@ubiquity-os/plugin-sdk 1.0.9 → 1.0.11

package/dist/index.d.mts

@@ -36,6 +36,7 @@ interface Options$1 {
     postCommentOnError?: boolean;
     settingsSchema?: TAnySchema;
     envSchema?: TAnySchema;
+    bypassSignatureVerification?: boolean;
 }
 declare function createPlugin<TConfig = unknown, TEnv = unknown, TSupportedEvents extends EmitterWebhookEventName = EmitterWebhookEventName>(handler: (context: Context<TConfig, TEnv, TSupportedEvents>) => Promise<Record<string, unknown> | undefined>, manifest: Manifest, options?: Options$1): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
 

package/dist/index.d.ts

@@ -36,6 +36,7 @@ interface Options$1 {
     postCommentOnError?: boolean;
     settingsSchema?: TAnySchema;
     envSchema?: TAnySchema;
+    bypassSignatureVerification?: boolean;
 }
 declare function createPlugin<TConfig = unknown, TEnv = unknown, TSupportedEvents extends EmitterWebhookEventName = EmitterWebhookEventName>(handler: (context: Context<TConfig, TEnv, TSupportedEvents>) => Promise<Record<string, unknown> | undefined>, manifest: Manifest, options?: Options$1): Hono<hono_types.BlankEnv, hono_types.BlankSchema, "/">;
 

package/dist/index.js

@@ -164,13 +164,19 @@ var inputSchema = import_typebox.Type.Object({
   authToken: import_typebox.Type.String(),
   settings: import_typebox.Type.Record(import_typebox.Type.String(), import_typebox.Type.Any()),
   ref: import_typebox.Type.String(),
-  signature: import_typebox.Type.String()
+  signature: import_typebox.Type.String(),
+  bypassSignatureVerification: import_typebox.Type.Optional(
+    import_typebox.Type.Boolean({
+      default: false,
+      description: "Bypass signature verification (caution: only use this if you know what you're doing)"
+    })
+  )
 });
 function createPlugin(handler, manifest, options) {
   const pluginOptions = {
-    kernelPublicKey: options?.kernelPublicKey || KERNEL_PUBLIC_KEY,
-    logLevel: options?.logLevel || import_ubiquity_os_logger.LOG_LEVEL.INFO,
-    postCommentOnError: options?.postCommentOnError || true,
+    kernelPublicKey: options?.kernelPublicKey ?? KERNEL_PUBLIC_KEY,
+    logLevel: options?.logLevel ?? import_ubiquity_os_logger.LOG_LEVEL.INFO,
+    postCommentOnError: options?.postCommentOnError ?? true,
     settingsSchema: options?.settingsSchema,
     envSchema: options?.envSchema
   };
@@ -190,7 +196,7 @@ function createPlugin(handler, manifest, options) {
     }
     const inputs = import_value.Value.Decode(inputSchema, body);
     const signature = inputs.signature;
-    if (!await verifySignature(pluginOptions.kernelPublicKey, inputs, signature)) {
+    if (!options?.bypassSignatureVerification && !await verifySignature(pluginOptions.kernelPublicKey, inputs, signature)) {
       throw new import_http_exception.HTTPException(400, { message: "Invalid signature" });
     }
     let config2;
@@ -265,11 +271,11 @@ var inputSchema2 = import_typebox2.Type.Object({
 });
 async function createActionsPlugin(handler, options) {
   const pluginOptions = {
-    logLevel: options?.logLevel || import_ubiquity_os_logger2.LOG_LEVEL.INFO,
-    postCommentOnError: options?.postCommentOnError || true,
+    logLevel: options?.logLevel ?? import_ubiquity_os_logger2.LOG_LEVEL.INFO,
+    postCommentOnError: options?.postCommentOnError ?? true,
     settingsSchema: options?.settingsSchema,
     envSchema: options?.envSchema,
-    kernelPublicKey: options?.kernelPublicKey || KERNEL_PUBLIC_KEY
+    kernelPublicKey: options?.kernelPublicKey ?? KERNEL_PUBLIC_KEY
   };
   const pluginGithubToken = process.env.PLUGIN_GITHUB_TOKEN;
   if (!pluginGithubToken) {

package/dist/index.mjs

@@ -126,13 +126,19 @@ var inputSchema = T.Object({
   authToken: T.String(),
   settings: T.Record(T.String(), T.Any()),
   ref: T.String(),
-  signature: T.String()
+  signature: T.String(),
+  bypassSignatureVerification: T.Optional(
+    T.Boolean({
+      default: false,
+      description: "Bypass signature verification (caution: only use this if you know what you're doing)"
+    })
+  )
 });
 function createPlugin(handler, manifest, options) {
   const pluginOptions = {
-    kernelPublicKey: options?.kernelPublicKey || KERNEL_PUBLIC_KEY,
-    logLevel: options?.logLevel || LOG_LEVEL.INFO,
-    postCommentOnError: options?.postCommentOnError || true,
+    kernelPublicKey: options?.kernelPublicKey ?? KERNEL_PUBLIC_KEY,
+    logLevel: options?.logLevel ?? LOG_LEVEL.INFO,
+    postCommentOnError: options?.postCommentOnError ?? true,
     settingsSchema: options?.settingsSchema,
     envSchema: options?.envSchema
   };
@@ -152,7 +158,7 @@ function createPlugin(handler, manifest, options) {
     }
     const inputs = Value.Decode(inputSchema, body);
     const signature = inputs.signature;
-    if (!await verifySignature(pluginOptions.kernelPublicKey, inputs, signature)) {
+    if (!options?.bypassSignatureVerification && !await verifySignature(pluginOptions.kernelPublicKey, inputs, signature)) {
       throw new HTTPException(400, { message: "Invalid signature" });
     }
     let config2;
@@ -227,11 +233,11 @@ var inputSchema2 = T2.Object({
 });
 async function createActionsPlugin(handler, options) {
   const pluginOptions = {
-    logLevel: options?.logLevel || LOG_LEVEL2.INFO,
-    postCommentOnError: options?.postCommentOnError || true,
+    logLevel: options?.logLevel ?? LOG_LEVEL2.INFO,
+    postCommentOnError: options?.postCommentOnError ?? true,
     settingsSchema: options?.settingsSchema,
     envSchema: options?.envSchema,
-    kernelPublicKey: options?.kernelPublicKey || KERNEL_PUBLIC_KEY
+    kernelPublicKey: options?.kernelPublicKey ?? KERNEL_PUBLIC_KEY
   };
   const pluginGithubToken = process.env.PLUGIN_GITHUB_TOKEN;
   if (!pluginGithubToken) {

package/dist/signature.d.mts

@@ -0,0 +1,12 @@
+interface Inputs {
+    stateId: unknown;
+    eventName: unknown;
+    eventPayload: unknown;
+    authToken: unknown;
+    settings: unknown;
+    ref: unknown;
+}
+declare function verifySignature(publicKeyPem: string, inputs: Inputs, signature: string): Promise<boolean>;
+declare function signPayload(payload: string, privateKey: string): Promise<string>;
+
+export { signPayload, verifySignature };

package/dist/signature.d.ts

@@ -0,0 +1,12 @@
+interface Inputs {
+    stateId: unknown;
+    eventName: unknown;
+    eventPayload: unknown;
+    authToken: unknown;
+    settings: unknown;
+    ref: unknown;
+}
+declare function verifySignature(publicKeyPem: string, inputs: Inputs, signature: string): Promise<boolean>;
+declare function signPayload(payload: string, privateKey: string): Promise<string>;
+
+export { signPayload, verifySignature };

package/dist/signature.js

@@ -0,0 +1,81 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/signature.ts
+var signature_exports = {};
+__export(signature_exports, {
+  signPayload: () => signPayload,
+  verifySignature: () => verifySignature
+});
+module.exports = __toCommonJS(signature_exports);
+async function verifySignature(publicKeyPem, inputs, signature) {
+  try {
+    const inputsOrdered = {
+      stateId: inputs.stateId,
+      eventName: inputs.eventName,
+      eventPayload: inputs.eventPayload,
+      settings: inputs.settings,
+      authToken: inputs.authToken,
+      ref: inputs.ref
+    };
+    const pemContents = publicKeyPem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").trim();
+    const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+    const publicKey = await crypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256"
+      },
+      true,
+      ["verify"]
+    );
+    const signatureArray = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
+    const dataArray = new TextEncoder().encode(JSON.stringify(inputsOrdered));
+    return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", publicKey, signatureArray, dataArray);
+  } catch (error) {
+    console.error(error);
+    return false;
+  }
+}
+async function importRsaPrivateKey(pem) {
+  const pemContents = pem.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").trim();
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  return await crypto.subtle.importKey(
+    "pkcs8",
+    binaryDer.buffer,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    true,
+    ["sign"]
+  );
+}
+async function signPayload(payload, privateKey) {
+  const data = new TextEncoder().encode(payload);
+  const _privateKey = await importRsaPrivateKey(privateKey);
+  const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", _privateKey, data);
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  signPayload,
+  verifySignature
+});

package/dist/signature.mjs

@@ -0,0 +1,55 @@
+// src/signature.ts
+async function verifySignature(publicKeyPem, inputs, signature) {
+  try {
+    const inputsOrdered = {
+      stateId: inputs.stateId,
+      eventName: inputs.eventName,
+      eventPayload: inputs.eventPayload,
+      settings: inputs.settings,
+      authToken: inputs.authToken,
+      ref: inputs.ref
+    };
+    const pemContents = publicKeyPem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").trim();
+    const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+    const publicKey = await crypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256"
+      },
+      true,
+      ["verify"]
+    );
+    const signatureArray = Uint8Array.from(atob(signature), (c) => c.charCodeAt(0));
+    const dataArray = new TextEncoder().encode(JSON.stringify(inputsOrdered));
+    return await crypto.subtle.verify("RSASSA-PKCS1-v1_5", publicKey, signatureArray, dataArray);
+  } catch (error) {
+    console.error(error);
+    return false;
+  }
+}
+async function importRsaPrivateKey(pem) {
+  const pemContents = pem.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").trim();
+  const binaryDer = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+  return await crypto.subtle.importKey(
+    "pkcs8",
+    binaryDer.buffer,
+    {
+      name: "RSASSA-PKCS1-v1_5",
+      hash: "SHA-256"
+    },
+    true,
+    ["sign"]
+  );
+}
+async function signPayload(payload, privateKey) {
+  const data = new TextEncoder().encode(payload);
+  const _privateKey = await importRsaPrivateKey(privateKey);
+  const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", _privateKey, data);
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+export {
+  signPayload,
+  verifySignature
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ubiquity-os/plugin-sdk",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "SDK for plugin support.",
   "author": "Ubiquity DAO",
   "license": "MIT",
@@ -18,6 +18,9 @@
       ],
       "constants": [
         "dist/constants.d.ts"
+      ],
+      "signature": [
+        "dist/signature.d.ts"
       ]
     }
   },
@@ -36,6 +39,11 @@
       "types": "./dist/constants.d.ts",
       "import": "./dist/constants.mjs",
       "require": "./dist/constants.js"
+    },
+    "./signature": {
+      "types": "./dist/signature.d.ts",
+      "import": "./dist/signature.mjs",
+      "require": "./dist/signature.js"
     }
   },
   "files": [
@@ -50,7 +58,7 @@
     "knip": "knip --config .github/knip.ts",
     "knip-ci": "knip --no-exit-code --reporter json --config .github/knip.ts",
     "prepare": "node .husky/install.mjs",
-    "test": "jest --setupFiles dotenv/config --coverage"
+    "jest:test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" jest --setupFiles dotenv/config --coverage"
   },
   "keywords": [
     "typescript",
@@ -83,10 +91,10 @@
     "@cspell/dict-software-terms": "^3.3.18",
     "@cspell/dict-typescript": "^3.1.2",
     "@eslint/js": "^9.14.0",
-    "@jest/globals": "29.7.0",
+    "@jest/globals": "^29.7.0",
     "@mswjs/data": "0.16.1",
-    "@types/jest": "29.5.12",
     "@types/node": "^20.11.19",
+    "cross-env": "^7.0.3",
     "cspell": "^8.4.0",
     "eslint": "^9.14.0",
     "eslint-config-prettier": "^9.1.0",
@@ -94,13 +102,17 @@
     "eslint-plugin-prettier": "^5.2.1",
     "eslint-plugin-sonarjs": "^2.0.4",
     "husky": "^9.0.11",
-    "jest": "29.7.0",
-    "jest-junit": "16.0.0",
-    "jest-md-dashboard": "0.8.0",
+    "jest": "^29.7.0",
+    "jest-junit": "^16.0.0",
+    "jest-md-dashboard": "^0.8.0",
     "knip": "^5.0.1",
     "lint-staged": "^15.2.2",
+    "msw": "^2.6.3",
+    "npm-run-all": "^4.1.5",
     "prettier": "^3.3.3",
-    "ts-jest": "29.1.2",
+    "simple-git": "^3.27.0",
+    "ts-jest": "^29.2.5",
+    "ts-node": "^10.9.2",
     "tsup": "8.1.0",
     "typescript": "^5.5.4",
     "typescript-eslint": "^8.13.0"