@usethrottle/extension-bridge 0.2.0

package/dist/webhook.cjs

@@ -0,0 +1,53 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/webhook.ts
+var webhook_exports = {};
+__export(webhook_exports, {
+  verifyWebhook: () => verifyWebhook
+});
+module.exports = __toCommonJS(webhook_exports);
+var import_node_crypto = require("crypto");
+function verifyWebhook(rawBody, signatureHeader, secret, opts = {}) {
+  try {
+    if (!signatureHeader || typeof signatureHeader !== "string") return false;
+    const toleranceSeconds = opts.toleranceSeconds ?? 300;
+    const parts = {};
+    for (const segment of signatureHeader.split(",")) {
+      const idx = segment.indexOf("=");
+      if (idx > 0) parts[segment.slice(0, idx).trim()] = segment.slice(idx + 1).trim();
+    }
+    const ts = parts["t"] ? Number.parseInt(parts["t"], 10) : NaN;
+    const v1 = parts["v1"];
+    if (!Number.isFinite(ts) || !v1 || !/^[0-9a-f]+$/i.test(v1)) return false;
+    const now = Math.floor(Date.now() / 1e3);
+    if (Math.abs(now - ts) > toleranceSeconds) return false;
+    const body = typeof rawBody === "string" ? rawBody : rawBody.toString("utf8");
+    const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(`${ts}.${body}`).digest("hex");
+    if (expected.length !== v1.length) return false;
+    return (0, import_node_crypto.timingSafeEqual)(Buffer.from(expected, "hex"), Buffer.from(v1, "hex"));
+  } catch {
+    return false;
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifyWebhook
+});
+//# sourceMappingURL=webhook.cjs.map

package/dist/webhook.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhook.ts"],"sourcesContent":["/**\n * @usethrottle/extension-bridge/webhook\n *\n * Server-side webhook signature verifier. Uses node:crypto — keep out of browser bundles.\n * Import from `@usethrottle/extension-bridge/webhook`.\n *\n * Signature scheme: Header `X-Throttle-Signature: t=<unixSeconds>,v1=<hex-hmac-sha256>`\n * Signed payload: `${t}.${rawBody}` (matches signOutbound in @platform/webhooks)\n */\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyWebhookOptions {\n  /** Clock-skew tolerance in seconds. Default: 300. */\n  toleranceSeconds?: number;\n}\n\n/**\n * Verify the `X-Throttle-Signature` header on an inbound webhook delivery.\n * @returns `true` if valid; `false` for any invalid/malformed input. Never throws.\n */\nexport function verifyWebhook(\n  rawBody: string | Buffer,\n  signatureHeader: string,\n  secret: string,\n  opts: VerifyWebhookOptions = {},\n): boolean {\n  try {\n    if (!signatureHeader || typeof signatureHeader !== 'string') return false;\n    const toleranceSeconds = opts.toleranceSeconds ?? 300;\n    const parts: Record<string, string> = {};\n    for (const segment of signatureHeader.split(',')) {\n      const idx = segment.indexOf('=');\n      if (idx > 0) parts[segment.slice(0, idx).trim()] = segment.slice(idx + 1).trim();\n    }\n    const ts = parts['t'] ? Number.parseInt(parts['t'], 10) : NaN;\n    const v1 = parts['v1'];\n    if (!Number.isFinite(ts) || !v1 || !/^[0-9a-f]+$/i.test(v1)) return false;\n    const now = Math.floor(Date.now() / 1000);\n    if (Math.abs(now - ts) > toleranceSeconds) return false;\n    const body = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf8');\n    const expected = createHmac('sha256', secret).update(`${ts}.${body}`).digest('hex');\n    if (expected.length !== v1.length) return false;\n    return timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(v1, 'hex'));\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AASA,yBAA4C;AAWrC,SAAS,cACd,SACA,iBACA,QACA,OAA6B,CAAC,GACrB;AACT,MAAI;AACF,QAAI,CAAC,mBAAmB,OAAO,oBAAoB,SAAU,QAAO;AACpE,UAAM,mBAAmB,KAAK,oBAAoB;AAClD,UAAM,QAAgC,CAAC;AACvC,eAAW,WAAW,gBAAgB,MAAM,GAAG,GAAG;AAChD,YAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,UAAI,MAAM,EAAG,OAAM,QAAQ,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,MAAM,MAAM,CAAC,EAAE,KAAK;AAAA,IACjF;AACA,UAAM,KAAK,MAAM,GAAG,IAAI,OAAO,SAAS,MAAM,GAAG,GAAG,EAAE,IAAI;AAC1D,UAAM,KAAK,MAAM,IAAI;AACrB,QAAI,CAAC,OAAO,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,eAAe,KAAK,EAAE,EAAG,QAAO;AACpE,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAI,KAAK,IAAI,MAAM,EAAE,IAAI,iBAAkB,QAAO;AAClD,UAAM,OAAO,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,MAAM;AAC5E,UAAM,eAAW,+BAAW,UAAU,MAAM,EAAE,OAAO,GAAG,EAAE,IAAI,IAAI,EAAE,EAAE,OAAO,KAAK;AAClF,QAAI,SAAS,WAAW,GAAG,OAAQ,QAAO;AAC1C,eAAO,oCAAgB,OAAO,KAAK,UAAU,KAAK,GAAG,OAAO,KAAK,IAAI,KAAK,CAAC;AAAA,EAC7E,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/webhook.d.cts

@@ -0,0 +1,11 @@
+interface VerifyWebhookOptions {
+    /** Clock-skew tolerance in seconds. Default: 300. */
+    toleranceSeconds?: number;
+}
+/**
+ * Verify the `X-Throttle-Signature` header on an inbound webhook delivery.
+ * @returns `true` if valid; `false` for any invalid/malformed input. Never throws.
+ */
+declare function verifyWebhook(rawBody: string | Buffer, signatureHeader: string, secret: string, opts?: VerifyWebhookOptions): boolean;
+
+export { type VerifyWebhookOptions, verifyWebhook };

package/dist/webhook.d.ts

@@ -0,0 +1,11 @@
+interface VerifyWebhookOptions {
+    /** Clock-skew tolerance in seconds. Default: 300. */
+    toleranceSeconds?: number;
+}
+/**
+ * Verify the `X-Throttle-Signature` header on an inbound webhook delivery.
+ * @returns `true` if valid; `false` for any invalid/malformed input. Never throws.
+ */
+declare function verifyWebhook(rawBody: string | Buffer, signatureHeader: string, secret: string, opts?: VerifyWebhookOptions): boolean;
+
+export { type VerifyWebhookOptions, verifyWebhook };

package/dist/webhook.js

@@ -0,0 +1,28 @@
+// src/webhook.ts
+import { createHmac, timingSafeEqual } from "crypto";
+function verifyWebhook(rawBody, signatureHeader, secret, opts = {}) {
+  try {
+    if (!signatureHeader || typeof signatureHeader !== "string") return false;
+    const toleranceSeconds = opts.toleranceSeconds ?? 300;
+    const parts = {};
+    for (const segment of signatureHeader.split(",")) {
+      const idx = segment.indexOf("=");
+      if (idx > 0) parts[segment.slice(0, idx).trim()] = segment.slice(idx + 1).trim();
+    }
+    const ts = parts["t"] ? Number.parseInt(parts["t"], 10) : NaN;
+    const v1 = parts["v1"];
+    if (!Number.isFinite(ts) || !v1 || !/^[0-9a-f]+$/i.test(v1)) return false;
+    const now = Math.floor(Date.now() / 1e3);
+    if (Math.abs(now - ts) > toleranceSeconds) return false;
+    const body = typeof rawBody === "string" ? rawBody : rawBody.toString("utf8");
+    const expected = createHmac("sha256", secret).update(`${ts}.${body}`).digest("hex");
+    if (expected.length !== v1.length) return false;
+    return timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(v1, "hex"));
+  } catch {
+    return false;
+  }
+}
+export {
+  verifyWebhook
+};
+//# sourceMappingURL=webhook.js.map

package/dist/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhook.ts"],"sourcesContent":["/**\n * @usethrottle/extension-bridge/webhook\n *\n * Server-side webhook signature verifier. Uses node:crypto — keep out of browser bundles.\n * Import from `@usethrottle/extension-bridge/webhook`.\n *\n * Signature scheme: Header `X-Throttle-Signature: t=<unixSeconds>,v1=<hex-hmac-sha256>`\n * Signed payload: `${t}.${rawBody}` (matches signOutbound in @platform/webhooks)\n */\nimport { createHmac, timingSafeEqual } from 'node:crypto';\n\nexport interface VerifyWebhookOptions {\n  /** Clock-skew tolerance in seconds. Default: 300. */\n  toleranceSeconds?: number;\n}\n\n/**\n * Verify the `X-Throttle-Signature` header on an inbound webhook delivery.\n * @returns `true` if valid; `false` for any invalid/malformed input. Never throws.\n */\nexport function verifyWebhook(\n  rawBody: string | Buffer,\n  signatureHeader: string,\n  secret: string,\n  opts: VerifyWebhookOptions = {},\n): boolean {\n  try {\n    if (!signatureHeader || typeof signatureHeader !== 'string') return false;\n    const toleranceSeconds = opts.toleranceSeconds ?? 300;\n    const parts: Record<string, string> = {};\n    for (const segment of signatureHeader.split(',')) {\n      const idx = segment.indexOf('=');\n      if (idx > 0) parts[segment.slice(0, idx).trim()] = segment.slice(idx + 1).trim();\n    }\n    const ts = parts['t'] ? Number.parseInt(parts['t'], 10) : NaN;\n    const v1 = parts['v1'];\n    if (!Number.isFinite(ts) || !v1 || !/^[0-9a-f]+$/i.test(v1)) return false;\n    const now = Math.floor(Date.now() / 1000);\n    if (Math.abs(now - ts) > toleranceSeconds) return false;\n    const body = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf8');\n    const expected = createHmac('sha256', secret).update(`${ts}.${body}`).digest('hex');\n    if (expected.length !== v1.length) return false;\n    return timingSafeEqual(Buffer.from(expected, 'hex'), Buffer.from(v1, 'hex'));\n  } catch {\n    return false;\n  }\n}\n"],"mappings":";AASA,SAAS,YAAY,uBAAuB;AAWrC,SAAS,cACd,SACA,iBACA,QACA,OAA6B,CAAC,GACrB;AACT,MAAI;AACF,QAAI,CAAC,mBAAmB,OAAO,oBAAoB,SAAU,QAAO;AACpE,UAAM,mBAAmB,KAAK,oBAAoB;AAClD,UAAM,QAAgC,CAAC;AACvC,eAAW,WAAW,gBAAgB,MAAM,GAAG,GAAG;AAChD,YAAM,MAAM,QAAQ,QAAQ,GAAG;AAC/B,UAAI,MAAM,EAAG,OAAM,QAAQ,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,MAAM,MAAM,CAAC,EAAE,KAAK;AAAA,IACjF;AACA,UAAM,KAAK,MAAM,GAAG,IAAI,OAAO,SAAS,MAAM,GAAG,GAAG,EAAE,IAAI;AAC1D,UAAM,KAAK,MAAM,IAAI;AACrB,QAAI,CAAC,OAAO,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,eAAe,KAAK,EAAE,EAAG,QAAO;AACpE,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAI,KAAK,IAAI,MAAM,EAAE,IAAI,iBAAkB,QAAO;AAClD,UAAM,OAAO,OAAO,YAAY,WAAW,UAAU,QAAQ,SAAS,MAAM;AAC5E,UAAM,WAAW,WAAW,UAAU,MAAM,EAAE,OAAO,GAAG,EAAE,IAAI,IAAI,EAAE,EAAE,OAAO,KAAK;AAClF,QAAI,SAAS,WAAW,GAAG,OAAQ,QAAO;AAC1C,WAAO,gBAAgB,OAAO,KAAK,UAAU,KAAK,GAAG,OAAO,KAAK,IAAI,KAAK,CAAC;AAAA,EAC7E,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@usethrottle/extension-bridge",
+  "version": "0.2.0",
+  "description": "iframe bridge runtime for Throttle extensions — host helper + webhook verifier.",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "unpkg": "./dist/extension-bridge.global.js",
+  "jsdelivr": "./dist/extension-bridge.global.js",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./webhook": {
+      "types": "./dist/webhook.d.ts",
+      "import": "./dist/webhook.js",
+      "require": "./dist/webhook.cjs"
+    },
+    "./protocol": {
+      "types": "./dist/protocol.d.ts",
+      "import": "./dist/protocol.js",
+      "require": "./dist/protocol.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.9",
+    "jsdom": "^25.0.0",
+    "@types/node": "^20.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}