@sentroy-co/client-sdk 2.9.0 → 2.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AGENTS.md +60 -0
- package/README.md +20 -1
- package/dist/vault/index.d.ts +60 -0
- package/dist/vault/index.d.ts.map +1 -1
- package/dist/vault/index.js +116 -0
- package/dist/vault/index.js.map +1 -1
- package/package.json +1 -1
- package/src/vault/index.ts +160 -0
package/AGENTS.md
CHANGED
|
@@ -767,6 +767,21 @@ function ConfigPanel() {
|
|
|
767
767
|
| `apiKey` | `string` | `process.env.NEXT_PUBLIC_SENTROY_ENV_API_KEY` | Bearer token for browser polling |
|
|
768
768
|
| `refreshIntervalMs` | `number` | `300000` (5 min) | `0` to disable polling |
|
|
769
769
|
|
|
770
|
+
### Migration helper: `getEnvWithFallback(key)`
|
|
771
|
+
|
|
772
|
+
For codebases moving from `process.env` to vault gradually, use `getEnvWithFallback` — it tries vault first, falls back to `process.env[key]` on cache miss / fetch failure / missing token. The point is *zero downtime*: deploy the code change before populating the vault, and nothing breaks; fill the vault later, and the same code starts reading from there.
|
|
773
|
+
|
|
774
|
+
```ts
|
|
775
|
+
import { getEnvWithFallback } from "@sentroy-co/client-sdk/vault"
|
|
776
|
+
|
|
777
|
+
// Old: process.env.STRIPE_SECRET_KEY
|
|
778
|
+
const stripeKey = await getEnvWithFallback("STRIPE_SECRET_KEY")
|
|
779
|
+
```
|
|
780
|
+
|
|
781
|
+
After the value is in the vault and you've verified it's being read, swap the call to `getEnv` (or `getEnvOrThrow`) so a future `process.env` re-introduction doesn't silently shadow the vault value.
|
|
782
|
+
|
|
783
|
+
Bootstrap path (no `SENTROY_ENV_API_KEY` set) skips the fetch entirely and goes straight to `process.env` — so an app deployed without vault credentials still boots and reads its envs the legacy way. This is intentional: the vault is opt-in, not a hard requirement.
|
|
784
|
+
|
|
770
785
|
### Security notes
|
|
771
786
|
|
|
772
787
|
- `useEnv()` only ever returns variables marked `public: true` in the dashboard. Server-only secrets stay server-side.
|
|
@@ -774,6 +789,51 @@ function ConfigPanel() {
|
|
|
774
789
|
- The bootstrap token is per-(project, environment). A `prod` token cannot read `staging` and vice versa.
|
|
775
790
|
- Variable values are AES-256-GCM encrypted at rest in the Sentroy vault DB. Decryption happens server-side just before the fetch endpoint streams the response.
|
|
776
791
|
|
|
792
|
+
### Webhooks (`createVaultWebhookHandler`)
|
|
793
|
+
|
|
794
|
+
Variable changes can push directly to your app instead of waiting on the 5-min cache TTL. Configure a webhook in the dashboard under a project's **Webhooks** tab — Sentroy will POST to your URL on every `variable.create | variable.update | variable.delete`.
|
|
795
|
+
|
|
796
|
+
```ts
|
|
797
|
+
// app/api/sentroy/vault-webhook/route.ts
|
|
798
|
+
import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
|
|
799
|
+
|
|
800
|
+
export const POST = createVaultWebhookHandler({
|
|
801
|
+
secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
|
|
802
|
+
// optional — default behaviour: await refreshEnvCache()
|
|
803
|
+
async onChange(payload) {
|
|
804
|
+
console.log("vault changed", payload.action, payload.keys)
|
|
805
|
+
// your invalidation logic, then:
|
|
806
|
+
await refreshEnvCache()
|
|
807
|
+
},
|
|
808
|
+
// optional — replay-window check, default 5 min
|
|
809
|
+
maxAgeMs: 5 * 60 * 1000,
|
|
810
|
+
})
|
|
811
|
+
```
|
|
812
|
+
|
|
813
|
+
Payload (signed):
|
|
814
|
+
```json
|
|
815
|
+
{
|
|
816
|
+
"event": "vault.variable.changed",
|
|
817
|
+
"project": "<projectId>",
|
|
818
|
+
"environment": "prod",
|
|
819
|
+
"action": "create" | "update" | "delete",
|
|
820
|
+
"keys": ["DATABASE_URL", "..."],
|
|
821
|
+
"timestamp": 1731430000000
|
|
822
|
+
}
|
|
823
|
+
```
|
|
824
|
+
|
|
825
|
+
Headers Sentroy sends: `X-Sentroy-Signature: sha256=<hex>` (HMAC over the raw body), `X-Sentroy-Event: vault.variable.changed`, `X-Sentroy-Webhook-Id: <id>`.
|
|
826
|
+
|
|
827
|
+
The handler returns:
|
|
828
|
+
- `200` with `{ ok: true }` after a verified signature + completed `onChange`
|
|
829
|
+
- `401` for missing/malformed/invalid signature, or timestamp outside the replay window
|
|
830
|
+
- `400` for an invalid JSON body
|
|
831
|
+
- `500` if `onChange` throws
|
|
832
|
+
|
|
833
|
+
Delivery is fire-and-forget on the Sentroy side with a 5 sec timeout; the dashboard records the last delivery's status + error string per webhook for visibility. Failed deliveries are not auto-retried (admin can flip the enabled toggle to retry manually by re-saving a variable, or we'll add a "resend" button later).
|
|
834
|
+
|
|
835
|
+
The vault webhook secret namespace is `whsec_*` — distinct from access tokens (`stk_*` / `stk_env_*`).
|
|
836
|
+
|
|
777
837
|
### CLI (`sentroy env ...`)
|
|
778
838
|
|
|
779
839
|
The package ships a `sentroy` binary. After `npm install` (or `npm install -g`) it's available on `PATH`; `npx sentroy ...` works without a global install.
|
package/README.md
CHANGED
|
@@ -84,11 +84,15 @@ Manage your env vars in the dashboard at [vault.sentroy.com](https://vault.sentr
|
|
|
84
84
|
|
|
85
85
|
```ts
|
|
86
86
|
// server side
|
|
87
|
-
import { getEnv, getEnvOrThrow, preloadEnv } from "@sentroy-co/client-sdk/vault"
|
|
87
|
+
import { getEnv, getEnvOrThrow, getEnvWithFallback, preloadEnv } from "@sentroy-co/client-sdk/vault"
|
|
88
88
|
|
|
89
89
|
await preloadEnv() // optional fail-fast at boot
|
|
90
90
|
const dbUrl = await getEnv("DATABASE_URL")
|
|
91
91
|
const turnstile = await getEnvOrThrow("BETTER_AUTH_TURNSTILE_SECRET")
|
|
92
|
+
|
|
93
|
+
// Migration helper — vault'tan oku, yoksa process.env fallback.
|
|
94
|
+
// Sentroy app'lerini kademeli olarak migrate ederken kullanışlı.
|
|
95
|
+
const stripe = await getEnvWithFallback("STRIPE_SECRET_KEY")
|
|
92
96
|
```
|
|
93
97
|
|
|
94
98
|
```tsx
|
|
@@ -106,6 +110,21 @@ const siteKey = useEnv("TURNSTILE_SITE_KEY")
|
|
|
106
110
|
|
|
107
111
|
Bootstrap is a single env: `SENTROY_ENV_API_KEY`. Public/private split is enforced server-side — the React hook only ever sees `public: true` variables. Full reference at [docs.sentroy.com/env-vault](https://docs.sentroy.com/env-vault).
|
|
108
112
|
|
|
113
|
+
### Webhooks (real-time invalidation)
|
|
114
|
+
|
|
115
|
+
Skip the 5-min cache TTL — point the vault at your app and it'll POST whenever any variable changes. The default handler verifies the HMAC-SHA256 signature and refreshes the cache:
|
|
116
|
+
|
|
117
|
+
```ts
|
|
118
|
+
// app/api/sentroy/vault-webhook/route.ts
|
|
119
|
+
import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
|
|
120
|
+
|
|
121
|
+
export const POST = createVaultWebhookHandler({
|
|
122
|
+
secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
|
|
123
|
+
})
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
Configure the receiver URL in the vault dashboard under the project's **Webhooks** tab; the secret comes back once at create-time. Provide your own `onChange` handler for custom logic.
|
|
127
|
+
|
|
109
128
|
### CLI
|
|
110
129
|
|
|
111
130
|
The package ships a `sentroy` CLI for syncing local `.env` files to the vault — useful for build pipelines and onboarding.
|
package/dist/vault/index.d.ts
CHANGED
|
@@ -65,9 +65,69 @@ export declare function preloadEnv(): Promise<void>;
|
|
|
65
65
|
export declare function getEnv(key: string): Promise<string | undefined>;
|
|
66
66
|
/** Eksik env'i hemen patlatır — config-validation pattern'inde kullanışlı. */
|
|
67
67
|
export declare function getEnvOrThrow(key: string): Promise<string>;
|
|
68
|
+
/**
|
|
69
|
+
* Migration helper — vault'tan oku, yoksa `process.env` fallback.
|
|
70
|
+
*
|
|
71
|
+
* Sentroy app'lerini kademeli olarak `process.env` → vault'a çevirirken
|
|
72
|
+
* "her ikisi de çalışsın" senaryosu için. Vault doldurulmamış / token
|
|
73
|
+
* eksik / fetch fail dönerse sessizce `process.env[key]`'e döner — eski
|
|
74
|
+
* deploy ile yeni kod bir arada çalışabilir.
|
|
75
|
+
*
|
|
76
|
+
* **Migration tamamlandıktan sonra** çağrı sitelerini `getEnv()` ya da
|
|
77
|
+
* `getEnvOrThrow()`'a çevir; fallback'i bırakmak silently process.env
|
|
78
|
+
* sızıntısı riskini taşır (kullanıcı vault'tan key'i sildi sansa bile
|
|
79
|
+
* eski process.env değeri etkili olur).
|
|
80
|
+
*
|
|
81
|
+
* Bootstrap path için (`SENTROY_ENV_API_KEY` set değil) doğrudan
|
|
82
|
+
* `process.env`'e döner — vault fetch denemez. Bu önemli: Sentroy app'i
|
|
83
|
+
* vault'sız boot edilebilir.
|
|
84
|
+
*/
|
|
85
|
+
export declare function getEnvWithFallback(key: string): Promise<string | undefined>;
|
|
68
86
|
/** Tüm env'leri map olarak döner (dump için kullanışlı). */
|
|
69
87
|
export declare function getAllEnvs(): Promise<Record<string, string>>;
|
|
70
88
|
/** Sadece public (`public: true`) env'ler — SSR helper için. */
|
|
71
89
|
export declare function getPublicEnvs(): Promise<Record<string, string>>;
|
|
90
|
+
export interface VaultWebhookPayload {
|
|
91
|
+
event: "vault.variable.changed";
|
|
92
|
+
project: string;
|
|
93
|
+
environment: string;
|
|
94
|
+
action: "create" | "update" | "delete";
|
|
95
|
+
/** Etkilenen key'ler — bulk push'ta birden fazla. */
|
|
96
|
+
keys: string[];
|
|
97
|
+
/** Unix ms. */
|
|
98
|
+
timestamp: number;
|
|
99
|
+
}
|
|
100
|
+
export interface CreateVaultWebhookHandlerOptions {
|
|
101
|
+
/**
|
|
102
|
+
* Sentroy vault dashboard'dan aldığın webhook secret (`whsec_...`).
|
|
103
|
+
* Receiver bu secret'la HMAC-SHA256 imzayı doğrular; hatalıysa 401 döner.
|
|
104
|
+
*/
|
|
105
|
+
secret: string;
|
|
106
|
+
/**
|
|
107
|
+
* Imzayı doğruladıktan sonra çağrılır. Default davranış:
|
|
108
|
+
* `await refreshEnvCache()` — bir sonraki getEnv() taze değerleri çeker.
|
|
109
|
+
* Custom logic için override et (örn. tek bir key'i targeted invalidate).
|
|
110
|
+
*/
|
|
111
|
+
onChange?: (payload: VaultWebhookPayload) => Promise<void> | void;
|
|
112
|
+
/**
|
|
113
|
+
* Replay attack'lere karşı body'nin timestamp'i ile şu an arasındaki
|
|
114
|
+
* maksimum tolerans (ms). Default 5 dk. Sıfır ise check kapalı.
|
|
115
|
+
*/
|
|
116
|
+
maxAgeMs?: number;
|
|
117
|
+
}
|
|
118
|
+
/**
|
|
119
|
+
* Bir Sentroy vault webhook receiver'ı için Request → Response handler
|
|
120
|
+
* üretir. Next.js App Router'da:
|
|
121
|
+
*
|
|
122
|
+
* // app/api/sentroy/vault-webhook/route.ts
|
|
123
|
+
* import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
|
|
124
|
+
* export const POST = createVaultWebhookHandler({
|
|
125
|
+
* secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
|
|
126
|
+
* })
|
|
127
|
+
*
|
|
128
|
+
* Default davranış: imza doğruysa cache'i invalidate eder ve 200 döner.
|
|
129
|
+
* Hatalı/eksik imza → 401, eski timestamp → 401, body parse hatası → 400.
|
|
130
|
+
*/
|
|
131
|
+
export declare function createVaultWebhookHandler(options: CreateVaultWebhookHandlerOptions): (request: Request) => Promise<Response>;
|
|
72
132
|
export {};
|
|
73
133
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;CACpB;AAKD,UAAU,aAAa;IACrB,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAcD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CAYpE;AAED,8EAA8E;AAC9E,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEpD;AAED,8EAA8E;AAC9E,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAGrD;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAEhD;AA6DD;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAGrE;AAED,8EAA8E;AAC9E,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQhE;AAED,4DAA4D;AAC5D,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAKlE;AAED,gEAAgE;AAChE,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAOrE"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;CACpB;AAKD,UAAU,aAAa;IACrB,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAcD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CAYpE;AAED,8EAA8E;AAC9E,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEpD;AAED,8EAA8E;AAC9E,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAGrD;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAEhD;AA6DD;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAGrE;AAED,8EAA8E;AAC9E,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQhE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAW7B;AAED,4DAA4D;AAC5D,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAKlE;AAED,gEAAgE;AAChE,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAOrE;AAID,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,wBAAwB,CAAA;IAC/B,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAA;IACtC,qDAAqD;IACrD,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,eAAe;IACf,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,gCAAgC;IAC/C;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;IACjE;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AA8BD;;;;;;;;;;;;GAYG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,gCAAgC,GACxC,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAmDzC"}
|
package/dist/vault/index.js
CHANGED
|
@@ -32,8 +32,10 @@ exports.refreshEnvCache = refreshEnvCache;
|
|
|
32
32
|
exports.preloadEnv = preloadEnv;
|
|
33
33
|
exports.getEnv = getEnv;
|
|
34
34
|
exports.getEnvOrThrow = getEnvOrThrow;
|
|
35
|
+
exports.getEnvWithFallback = getEnvWithFallback;
|
|
35
36
|
exports.getAllEnvs = getAllEnvs;
|
|
36
37
|
exports.getPublicEnvs = getPublicEnvs;
|
|
38
|
+
exports.createVaultWebhookHandler = createVaultWebhookHandler;
|
|
37
39
|
const DEFAULT_TTL_MS = 5 * 60 * 1000;
|
|
38
40
|
const DEFAULT_BASE_URL = "https://sentroy.com";
|
|
39
41
|
let resolvedBaseUrl = DEFAULT_BASE_URL;
|
|
@@ -148,6 +150,38 @@ async function getEnvOrThrow(key) {
|
|
|
148
150
|
}
|
|
149
151
|
return v;
|
|
150
152
|
}
|
|
153
|
+
/**
|
|
154
|
+
* Migration helper — vault'tan oku, yoksa `process.env` fallback.
|
|
155
|
+
*
|
|
156
|
+
* Sentroy app'lerini kademeli olarak `process.env` → vault'a çevirirken
|
|
157
|
+
* "her ikisi de çalışsın" senaryosu için. Vault doldurulmamış / token
|
|
158
|
+
* eksik / fetch fail dönerse sessizce `process.env[key]`'e döner — eski
|
|
159
|
+
* deploy ile yeni kod bir arada çalışabilir.
|
|
160
|
+
*
|
|
161
|
+
* **Migration tamamlandıktan sonra** çağrı sitelerini `getEnv()` ya da
|
|
162
|
+
* `getEnvOrThrow()`'a çevir; fallback'i bırakmak silently process.env
|
|
163
|
+
* sızıntısı riskini taşır (kullanıcı vault'tan key'i sildi sansa bile
|
|
164
|
+
* eski process.env değeri etkili olur).
|
|
165
|
+
*
|
|
166
|
+
* Bootstrap path için (`SENTROY_ENV_API_KEY` set değil) doğrudan
|
|
167
|
+
* `process.env`'e döner — vault fetch denemez. Bu önemli: Sentroy app'i
|
|
168
|
+
* vault'sız boot edilebilir.
|
|
169
|
+
*/
|
|
170
|
+
async function getEnvWithFallback(key) {
|
|
171
|
+
// Token yoksa bypass — vault fetch denemeyelim, log spam etmeyelim.
|
|
172
|
+
const apiKey = resolvedApiKey ?? readEnv("SENTROY_ENV_API_KEY");
|
|
173
|
+
if (!apiKey)
|
|
174
|
+
return readEnv(key);
|
|
175
|
+
try {
|
|
176
|
+
const v = await getEnv(key);
|
|
177
|
+
if (v !== undefined)
|
|
178
|
+
return v;
|
|
179
|
+
}
|
|
180
|
+
catch {
|
|
181
|
+
// Fetch fail / network down / 401 → sessizce fallback
|
|
182
|
+
}
|
|
183
|
+
return readEnv(key);
|
|
184
|
+
}
|
|
151
185
|
/** Tüm env'leri map olarak döner (dump için kullanışlı). */
|
|
152
186
|
async function getAllEnvs() {
|
|
153
187
|
const c = await ensureCache();
|
|
@@ -166,4 +200,86 @@ async function getPublicEnvs() {
|
|
|
166
200
|
}
|
|
167
201
|
return out;
|
|
168
202
|
}
|
|
203
|
+
const DEFAULT_MAX_AGE_MS = 5 * 60 * 1000;
|
|
204
|
+
async function timingSafeEqualHex(a, b) {
|
|
205
|
+
if (a.length !== b.length)
|
|
206
|
+
return false;
|
|
207
|
+
let diff = 0;
|
|
208
|
+
for (let i = 0; i < a.length; i++) {
|
|
209
|
+
diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
|
|
210
|
+
}
|
|
211
|
+
return diff === 0;
|
|
212
|
+
}
|
|
213
|
+
async function hmacSha256Hex(secret, body) {
|
|
214
|
+
// Web Crypto — Node 18+ + browser ikisi de destekler.
|
|
215
|
+
const encoder = new TextEncoder();
|
|
216
|
+
const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
|
|
217
|
+
const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(body));
|
|
218
|
+
const bytes = new Uint8Array(sig);
|
|
219
|
+
let hex = "";
|
|
220
|
+
for (const b of bytes)
|
|
221
|
+
hex += b.toString(16).padStart(2, "0");
|
|
222
|
+
return hex;
|
|
223
|
+
}
|
|
224
|
+
/**
|
|
225
|
+
* Bir Sentroy vault webhook receiver'ı için Request → Response handler
|
|
226
|
+
* üretir. Next.js App Router'da:
|
|
227
|
+
*
|
|
228
|
+
* // app/api/sentroy/vault-webhook/route.ts
|
|
229
|
+
* import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
|
|
230
|
+
* export const POST = createVaultWebhookHandler({
|
|
231
|
+
* secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
|
|
232
|
+
* })
|
|
233
|
+
*
|
|
234
|
+
* Default davranış: imza doğruysa cache'i invalidate eder ve 200 döner.
|
|
235
|
+
* Hatalı/eksik imza → 401, eski timestamp → 401, body parse hatası → 400.
|
|
236
|
+
*/
|
|
237
|
+
function createVaultWebhookHandler(options) {
|
|
238
|
+
const maxAgeMs = options.maxAgeMs ?? DEFAULT_MAX_AGE_MS;
|
|
239
|
+
return async (request) => {
|
|
240
|
+
const sigHeader = request.headers.get("x-sentroy-signature") || "";
|
|
241
|
+
const match = sigHeader.match(/^sha256=([a-f0-9]+)$/i);
|
|
242
|
+
if (!match) {
|
|
243
|
+
return new Response("missing or malformed X-Sentroy-Signature header", {
|
|
244
|
+
status: 401,
|
|
245
|
+
});
|
|
246
|
+
}
|
|
247
|
+
const providedSig = match[1].toLowerCase();
|
|
248
|
+
const body = await request.text();
|
|
249
|
+
const expected = await hmacSha256Hex(options.secret, body);
|
|
250
|
+
if (!(await timingSafeEqualHex(providedSig, expected))) {
|
|
251
|
+
return new Response("signature mismatch", { status: 401 });
|
|
252
|
+
}
|
|
253
|
+
let payload;
|
|
254
|
+
try {
|
|
255
|
+
payload = JSON.parse(body);
|
|
256
|
+
}
|
|
257
|
+
catch {
|
|
258
|
+
return new Response("invalid JSON body", { status: 400 });
|
|
259
|
+
}
|
|
260
|
+
if (maxAgeMs > 0) {
|
|
261
|
+
const age = Date.now() - (payload.timestamp ?? 0);
|
|
262
|
+
if (!Number.isFinite(age) || age < 0 || age > maxAgeMs) {
|
|
263
|
+
return new Response("payload timestamp outside acceptable window", {
|
|
264
|
+
status: 401,
|
|
265
|
+
});
|
|
266
|
+
}
|
|
267
|
+
}
|
|
268
|
+
try {
|
|
269
|
+
if (options.onChange) {
|
|
270
|
+
await options.onChange(payload);
|
|
271
|
+
}
|
|
272
|
+
else {
|
|
273
|
+
await refreshEnvCache();
|
|
274
|
+
}
|
|
275
|
+
}
|
|
276
|
+
catch (err) {
|
|
277
|
+
return new Response(`handler error: ${err instanceof Error ? err.message : String(err)}`, { status: 500 });
|
|
278
|
+
}
|
|
279
|
+
return new Response(JSON.stringify({ ok: true }), {
|
|
280
|
+
status: 200,
|
|
281
|
+
headers: { "Content-Type": "application/json" },
|
|
282
|
+
});
|
|
283
|
+
};
|
|
284
|
+
}
|
|
169
285
|
//# sourceMappingURL=index.js.map
|
package/dist/vault/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;AA8CH,gDAYC;AAGD,wCAEC;AAGD,0CAGC;AAGD,gCAEC;AAkED,wBAGC;AAGD,sCAQC;AAGD,gCAKC;AAGD,sCAOC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;AA8CH,gDAYC;AAGD,wCAEC;AAGD,0CAGC;AAGD,gCAEC;AAkED,wBAGC;AAGD,sCAQC;AAmBD,gDAaC;AAGD,gCAKC;AAGD,sCAOC;AA2ED,8DAqDC;AA5TD,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AACpC,MAAM,gBAAgB,GAAG,qBAAqB,CAAA;AAa9C,IAAI,eAAe,GAAG,gBAAgB,CAAA;AACtC,IAAI,cAAkC,CAAA;AACtC,IAAI,UAAU,GAAG,cAAc,CAAA;AAC/B,IAAI,cAAc,GAAG,IAAI,CAAA;AACzB,IAAI,KAAK,GAAyB,IAAI,CAAA;AACtC,IAAI,cAAc,GAAyB,IAAI,CAAA;AAE/C,SAAS,OAAO,CAAC,IAAY;IAC3B,IAAI,OAAO,OAAO,KAAK,WAAW;QAAE,OAAO,SAAS,CAAA;IACpD,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;AAC5B,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,UAAyB,EAAE;IAC5D,IAAI,OAAO,CAAC,OAAO;QAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;;QAExE,eAAe,GAAG,CAChB,OAAO,CAAC,iCAAiC,CAAC;YAC1C,OAAO,CAAC,qBAAqB,CAAC;YAC9B,OAAO,CAAC,0BAA0B,CAAC;YACnC,gBAAgB,CACjB,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACvB,cAAc,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAA;IACjE,IAAI,OAAO,CAAC,UAAU;QAAE,UAAU,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAA;IAC9D,IAAI,OAAO,CAAC,SAAS;QAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAA;AAC3D,CAAC;AAED,8EAA8E;AAC9E,SAAgB,cAAc,CAAC,OAAe;IAC5C,UAAU,GAAG,OAAO,GAAG,IAAI,CAAA;AAC7B,CAAC;AAED,8EAA8E;AACvE,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,IAAI,CAAA;IACZ,MAAM,WAAW,EAAE,CAAA;AACrB,CAAC;AAED,2EAA2E;AACpE,KAAK,UAAU,UAAU;IAC9B,MAAM,WAAW,EAAE,CAAA;AACrB,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,iEAAiE;QACjE,kBAAkB,EAAE,CAAA;IACtB,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,gEAAgE;YAC9D,2FAA2F,CAC9F,CAAA;IACH,CAAC;IACD,MAAM,GAAG,GAAG,GAAG,eAAe,sBAAsB,CAAA;IACpD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,cAAc,EAAE,EAAE;QACtD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,cAAc,CAAC;QAC3C,KAAK,EAAE,UAAU;KAClB,CAAC,CAAA;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,2BAA2B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,SAAS,GAAG,GAAG,CACvE,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;IACD,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACtE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAA;IAC1C,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;IACtD,OAAO;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,GAAG;QACd,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO;QAC1B,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;KACnC,CAAA;AACH,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,IAAI,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,UAAU;QAAE,OAAO,KAAK,CAAA;IAC7D,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,cAAc,CAAA;QACpB,IAAI,KAAK;YAAE,OAAO,KAAK,CAAA;IACzB,CAAC;IACD,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,cAAc,EAAE,CAAA;QAChC,CAAC;gBAAS,CAAC;YACT,cAAc,GAAG,IAAI,CAAA;QACvB,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;IACJ,MAAM,cAAc,CAAA;IACpB,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;IAC9D,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,MAAM,CAAC,GAAW;IACtC,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,OAAO,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,CAAA;AACpC,CAAC;AAED,8EAA8E;AACvE,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,4BAA4B,KAAK,EAAE,OAAO,IAAI,GAAG,SAAS,KAAK,EAAE,WAAW,IAAI,GAAG,GAAG,CAC1H,CAAA;IACH,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,kBAAkB,CACtC,GAAW;IAEX,oEAAoE;IACpE,MAAM,MAAM,GAAG,cAAc,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAA;IAC/D,IAAI,CAAC,MAAM;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAA;IAChC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,CAAC,KAAK,SAAS;YAAE,OAAO,CAAC,CAAA;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;IACxD,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAA;AACrB,CAAC;AAED,4DAA4D;AACrD,KAAK,UAAU,UAAU;IAC9B,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAA;IAClD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,gEAAgE;AACzD,KAAK,UAAU,aAAa;IACjC,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC,CAAC,MAAM;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAA;IAChC,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAkCD,MAAM,kBAAkB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AAExC,KAAK,UAAU,kBAAkB,CAAC,CAAS,EAAE,CAAS;IACpD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACvC,IAAI,IAAI,GAAG,CAAC,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IAC3C,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAA;AACnB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAc,EAAE,IAAY;IACvD,sDAAsD;IACtD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EACtB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;IACD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;IACvE,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC7D,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,yBAAyB,CACvC,OAAyC;IAEzC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,kBAAkB,CAAA;IACvD,OAAO,KAAK,EAAE,OAAgB,EAAE,EAAE;QAChC,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAA;QAClE,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAA;QACtD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,QAAQ,CAAC,iDAAiD,EAAE;gBACrE,MAAM,EAAE,GAAG;aACZ,CAAC,CAAA;QACJ,CAAC;QACD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAA;QAC1C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAA;QACjC,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;QAC1D,IAAI,CAAC,CAAC,MAAM,kBAAkB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,EAAE,CAAC;YACvD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC5D,CAAC;QAED,IAAI,OAA4B,CAAA;QAChC,IAAI,CAAC;YACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAwB,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,QAAQ,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;YACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC,CAAA;YACjD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;gBACvD,OAAO,IAAI,QAAQ,CAAC,6CAA6C,EAAE;oBACjE,MAAM,EAAE,GAAG;iBACZ,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;YACjC,CAAC;iBAAM,CAAC;gBACN,MAAM,eAAe,EAAE,CAAA;YACzB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,QAAQ,CACjB,kBAAkB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACpE,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAA;QACH,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE;YAChD,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;SAChD,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}
|
package/package.json
CHANGED
package/src/vault/index.ts
CHANGED
|
@@ -179,6 +179,38 @@ export async function getEnvOrThrow(key: string): Promise<string> {
|
|
|
179
179
|
return v
|
|
180
180
|
}
|
|
181
181
|
|
|
182
|
+
/**
|
|
183
|
+
* Migration helper — vault'tan oku, yoksa `process.env` fallback.
|
|
184
|
+
*
|
|
185
|
+
* Sentroy app'lerini kademeli olarak `process.env` → vault'a çevirirken
|
|
186
|
+
* "her ikisi de çalışsın" senaryosu için. Vault doldurulmamış / token
|
|
187
|
+
* eksik / fetch fail dönerse sessizce `process.env[key]`'e döner — eski
|
|
188
|
+
* deploy ile yeni kod bir arada çalışabilir.
|
|
189
|
+
*
|
|
190
|
+
* **Migration tamamlandıktan sonra** çağrı sitelerini `getEnv()` ya da
|
|
191
|
+
* `getEnvOrThrow()`'a çevir; fallback'i bırakmak silently process.env
|
|
192
|
+
* sızıntısı riskini taşır (kullanıcı vault'tan key'i sildi sansa bile
|
|
193
|
+
* eski process.env değeri etkili olur).
|
|
194
|
+
*
|
|
195
|
+
* Bootstrap path için (`SENTROY_ENV_API_KEY` set değil) doğrudan
|
|
196
|
+
* `process.env`'e döner — vault fetch denemez. Bu önemli: Sentroy app'i
|
|
197
|
+
* vault'sız boot edilebilir.
|
|
198
|
+
*/
|
|
199
|
+
export async function getEnvWithFallback(
|
|
200
|
+
key: string,
|
|
201
|
+
): Promise<string | undefined> {
|
|
202
|
+
// Token yoksa bypass — vault fetch denemeyelim, log spam etmeyelim.
|
|
203
|
+
const apiKey = resolvedApiKey ?? readEnv("SENTROY_ENV_API_KEY")
|
|
204
|
+
if (!apiKey) return readEnv(key)
|
|
205
|
+
try {
|
|
206
|
+
const v = await getEnv(key)
|
|
207
|
+
if (v !== undefined) return v
|
|
208
|
+
} catch {
|
|
209
|
+
// Fetch fail / network down / 401 → sessizce fallback
|
|
210
|
+
}
|
|
211
|
+
return readEnv(key)
|
|
212
|
+
}
|
|
213
|
+
|
|
182
214
|
/** Tüm env'leri map olarak döner (dump için kullanışlı). */
|
|
183
215
|
export async function getAllEnvs(): Promise<Record<string, string>> {
|
|
184
216
|
const c = await ensureCache()
|
|
@@ -196,3 +228,131 @@ export async function getPublicEnvs(): Promise<Record<string, string>> {
|
|
|
196
228
|
}
|
|
197
229
|
return out
|
|
198
230
|
}
|
|
231
|
+
|
|
232
|
+
// ── Webhook handler ─────────────────────────────────────────────────────
|
|
233
|
+
|
|
234
|
+
export interface VaultWebhookPayload {
|
|
235
|
+
event: "vault.variable.changed"
|
|
236
|
+
project: string
|
|
237
|
+
environment: string
|
|
238
|
+
action: "create" | "update" | "delete"
|
|
239
|
+
/** Etkilenen key'ler — bulk push'ta birden fazla. */
|
|
240
|
+
keys: string[]
|
|
241
|
+
/** Unix ms. */
|
|
242
|
+
timestamp: number
|
|
243
|
+
}
|
|
244
|
+
|
|
245
|
+
export interface CreateVaultWebhookHandlerOptions {
|
|
246
|
+
/**
|
|
247
|
+
* Sentroy vault dashboard'dan aldığın webhook secret (`whsec_...`).
|
|
248
|
+
* Receiver bu secret'la HMAC-SHA256 imzayı doğrular; hatalıysa 401 döner.
|
|
249
|
+
*/
|
|
250
|
+
secret: string
|
|
251
|
+
/**
|
|
252
|
+
* Imzayı doğruladıktan sonra çağrılır. Default davranış:
|
|
253
|
+
* `await refreshEnvCache()` — bir sonraki getEnv() taze değerleri çeker.
|
|
254
|
+
* Custom logic için override et (örn. tek bir key'i targeted invalidate).
|
|
255
|
+
*/
|
|
256
|
+
onChange?: (payload: VaultWebhookPayload) => Promise<void> | void
|
|
257
|
+
/**
|
|
258
|
+
* Replay attack'lere karşı body'nin timestamp'i ile şu an arasındaki
|
|
259
|
+
* maksimum tolerans (ms). Default 5 dk. Sıfır ise check kapalı.
|
|
260
|
+
*/
|
|
261
|
+
maxAgeMs?: number
|
|
262
|
+
}
|
|
263
|
+
|
|
264
|
+
const DEFAULT_MAX_AGE_MS = 5 * 60 * 1000
|
|
265
|
+
|
|
266
|
+
async function timingSafeEqualHex(a: string, b: string): Promise<boolean> {
|
|
267
|
+
if (a.length !== b.length) return false
|
|
268
|
+
let diff = 0
|
|
269
|
+
for (let i = 0; i < a.length; i++) {
|
|
270
|
+
diff |= a.charCodeAt(i) ^ b.charCodeAt(i)
|
|
271
|
+
}
|
|
272
|
+
return diff === 0
|
|
273
|
+
}
|
|
274
|
+
|
|
275
|
+
async function hmacSha256Hex(secret: string, body: string): Promise<string> {
|
|
276
|
+
// Web Crypto — Node 18+ + browser ikisi de destekler.
|
|
277
|
+
const encoder = new TextEncoder()
|
|
278
|
+
const key = await crypto.subtle.importKey(
|
|
279
|
+
"raw",
|
|
280
|
+
encoder.encode(secret),
|
|
281
|
+
{ name: "HMAC", hash: "SHA-256" },
|
|
282
|
+
false,
|
|
283
|
+
["sign"],
|
|
284
|
+
)
|
|
285
|
+
const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(body))
|
|
286
|
+
const bytes = new Uint8Array(sig)
|
|
287
|
+
let hex = ""
|
|
288
|
+
for (const b of bytes) hex += b.toString(16).padStart(2, "0")
|
|
289
|
+
return hex
|
|
290
|
+
}
|
|
291
|
+
|
|
292
|
+
/**
|
|
293
|
+
* Bir Sentroy vault webhook receiver'ı için Request → Response handler
|
|
294
|
+
* üretir. Next.js App Router'da:
|
|
295
|
+
*
|
|
296
|
+
* // app/api/sentroy/vault-webhook/route.ts
|
|
297
|
+
* import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
|
|
298
|
+
* export const POST = createVaultWebhookHandler({
|
|
299
|
+
* secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
|
|
300
|
+
* })
|
|
301
|
+
*
|
|
302
|
+
* Default davranış: imza doğruysa cache'i invalidate eder ve 200 döner.
|
|
303
|
+
* Hatalı/eksik imza → 401, eski timestamp → 401, body parse hatası → 400.
|
|
304
|
+
*/
|
|
305
|
+
export function createVaultWebhookHandler(
|
|
306
|
+
options: CreateVaultWebhookHandlerOptions,
|
|
307
|
+
): (request: Request) => Promise<Response> {
|
|
308
|
+
const maxAgeMs = options.maxAgeMs ?? DEFAULT_MAX_AGE_MS
|
|
309
|
+
return async (request: Request) => {
|
|
310
|
+
const sigHeader = request.headers.get("x-sentroy-signature") || ""
|
|
311
|
+
const match = sigHeader.match(/^sha256=([a-f0-9]+)$/i)
|
|
312
|
+
if (!match) {
|
|
313
|
+
return new Response("missing or malformed X-Sentroy-Signature header", {
|
|
314
|
+
status: 401,
|
|
315
|
+
})
|
|
316
|
+
}
|
|
317
|
+
const providedSig = match[1].toLowerCase()
|
|
318
|
+
const body = await request.text()
|
|
319
|
+
const expected = await hmacSha256Hex(options.secret, body)
|
|
320
|
+
if (!(await timingSafeEqualHex(providedSig, expected))) {
|
|
321
|
+
return new Response("signature mismatch", { status: 401 })
|
|
322
|
+
}
|
|
323
|
+
|
|
324
|
+
let payload: VaultWebhookPayload
|
|
325
|
+
try {
|
|
326
|
+
payload = JSON.parse(body) as VaultWebhookPayload
|
|
327
|
+
} catch {
|
|
328
|
+
return new Response("invalid JSON body", { status: 400 })
|
|
329
|
+
}
|
|
330
|
+
|
|
331
|
+
if (maxAgeMs > 0) {
|
|
332
|
+
const age = Date.now() - (payload.timestamp ?? 0)
|
|
333
|
+
if (!Number.isFinite(age) || age < 0 || age > maxAgeMs) {
|
|
334
|
+
return new Response("payload timestamp outside acceptable window", {
|
|
335
|
+
status: 401,
|
|
336
|
+
})
|
|
337
|
+
}
|
|
338
|
+
}
|
|
339
|
+
|
|
340
|
+
try {
|
|
341
|
+
if (options.onChange) {
|
|
342
|
+
await options.onChange(payload)
|
|
343
|
+
} else {
|
|
344
|
+
await refreshEnvCache()
|
|
345
|
+
}
|
|
346
|
+
} catch (err) {
|
|
347
|
+
return new Response(
|
|
348
|
+
`handler error: ${err instanceof Error ? err.message : String(err)}`,
|
|
349
|
+
{ status: 500 },
|
|
350
|
+
)
|
|
351
|
+
}
|
|
352
|
+
|
|
353
|
+
return new Response(JSON.stringify({ ok: true }), {
|
|
354
|
+
status: 200,
|
|
355
|
+
headers: { "Content-Type": "application/json" },
|
|
356
|
+
})
|
|
357
|
+
}
|
|
358
|
+
}
|