npm - @roottale/cms-client - Versions diffs - 0.2.0 → 0.5.0 - Mend

@roottale/cms-client 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # @roottale/cms-client
+## 0.5.0
+### Minor Changes
+- c43ab28: ADR-0039 — `/webhook` subpath export 추가 (0.4.0 에서 누락, 0.5.0 에서 실제 노출). tsup entry 와 package.json exports 동시 갱신 — `@roottale/cms-client/webhook` 로 `verifyRootTaleWebhook` import 가능.
+## 0.4.0
+### Minor Changes
+- 31900de: ADR-0039 (Option D, JWKS asymmetric) — `@roottale/cms-client/webhook` subpath export 추가. `verifyRootTaleWebhook({ rawBody, headers, expectedSiteId, ... })` 가 RootTale CMS publish webhook 의 ES256 JWS 시그너처를 JWKS (api.roottale.com/.well-known/jwks.json) 기반으로 검증한다. **고객 측 secret 보관 0** — `ROOTTALE_EXPECTED_SITE_ID` env 만 (비밀 아님). issuer/audience/site_id/body_sha256/timestamp 모두 검증. jose 라이브러리 (Node 18+/Workers/Bun/Deno 양립).
+  기존 `/server` 의 fetch helper 는 변동 없음.
 ## 0.2.0
 ### Minor Changes
@@ -14,7 +28,6 @@
   (빈 배열 fallback).
   신규 타입:
   - `CmsTermRef { id, taxonomy, slug, name }`
   - `CmsTaxonomyKind = "category" | "tag" | "custom"`
@@ -52,7 +65,6 @@
   의미의 `theme` 옵션. style="..." 속성으로 CSS 변수 주입 (서버 측 escape 보강).
   `theme` prop semantics:
   - `undefined` → 자동 fetch
   - `RootTaleTheme` → 호출자 override
   - `null` → 자동 fetch 건너뜀 (부모 `RootTaleThemeProvider` 활용 시)
@@ -71,7 +83,6 @@
   수정: `tsup` 으로 `dist/*.js` + `dist/*.d.ts` (ESM) 출력. `exports` 가 dist
   가리킴. customer site 측 `transpilePackages` 불필요.
   - `cms-client@0.1.1` — ESM `dist/server.js` + types
   - `cms-core@0.2.1` — ESM `dist/index.js` + types
   - `cms-renderer-next@0.2.1` — ESM `dist/{server,index}.js` + types + `dist/cms-public.css`
@@ -80,7 +91,6 @@
   - `cms-renderer-astro@0.2.1` — ESM `dist/index.js` + types
   후속 (customer site PR):
   - roottale-web / kjmtax / theoneulsan 의 `next.config` 의 `transpilePackages`
     에서 `@roottale/cms-*` 제거. `pnpm update @roottale/cms-client @roottale/cms-renderer-next` 로 patch 적용.
@@ -93,7 +103,6 @@
   ADR-0029 §0 amend (publish-only dormant) 는 design system 5 패키지 (tokens, ui-css, ui-react, ui-astro, ui-admin) 에 한정. cms-\* 는 별도 정책 — 실행 로직 + 5-20 외부 customer site 직접 의존 + schema 호환 + 보안 경계. Codex consult verdict (session `019e6703…`) 정합.
   변경:
   - 4 패키지 `private: true` 해제 + `publishConfig.access: "public"`
   - `@roottale/cms-renderer-next` 에서 `@roottale/tokens/tokens.css` import 제거 — 모든 `--rt-*` 변수에 static fallback 으로 self-contained. tokens dormant 와 무관하게 동작.
   - `RootTaleLeadForm` RSC 추가 — 외부 사이트 진단 폼 (`vertical`/`redirectUrl` props, medical 국외이전 동의 자동).
@@ -102,6 +111,5 @@
   - `cms-renderer-astro` 도 동등 surface 유지를 위해 동시 publish
   후속:
   - ADR 신규 — cms-\* publish 정책 (별 PR)
   - Astro 측 LeadForm 컴포넌트 (현재 `@roottale/ui-astro` 위치, `cms-renderer-astro` 로 이동 검토)

package/dist/webhook.d.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import { JWTPayload, JWK } from 'jose';
+export { JWTPayload } from 'jose';
+/**
+ * `@roottale/cms-client/webhook` — RootTale CMS Publish Webhook verifier.
+ *
+ * ADR-0039 (Option D, JWKS asymmetric). 외부 고객사 사이트가 RootTale CMS 의
+ * publish webhook 을 검증한다. 고객 측에 **secret 보관 0** — 공개키만으로 검증.
+ *
+ * 인증 모델:
+ *   서명 = ES256 JWS (alg=ES256, kid=<opaque>). admin/api-core 의 dispatcher 가
+ *          site_webhook_keys 의 active row 로 서명.
+ *   검증 = `api.roottale.com/.well-known/jwks.json` 에서 공개키 fetch (1 시간
+ *          캐시, kid 변화 즉시 refresh). jose 라이브러리.
+ *
+ * Customer 작업:
+ *   1) `pnpm add @roottale/cms-client`
+ *   2) admin 의 사이트 추가 화면에서 본 사이트의 siteId 값을 받아 env 에 paste:
+ *      `ROOTTALE_EXPECTED_SITE_ID=<siteId>`  (secret 아님, lock-down 용)
+ *   3) /api/revalidate 라우트에서 verifyRootTaleWebhook 호출
+ *
+ * Next.js Route Handler 예제:
+ * ```ts
+ * import { verifyRootTaleWebhook } from "@roottale/cms-client/webhook";
+ *
+ * export async function POST(request: Request) {
+ *   const rawBody = await request.text();
+ *   const result = await verifyRootTaleWebhook({
+ *     rawBody,
+ *     headers: request.headers,
+ *     expectedSiteId: process.env.ROOTTALE_EXPECTED_SITE_ID!,
+ *   });
+ *   if (!result.ok) return Response.json({ reason: result.reason }, { status: 401 });
+ *   // ... revalidatePath(result.payload.paths)
+ * }
+ * ```
+ */
+declare const DEFAULT_JWKS_URL = "https://api.roottale.com/.well-known/jwks.json";
+interface VerifyRootTaleWebhookInput {
+    /** `await request.text()` 결과. parse 전에 verify 해야 함. */
+    rawBody: string;
+    /** request.headers (Headers 또는 dict). */
+    headers: Headers | Record<string, string | undefined>;
+    /**
+     * 고객 사이트가 *어느 RootTale siteId* 를 신뢰하는지 명시. 필수.
+     * production 에서 미설정은 위험 — 다른 사이트로 가는 서명이 통과될 수 있음.
+     */
+    expectedSiteId: string;
+    /** (옵션) JWKS endpoint URL override. 기본 = https://api.roottale.com/.well-known/jwks.json */
+    jwksUrl?: string;
+    /** (옵션) timestamp drift 허용 (초). 기본 300. */
+    timestampWindowSec?: number;
+    /**
+     * (옵션) replay idempotency hook. jti 가 이미 본 거면 "seen" 반환해서 reject.
+     * 미지정 시 replay check skip — ISR revalidate 처럼 idempotent 한 endpoint 에선 무해.
+     */
+    consumeJti?: (jti: string, exp: number) => Promise<"new" | "seen">;
+    /** (옵션) 테스트용 now() override. */
+    now?: () => number;
+}
+interface VerifyRootTaleWebhookSuccess {
+    ok: true;
+    /** JWS jti claim — webhook delivery id, X-Roottale-Delivery-Id 헤더와 동일. */
+    deliveryId: string;
+    /** payload.siteId (= expectedSiteId 가 일치 검증됨). */
+    siteId: string;
+    /** post.published | post.updated | post.deleted */
+    event: string;
+    /** body 의 SHA-256 (base64url). caller 가 별도 검증할 필요 X — 이미 jws 가 binding. */
+    bodyHash: string;
+    /** 디코딩된 JWS payload. */
+    payload: JWTPayload;
+}
+interface VerifyRootTaleWebhookFailure {
+    ok: false;
+    reason: "missing_signature" | "missing_site_id" | "jwks_fetch_failed" | "invalid_signature" | "expired" | "issuer_mismatch" | "audience_mismatch" | "site_id_mismatch" | "body_hash_mismatch" | "timestamp_out_of_window" | "replay_seen" | "internal_error";
+}
+type VerifyRootTaleWebhookResult = VerifyRootTaleWebhookSuccess | VerifyRootTaleWebhookFailure;
+/**
+ * Test-only — 특정 jwksUrl 의 lookup 을 local JWKS 로 미리 채움. 호출 후 같은
+ * URL 로 verifyRootTaleWebhook 하면 remote fetch 없이 in-memory 검증.
+ * production 코드에선 호출 금지.
+ */
+declare function __useLocalJwksForTesting(jwksUrl: string, jwks: {
+    keys: JWK[];
+}): void;
+declare function verifyRootTaleWebhook(input: VerifyRootTaleWebhookInput): Promise<VerifyRootTaleWebhookResult>;
+export { DEFAULT_JWKS_URL, type VerifyRootTaleWebhookFailure, type VerifyRootTaleWebhookInput, type VerifyRootTaleWebhookResult, type VerifyRootTaleWebhookSuccess, __useLocalJwksForTesting, verifyRootTaleWebhook };

package/dist/webhook.js ADDED Viewed

@@ -0,0 +1,133 @@
+// src/webhook.ts
+import {
+  createLocalJWKSet,
+  createRemoteJWKSet,
+  errors as joseErrors,
+  jwtVerify
+} from "jose";
+var DEFAULT_JWKS_URL = "https://api.roottale.com/.well-known/jwks.json";
+var DEFAULT_TIMESTAMP_WINDOW_SEC = 300;
+var SIGNATURE_ISSUER = "https://api.roottale.com";
+var SIGNATURE_AUDIENCE = "roottale-webhook";
+var jwksSetCache = /* @__PURE__ */ new Map();
+function getJwksSet(jwksUrl) {
+  let cached = jwksSetCache.get(jwksUrl);
+  if (!cached) {
+    cached = createRemoteJWKSet(new URL(jwksUrl), {
+      cacheMaxAge: 60 * 60 * 1e3,
+      // 1h
+      cooldownDuration: 30 * 1e3,
+      // 모르는 kid 재 fetch 최소 간격
+      timeoutDuration: 5e3
+    });
+    jwksSetCache.set(jwksUrl, cached);
+  }
+  return cached;
+}
+function __useLocalJwksForTesting(jwksUrl, jwks) {
+  jwksSetCache.set(jwksUrl, createLocalJWKSet(jwks));
+}
+function readHeader(headers, name) {
+  if (typeof headers.get === "function") {
+    const v = headers.get(name);
+    return v ?? null;
+  }
+  const dict = headers;
+  const direct = dict[name];
+  if (typeof direct === "string") return direct;
+  for (const k of Object.keys(dict)) {
+    if (k.toLowerCase() === name) {
+      const v = dict[k];
+      if (typeof v === "string") return v;
+    }
+  }
+  return null;
+}
+function bytesToBase64Url(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(s) : Buffer.from(s, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function sha256Base64Url(input) {
+  const enc = new TextEncoder();
+  const data = enc.encode(input);
+  const hashBuf = await crypto.subtle.digest("SHA-256", data);
+  return bytesToBase64Url(new Uint8Array(hashBuf));
+}
+async function verifyRootTaleWebhook(input) {
+  if (!input.expectedSiteId) {
+    return { ok: false, reason: "missing_site_id" };
+  }
+  const jws = readHeader(input.headers, "x-roottale-signature");
+  if (!jws) return { ok: false, reason: "missing_signature" };
+  const jwksUrl = input.jwksUrl ?? DEFAULT_JWKS_URL;
+  const jwks = getJwksSet(jwksUrl);
+  const windowSec = input.timestampWindowSec ?? DEFAULT_TIMESTAMP_WINDOW_SEC;
+  const nowDate = input.now ? new Date(input.now()) : /* @__PURE__ */ new Date();
+  let payload;
+  try {
+    const result = await jwtVerify(jws, jwks, {
+      issuer: SIGNATURE_ISSUER,
+      audience: SIGNATURE_AUDIENCE,
+      clockTolerance: `${windowSec}s`,
+      currentDate: nowDate
+    });
+    payload = result.payload;
+  } catch (e) {
+    if (e instanceof joseErrors.JWTExpired) {
+      return { ok: false, reason: "expired" };
+    }
+    if (e instanceof joseErrors.JWTClaimValidationFailed) {
+      const claim = e.claim;
+      if (claim === "iss") return { ok: false, reason: "issuer_mismatch" };
+      if (claim === "aud") return { ok: false, reason: "audience_mismatch" };
+      if (claim === "iat" || claim === "exp")
+        return { ok: false, reason: "timestamp_out_of_window" };
+      return { ok: false, reason: "invalid_signature" };
+    }
+    if (e instanceof joseErrors.JWSSignatureVerificationFailed || e instanceof joseErrors.JWSInvalid || e instanceof joseErrors.JWTInvalid) {
+      return { ok: false, reason: "invalid_signature" };
+    }
+    if (e.code?.startsWith?.("ERR_JWKS")) {
+      return { ok: false, reason: "jwks_fetch_failed" };
+    }
+    if (process.env.VERIFY_DEBUG) {
+      console.warn("[verifyRootTaleWebhook] unexpected error:", e);
+    }
+    return { ok: false, reason: "internal_error" };
+  }
+  const claimSiteId = payload.site_id;
+  if (typeof claimSiteId !== "string" || claimSiteId !== input.expectedSiteId) {
+    return { ok: false, reason: "site_id_mismatch" };
+  }
+  const claimBodyHash = payload.body_sha256;
+  if (typeof claimBodyHash !== "string") {
+    return { ok: false, reason: "body_hash_mismatch" };
+  }
+  const actualBodyHash = await sha256Base64Url(input.rawBody);
+  if (claimBodyHash !== actualBodyHash) {
+    return { ok: false, reason: "body_hash_mismatch" };
+  }
+  if (input.consumeJti && typeof payload.jti === "string") {
+    const seen = await input.consumeJti(
+      payload.jti,
+      typeof payload.exp === "number" ? payload.exp : 0
+    );
+    if (seen === "seen") return { ok: false, reason: "replay_seen" };
+  }
+  return {
+    ok: true,
+    deliveryId: typeof payload.jti === "string" ? payload.jti : "",
+    siteId: claimSiteId,
+    event: typeof payload.event === "string" ? payload.event : "",
+    bodyHash: claimBodyHash,
+    payload
+  };
+}
+export {
+  DEFAULT_JWKS_URL,
+  __useLocalJwksForTesting,
+  verifyRootTaleWebhook
+};
+//# sourceMappingURL=webhook.js.map

package/dist/webhook.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/webhook.ts"],"sourcesContent":["/**\n * `@roottale/cms-client/webhook` — RootTale CMS Publish Webhook verifier.\n *\n * ADR-0039 (Option D, JWKS asymmetric). 외부 고객사 사이트가 RootTale CMS 의\n * publish webhook 을 검증한다. 고객 측에 **secret 보관 0** — 공개키만으로 검증.\n *\n * 인증 모델:\n * 서명 = ES256 JWS (alg=ES256, kid=<opaque>). admin/api-core 의 dispatcher 가\n * site_webhook_keys 의 active row 로 서명.\n * 검증 = `api.roottale.com/.well-known/jwks.json` 에서 공개키 fetch (1 시간\n * 캐시, kid 변화 즉시 refresh). jose 라이브러리.\n *\n * Customer 작업:\n * 1) `pnpm add @roottale/cms-client`\n * 2) admin 의 사이트 추가 화면에서 본 사이트의 siteId 값을 받아 env 에 paste:\n * `ROOTTALE_EXPECTED_SITE_ID=<siteId>` (secret 아님, lock-down 용)\n * 3) /api/revalidate 라우트에서 verifyRootTaleWebhook 호출\n *\n * Next.js Route Handler 예제:\n * ```ts\n * import { verifyRootTaleWebhook } from \"@roottale/cms-client/webhook\";\n *\n * export async function POST(request: Request) {\n * const rawBody = await request.text();\n * const result = await verifyRootTaleWebhook({\n * rawBody,\n * headers: request.headers,\n * expectedSiteId: process.env.ROOTTALE_EXPECTED_SITE_ID!,\n * });\n * if (!result.ok) return Response.json({ reason: result.reason }, { status: 401 });\n * // ... revalidatePath(result.payload.paths)\n * }\n * ```\n */\n\nimport {\n type JWK,\n type JWTPayload,\n createLocalJWKSet,\n createRemoteJWKSet,\n errors as joseErrors,\n jwtVerify,\n} from \"jose\";\n\nexport const DEFAULT_JWKS_URL =\n \"https://api.roottale.com/.well-known/jwks.json\";\nconst DEFAULT_TIMESTAMP_WINDOW_SEC = 300;\nconst SIGNATURE_ISSUER = \"https://api.roottale.com\";\nconst SIGNATURE_AUDIENCE = \"roottale-webhook\";\n\nexport interface VerifyRootTaleWebhookInput {\n /** `await request.text()` 결과. parse 전에 verify 해야 함. */\n rawBody: string;\n /** request.headers (Headers 또는 dict). */\n headers: Headers | Record<string, string | undefined>;\n /**\n * 고객 사이트가 *어느 RootTale siteId* 를 신뢰하는지 명시. 필수.\n * production 에서 미설정은 위험 — 다른 사이트로 가는 서명이 통과될 수 있음.\n */\n expectedSiteId: string;\n /** (옵션) JWKS endpoint URL override. 기본 = https://api.roottale.com/.well-known/jwks.json */\n jwksUrl?: string;\n /** (옵션) timestamp drift 허용 (초). 기본 300. */\n timestampWindowSec?: number;\n /**\n * (옵션) replay idempotency hook. jti 가 이미 본 거면 \"seen\" 반환해서 reject.\n * 미지정 시 replay check skip — ISR revalidate 처럼 idempotent 한 endpoint 에선 무해.\n */\n consumeJti?: (jti: string, exp: number) => Promise<\"new\" | \"seen\">;\n /** (옵션) 테스트용 now() override. */\n now?: () => number;\n}\n\nexport interface VerifyRootTaleWebhookSuccess {\n ok: true;\n /** JWS jti claim — webhook delivery id, X-Roottale-Delivery-Id 헤더와 동일. */\n deliveryId: string;\n /** payload.siteId (= expectedSiteId 가 일치 검증됨). */\n siteId: string;\n /** post.published | post.updated | post.deleted */\n event: string;\n /** body 의 SHA-256 (base64url). caller 가 별도 검증할 필요 X — 이미 jws 가 binding. */\n bodyHash: string;\n /** 디코딩된 JWS payload. */\n payload: JWTPayload;\n}\n\nexport interface VerifyRootTaleWebhookFailure {\n ok: false;\n reason:\n | \"missing_signature\"\n | \"missing_site_id\"\n | \"jwks_fetch_failed\"\n | \"invalid_signature\"\n | \"expired\"\n | \"issuer_mismatch\"\n | \"audience_mismatch\"\n | \"site_id_mismatch\"\n | \"body_hash_mismatch\"\n | \"timestamp_out_of_window\"\n | \"replay_seen\"\n | \"internal_error\";\n}\n\nexport type VerifyRootTaleWebhookResult =\n | VerifyRootTaleWebhookSuccess\n | VerifyRootTaleWebhookFailure;\n\n// ── module-level JWKS cache (process lifetime) ──────────────────────────────\n\ntype JwksResolver = ReturnType<typeof createRemoteJWKSet>;\nconst jwksSetCache = new Map<string, JwksResolver>();\n\nfunction getJwksSet(jwksUrl: string): JwksResolver {\n let cached = jwksSetCache.get(jwksUrl);\n if (!cached) {\n cached = createRemoteJWKSet(new URL(jwksUrl), {\n cacheMaxAge: 60 * 60 * 1000, // 1h\n cooldownDuration: 30 * 1000, // 모르는 kid 재 fetch 최소 간격\n timeoutDuration: 5_000,\n });\n jwksSetCache.set(jwksUrl, cached);\n }\n return cached;\n}\n\n/**\n * Test-only — 특정 jwksUrl 의 lookup 을 local JWKS 로 미리 채움. 호출 후 같은\n * URL 로 verifyRootTaleWebhook 하면 remote fetch 없이 in-memory 검증.\n * production 코드에선 호출 금지.\n */\nexport function __useLocalJwksForTesting(\n jwksUrl: string,\n jwks: { keys: JWK[] },\n): void {\n jwksSetCache.set(jwksUrl, createLocalJWKSet(jwks) as JwksResolver);\n}\n\n// ── helpers ─────────────────────────────────────────────────────────────────\n\nfunction readHeader(\n headers: Headers | Record<string, string | undefined>,\n name: string,\n): string | null {\n if (typeof (headers as Headers).get === \"function\") {\n const v = (headers as Headers).get(name);\n return v ?? null;\n }\n const dict = headers as Record<string, string | undefined>;\n const direct = dict[name];\n if (typeof direct === \"string\") return direct;\n for (const k of Object.keys(dict)) {\n if (k.toLowerCase() === name) {\n const v = dict[k];\n if (typeof v === \"string\") return v;\n }\n }\n return null;\n}\n\nfunction bytesToBase64Url(bytes: Uint8Array): string {\n let s = \"\";\n for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);\n const b64 =\n typeof btoa === \"function\" ? btoa(s) : Buffer.from(s, \"binary\").toString(\"base64\");\n return b64.replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\nasync function sha256Base64Url(input: string): Promise<string> {\n const enc = new TextEncoder();\n const data = enc.encode(input);\n const hashBuf = await crypto.subtle.digest(\"SHA-256\", data);\n return bytesToBase64Url(new Uint8Array(hashBuf));\n}\n\n// ── public API ──────────────────────────────────────────────────────────────\n\nexport async function verifyRootTaleWebhook(\n input: VerifyRootTaleWebhookInput,\n): Promise<VerifyRootTaleWebhookResult> {\n if (!input.expectedSiteId) {\n return { ok: false, reason: \"missing_site_id\" };\n }\n const jws = readHeader(input.headers, \"x-roottale-signature\");\n if (!jws) return { ok: false, reason: \"missing_signature\" };\n\n const jwksUrl = input.jwksUrl ?? DEFAULT_JWKS_URL;\n const jwks = getJwksSet(jwksUrl);\n\n // timestamp window — jose 의 clockTolerance 옵션으로 ±drift 검사.\n // jose 는 iat/exp 를 검사하므로 window 는 clockTolerance 로 흡수.\n const windowSec = input.timestampWindowSec ?? DEFAULT_TIMESTAMP_WINDOW_SEC;\n const nowDate = input.now ? new Date(input.now()) : new Date();\n\n let payload: JWTPayload;\n try {\n const result = await jwtVerify(jws, jwks, {\n issuer: SIGNATURE_ISSUER,\n audience: SIGNATURE_AUDIENCE,\n clockTolerance: `${windowSec}s`,\n currentDate: nowDate,\n });\n payload = result.payload;\n } catch (e) {\n if (e instanceof joseErrors.JWTExpired) {\n return { ok: false, reason: \"expired\" };\n }\n if (e instanceof joseErrors.JWTClaimValidationFailed) {\n const claim = (e as { claim?: string }).claim;\n if (claim === \"iss\") return { ok: false, reason: \"issuer_mismatch\" };\n if (claim === \"aud\") return { ok: false, reason: \"audience_mismatch\" };\n if (claim === \"iat\" || claim === \"exp\")\n return { ok: false, reason: \"timestamp_out_of_window\" };\n return { ok: false, reason: \"invalid_signature\" };\n }\n if (\n e instanceof joseErrors.JWSSignatureVerificationFailed ||\n e instanceof joseErrors.JWSInvalid ||\n e instanceof joseErrors.JWTInvalid\n ) {\n return { ok: false, reason: \"invalid_signature\" };\n }\n if ((e as { code?: string }).code?.startsWith?.(\"ERR_JWKS\")) {\n return { ok: false, reason: \"jwks_fetch_failed\" };\n }\n // 디버그: tests 에서 internal_error 가 나오면 console 에 noise 가 도움.\n if (process.env.VERIFY_DEBUG) {\n // eslint-disable-next-line no-console\n console.warn(\"[verifyRootTaleWebhook] unexpected error:\", e);\n }\n return { ok: false, reason: \"internal_error\" };\n }\n\n const claimSiteId = payload.site_id;\n if (typeof claimSiteId !== \"string\" || claimSiteId !== input.expectedSiteId) {\n return { ok: false, reason: \"site_id_mismatch\" };\n }\n\n const claimBodyHash = payload.body_sha256;\n if (typeof claimBodyHash !== \"string\") {\n return { ok: false, reason: \"body_hash_mismatch\" };\n }\n const actualBodyHash = await sha256Base64Url(input.rawBody);\n if (claimBodyHash !== actualBodyHash) {\n return { ok: false, reason: \"body_hash_mismatch\" };\n }\n\n if (input.consumeJti && typeof payload.jti === \"string\") {\n const seen = await input.consumeJti(\n payload.jti,\n typeof payload.exp === \"number\" ? payload.exp : 0,\n );\n if (seen === \"seen\") return { ok: false, reason: \"replay_seen\" };\n }\n\n return {\n ok: true,\n deliveryId: typeof payload.jti === \"string\" ? payload.jti : \"\",\n siteId: claimSiteId,\n event: typeof payload.event === \"string\" ? payload.event : \"\",\n bodyHash: claimBodyHash,\n payload,\n };\n}\n\n// ── re-export type for caller convenience ───────────────────────────────────\nexport type { JWTPayload };\n"],"mappings":";AAmCA;AAAA,EAGE;AAAA,EACA;AAAA,EACA,UAAU;AAAA,EACV;AAAA,OACK;AAEA,IAAM,mBACX;AACF,IAAM,+BAA+B;AACrC,IAAM,mBAAmB;AACzB,IAAM,qBAAqB;AA+D3B,IAAM,eAAe,oBAAI,IAA0B;AAEnD,SAAS,WAAW,SAA+B;AACjD,MAAI,SAAS,aAAa,IAAI,OAAO;AACrC,MAAI,CAAC,QAAQ;AACX,aAAS,mBAAmB,IAAI,IAAI,OAAO,GAAG;AAAA,MAC5C,aAAa,KAAK,KAAK;AAAA;AAAA,MACvB,kBAAkB,KAAK;AAAA;AAAA,MACvB,iBAAiB;AAAA,IACnB,CAAC;AACD,iBAAa,IAAI,SAAS,MAAM;AAAA,EAClC;AACA,SAAO;AACT;AAOO,SAAS,yBACd,SACA,MACM;AACN,eAAa,IAAI,SAAS,kBAAkB,IAAI,CAAiB;AACnE;AAIA,SAAS,WACP,SACA,MACe;AACf,MAAI,OAAQ,QAAoB,QAAQ,YAAY;AAClD,UAAM,IAAK,QAAoB,IAAI,IAAI;AACvC,WAAO,KAAK;AAAA,EACd;AACA,QAAM,OAAO;AACb,QAAM,SAAS,KAAK,IAAI;AACxB,MAAI,OAAO,WAAW,SAAU,QAAO;AACvC,aAAW,KAAK,OAAO,KAAK,IAAI,GAAG;AACjC,QAAI,EAAE,YAAY,MAAM,MAAM;AAC5B,YAAM,IAAI,KAAK,CAAC;AAChB,UAAI,OAAO,MAAM,SAAU,QAAO;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,iBAAiB,OAA2B;AACnD,MAAI,IAAI;AACR,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,IAAK,MAAK,OAAO,aAAa,MAAM,CAAC,CAAC;AACxE,QAAM,MACJ,OAAO,SAAS,aAAa,KAAK,CAAC,IAAI,OAAO,KAAK,GAAG,QAAQ,EAAE,SAAS,QAAQ;AACnF,SAAO,IAAI,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AACtE;AAEA,eAAe,gBAAgB,OAAgC;AAC7D,QAAM,MAAM,IAAI,YAAY;AAC5B,QAAM,OAAO,IAAI,OAAO,KAAK;AAC7B,QAAM,UAAU,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AAC1D,SAAO,iBAAiB,IAAI,WAAW,OAAO,CAAC;AACjD;AAIA,eAAsB,sBACpB,OACsC;AACtC,MAAI,CAAC,MAAM,gBAAgB;AACzB,WAAO,EAAE,IAAI,OAAO,QAAQ,kBAAkB;AAAA,EAChD;AACA,QAAM,MAAM,WAAW,MAAM,SAAS,sBAAsB;AAC5D,MAAI,CAAC,IAAK,QAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAE1D,QAAM,UAAU,MAAM,WAAW;AACjC,QAAM,OAAO,WAAW,OAAO;AAI/B,QAAM,YAAY,MAAM,sBAAsB;AAC9C,QAAM,UAAU,MAAM,MAAM,IAAI,KAAK,MAAM,IAAI,CAAC,IAAI,oBAAI,KAAK;AAE7D,MAAI;AACJ,MAAI;AACF,UAAM,SAAS,MAAM,UAAU,KAAK,MAAM;AAAA,MACxC,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,gBAAgB,GAAG,SAAS;AAAA,MAC5B,aAAa;AAAA,IACf,CAAC;AACD,cAAU,OAAO;AAAA,EACnB,SAAS,GAAG;AACV,QAAI,aAAa,WAAW,YAAY;AACtC,aAAO,EAAE,IAAI,OAAO,QAAQ,UAAU;AAAA,IACxC;AACA,QAAI,aAAa,WAAW,0BAA0B;AACpD,YAAM,QAAS,EAAyB;AACxC,UAAI,UAAU,MAAO,QAAO,EAAE,IAAI,OAAO,QAAQ,kBAAkB;AACnE,UAAI,UAAU,MAAO,QAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AACrE,UAAI,UAAU,SAAS,UAAU;AAC/B,eAAO,EAAE,IAAI,OAAO,QAAQ,0BAA0B;AACxD,aAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,IAClD;AACA,QACE,aAAa,WAAW,kCACxB,aAAa,WAAW,cACxB,aAAa,WAAW,YACxB;AACA,aAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,IAClD;AACA,QAAK,EAAwB,MAAM,aAAa,UAAU,GAAG;AAC3D,aAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,IAClD;AAEA,QAAI,QAAQ,IAAI,cAAc;AAE5B,cAAQ,KAAK,6CAA6C,CAAC;AAAA,IAC7D;AACA,WAAO,EAAE,IAAI,OAAO,QAAQ,iBAAiB;AAAA,EAC/C;AAEA,QAAM,cAAc,QAAQ;AAC5B,MAAI,OAAO,gBAAgB,YAAY,gBAAgB,MAAM,gBAAgB;AAC3E,WAAO,EAAE,IAAI,OAAO,QAAQ,mBAAmB;AAAA,EACjD;AAEA,QAAM,gBAAgB,QAAQ;AAC9B,MAAI,OAAO,kBAAkB,UAAU;AACrC,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AACA,QAAM,iBAAiB,MAAM,gBAAgB,MAAM,OAAO;AAC1D,MAAI,kBAAkB,gBAAgB;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AAEA,MAAI,MAAM,cAAc,OAAO,QAAQ,QAAQ,UAAU;AACvD,UAAM,OAAO,MAAM,MAAM;AAAA,MACvB,QAAQ;AAAA,MACR,OAAO,QAAQ,QAAQ,WAAW,QAAQ,MAAM;AAAA,IAClD;AACA,QAAI,SAAS,OAAQ,QAAO,EAAE,IAAI,OAAO,QAAQ,cAAc;AAAA,EACjE;AAEA,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,YAAY,OAAO,QAAQ,QAAQ,WAAW,QAAQ,MAAM;AAAA,IAC5D,QAAQ;AAAA,IACR,OAAO,OAAO,QAAQ,UAAU,WAAW,QAAQ,QAAQ;AAAA,IAC3D,UAAU;AAAA,IACV;AAAA,EACF;AACF;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@roottale/cms-client",
-  "version": "0.2.0",
+  "version": "0.5.0",
   "type": "module",
   "description": "RootTale CMS Public API server-side fetch client (Bearer rtlk_cust_* auth). SSR-only — refuses to run in the browser to prevent key leak (ADR-0023 §5.1 #15). Pairs with @roottale/cms-renderer-next / @roottale/cms-renderer-astro.",
   "main": "./dist/server.js",
@@ -11,6 +11,11 @@
       "import": "./dist/server.js",
       "default": "./dist/server.js"
     },
+    "./webhook": {
+      "types": "./dist/webhook.d.ts",
+      "import": "./dist/webhook.js",
+      "default": "./dist/webhook.js"
+    },
     "./package.json": "./package.json"
   },
   "files": [
@@ -18,11 +23,14 @@
     "README.md",
     "CHANGELOG.md"
   ],
-  "dependencies": {},
+  "dependencies": {
+    "jose": "^5.10.0"
+  },
   "devDependencies": {
     "@types/node": "^22.0.0",
     "typescript": "^5.7.0",
-    "vitest": "^2.1.0"
+    "vitest": "^2.1.0",
+    "@roottale/cms-webhooks": "0.0.1"
   },
   "publishConfig": {
     "access": "public"