookSignature
+});
+module.exports = __toCommonJS(webhooks_exports);
+var import_node_crypto = require("crypto");
+var SIGNATURE_HEADER = "reauth-webhook-signature";
+var ID_HEADER = "reauth-webhook-id";
+var TIMESTAMP_HEADER = "reauth-webhook-timestamp";
+var DEFAULT_TOLERANCE_SECONDS = 300;
+var WebhookVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "WebhookVerificationError";
+  }
+};
+function parseSignatureHeader(header) {
+  const parts = header.split(",");
+  let timestamp = "";
+  const signatures = [];
+  for (const part of parts) {
+    const [key, value] = part.split("=", 2);
+    if (key === "t") {
+      timestamp = value;
+    } else if (key === "v1") {
+      signatures.push(value);
+    }
+  }
+  return { timestamp, signatures };
+}
+function isValidHex(value) {
+  return /^[0-9a-fA-F]+$/.test(value) && value.length % 2 === 0;
+}
+function computeSignature(secret, timestamp, payload) {
+  const signedPayload = `${timestamp}.${payload}`;
+  return (0, import_node_crypto.createHmac)("sha256", secret).update(signedPayload).digest("hex");
+}
+function verifyWebhookSignature(options) {
+  const { payload, signature, secret, tolerance = DEFAULT_TOLERANCE_SECONDS } = options;
+  if (!signature) {
+    throw new WebhookVerificationError("Missing webhook signature header");
+  }
+  if (!secret) {
+    throw new WebhookVerificationError("Missing webhook secret");
+  }
+  const rawSecret = secret.startsWith("whsec_") ? secret.slice(6) : secret;
+  const { timestamp, signatures } = parseSignatureHeader(signature);
+  if (!timestamp || signatures.length === 0) {
+    throw new WebhookVerificationError(
+      "Invalid signature header format: expected t=<timestamp>,v1=<signature>"
+    );
+  }
+  const timestampSeconds = parseInt(timestamp, 10);
+  if (isNaN(timestampSeconds)) {
+    throw new WebhookVerificationError("Invalid timestamp in signature header");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestampSeconds;
+  if (age > tolerance) {
+    throw new WebhookVerificationError(
+      `Webhook timestamp too old: ${age}s exceeds tolerance of ${tolerance}s`
+    );
+  }
+  if (age < -tolerance) {
+    throw new WebhookVerificationError(
+      `Webhook timestamp too far in the future: ${-age}s exceeds tolerance of ${tolerance}s`
+    );
+  }
+  const expectedSignature = computeSignature(rawSecret, timestamp, payload);
+  const expectedBuffer = Buffer.from(expectedSignature, "hex");
+  let verified = false;
+  for (const sig of signatures) {
+    if (!isValidHex(sig)) {
+      continue;
+    }
+    const sigBuffer = Buffer.from(sig, "hex");
+    if (sigBuffer.length === expectedBuffer.length && (0, import_node_crypto.timingSafeEqual)(sigBuffer, expectedBuffer)) {
+      verified = true;
+      break;
+    }
+  }
+  if (!verified) {
+    throw new WebhookVerificationError("Webhook signature verification failed");
+  }
+  try {
+    const event = JSON.parse(payload);
+    return event;
+  } catch {
+    throw new WebhookVerificationError("Failed to parse webhook payload as JSON");
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ID_HEADER,
+  SIGNATURE_HEADER,
+  TIMESTAMP_HEADER,
+  WebhookVerificationError,
+  verifyWebhookSignature
+});

package/dist/webhooks.mjs

@@ -0,0 +1,94 @@
+// src/webhooks.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var SIGNATURE_HEADER = "reauth-webhook-signature";
+var ID_HEADER = "reauth-webhook-id";
+var TIMESTAMP_HEADER = "reauth-webhook-timestamp";
+var DEFAULT_TOLERANCE_SECONDS = 300;
+var WebhookVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "WebhookVerificationError";
+  }
+};
+function parseSignatureHeader(header) {
+  const parts = header.split(",");
+  let timestamp = "";
+  const signatures = [];
+  for (const part of parts) {
+    const [key, value] = part.split("=", 2);
+    if (key === "t") {
+      timestamp = value;
+    } else if (key === "v1") {
+      signatures.push(value);
+    }
+  }
+  return { timestamp, signatures };
+}
+function isValidHex(value) {
+  return /^[0-9a-fA-F]+$/.test(value) && value.length % 2 === 0;
+}
+function computeSignature(secret, timestamp, payload) {
+  const signedPayload = `${timestamp}.${payload}`;
+  return createHmac("sha256", secret).update(signedPayload).digest("hex");
+}
+function verifyWebhookSignature(options) {
+  const { payload, signature, secret, tolerance = DEFAULT_TOLERANCE_SECONDS } = options;
+  if (!signature) {
+    throw new WebhookVerificationError("Missing webhook signature header");
+  }
+  if (!secret) {
+    throw new WebhookVerificationError("Missing webhook secret");
+  }
+  const rawSecret = secret.startsWith("whsec_") ? secret.slice(6) : secret;
+  const { timestamp, signatures } = parseSignatureHeader(signature);
+  if (!timestamp || signatures.length === 0) {
+    throw new WebhookVerificationError(
+      "Invalid signature header format: expected t=<timestamp>,v1=<signature>"
+    );
+  }
+  const timestampSeconds = parseInt(timestamp, 10);
+  if (isNaN(timestampSeconds)) {
+    throw new WebhookVerificationError("Invalid timestamp in signature header");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const age = now - timestampSeconds;
+  if (age > tolerance) {
+    throw new WebhookVerificationError(
+      `Webhook timestamp too old: ${age}s exceeds tolerance of ${tolerance}s`
+    );
+  }
+  if (age < -tolerance) {
+    throw new WebhookVerificationError(
+      `Webhook timestamp too far in the future: ${-age}s exceeds tolerance of ${tolerance}s`
+    );
+  }
+  const expectedSignature = computeSignature(rawSecret, timestamp, payload);
+  const expectedBuffer = Buffer.from(expectedSignature, "hex");
+  let verified = false;
+  for (const sig of signatures) {
+    if (!isValidHex(sig)) {
+      continue;
+    }
+    const sigBuffer = Buffer.from(sig, "hex");
+    if (sigBuffer.length === expectedBuffer.length && timingSafeEqual(sigBuffer, expectedBuffer)) {
+      verified = true;
+      break;
+    }
+  }
+  if (!verified) {
+    throw new WebhookVerificationError("Webhook signature verification failed");
+  }
+  try {
+    const event = JSON.parse(payload);
+    return event;
+  } catch {
+    throw new WebhookVerificationError("Failed to parse webhook payload as JSON");
+  }
+}
+export {
+  ID_HEADER,
+  SIGNATURE_HEADER,
+  TIMESTAMP_HEADER,
+  WebhookVerificationError,
+  verifyWebhookSignature
+};

package/package.json

@@ -0,0 +1,78 @@
+{
+  "name": "@reauth-dev/sdk",
+  "version": "0.1.0",
+  "description": "TypeScript SDK for reauth.dev authentication",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./react": {
+      "types": "./dist/react/index.d.ts",
+      "import": "./dist/react/index.mjs",
+      "require": "./dist/react/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.mjs",
+      "require": "./dist/server.js"
+    },
+    "./webhooks": {
+      "types": "./dist/webhooks.d.ts",
+      "import": "./dist/webhooks.mjs",
+      "require": "./dist/webhooks.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit",
+    "format": "prettier --write src"
+  },
+  "dependencies": {
+    "jose": "^5.0.0"
+  },
+  "peerDependencies": {
+    "react": ">=18.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "@types/react": "^18.0.0",
+    "prettier": "^3.8.1",
+    "react": "^18.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0"
+  },
+  "keywords": [
+    "auth",
+    "authentication",
+    "reauth",
+    "magic-link",
+    "passwordless"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sssemil/reauth-sdk.git",
+    "directory": "ts"
+  },
+  "homepage": "https://github.com/sssemil/reauth-sdk/tree/main/ts#readme",
+  "bugs": "https://github.com/sssemil/reauth-sdk/issues"
+}