@waffo/pancake-ts 0.1.3 → 0.1.5

package/CHANGELOG.md

@@ -4,6 +4,77 @@ All notable changes to `@waffo/pancake-ts` will be documented in this file.
 
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.7] - 2026-03-20
+
+### Added
+
+- **Custom webhook public key** — `WaffoPancakeConfig` accepts optional `webhookPublicKey` to override built-in Waffo public keys for webhook signature verification. Useful for self-hosted deployments or custom key rotation.
+- **`client.webhooks.verify()`** — New resource namespace on the client instance. Uses the configured `webhookPublicKey` automatically; supports per-call override via `options.publicKey`.
+- **`VerifyWebhookOptions.publicKey`** — The standalone `verifyWebhook()` function also accepts a custom public key per call, taking precedence over built-in keys and the `environment` option.
+- **Public key normalization** — `normalizePublicKey()` handles the same flexible input formats as `normalizePrivateKey`: literal `\n` from environment variables, Windows `\r\n` line endings, raw base64 without PEM headers, single-line base64, and PKCS#1 (`BEGIN RSA PUBLIC KEY`) format. Applied automatically when a custom public key is used.
+
+## [0.1.6] - 2026-03-18
+
+### Changed
+
+- **Types (BREAKING)** — `PriceInfo` removes `taxIncluded` field. Prices now only require `amount` and `taxCategory`. The system internally defaults to tax-exclusive pricing; `taxIncluded` may be re-introduced in a future version.
+- **Types (BREAKING)** — `Store` removes `isPublic` field from response type. `UpdateStoreParams` removes `isPublic` field from input type. Store visibility is no longer configurable (defaults to private).
+
+### Migration
+
+Remove `taxIncluded` from all `PriceInfo` / `Prices` objects:
+
+```diff
+ const { product } = await client.onetimeProducts.create({
+   storeId: "store_xxx",
+   name: "My Product",
+   prices: {
+-    USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" },
++    USD: { amount: 2900, taxCategory: "digital_goods" },
+   },
+ });
+```
+
+Remove `isPublic` from `stores.update()` calls:
+
+```diff
+ const { store } = await client.stores.update({
+   id: "store_xxx",
+-  isPublic: true,
+   name: "Updated Name",
+ });
+```
+
+## [0.1.5] - 2026-03-18
+
+### Changed
+
+- **Types** — `CheckoutThemeSettings` removes `checkoutColorTextSecondary` field (7→6 fields). The secondary text color is now derived server-side from `checkoutColorText` and `checkoutColorCard` via color mixing. Merchants only need to configure 5 base color/radius fields; the remaining 7 PSP variables are computed automatically.
+
+### Migration
+
+If your code references `checkoutColorTextSecondary`, remove it. The field is no longer accepted by the API and is silently ignored in stored data.
+
+```diff
+ const theme: CheckoutThemeSettings = {
+   checkoutLogo: null,
+   checkoutColorPrimary: "#6366f1",
+   checkoutColorBackground: "#ffffff",
+   checkoutColorCard: "#f9fafb",
+   checkoutColorText: "#111827",
+-  checkoutColorTextSecondary: "#6b7280",
+   checkoutBorderRadius: "0.5rem",
+ };
+```
+
+## [0.1.4] - 2026-03-16
+
+### Changed
+
+- **Types** — `CheckoutSettings` adds `defaultDarkMode: boolean` field to match API response (store create/update)
+- **Types** — `CreateCheckoutSessionParams` adds optional `darkMode` field for dark mode override
+- **Types** — `CreateCheckoutSessionParams.storeId` changed from optional to required to match API spec
+
 ## [0.1.3] - 2026-03-11
 
 ### Added

package/README.md

@@ -31,8 +31,8 @@ const { product } = await client.onetimeProducts.create({
   storeId: store.id,
   name: "E-Book: TypeScript Handbook",
   prices: {
-    USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" },
-    EUR: { amount: 2700, taxIncluded: true, taxCategory: "digital_goods" },
+    USD: { amount: 2900, taxCategory: "digital_goods" },
+    EUR: { amount: 2700, taxCategory: "digital_goods" },
   },
 });
 
@@ -59,6 +59,7 @@ const result = await client.graphql.query<{ stores: Array<{ id: string; name: st
 | `privateKey` | `string` | Yes | RSA private key (see [Private Key Formats](#private-key-formats) below) |
 | `baseUrl` | `string` | No | API base URL (default: `https://waffo-pancake-auth-service.vercel.app`) |
 | `fetch` | `typeof fetch` | No | Custom fetch implementation |
+| `webhookPublicKey` | `string` | No | Custom RSA public key for webhook verification (see [Public Key Formats](#public-key-formats) below). Overrides built-in keys when set. |
 
 ### Private Key Formats
 
@@ -82,6 +83,19 @@ new WaffoPancake({ merchantId: "m_1", privateKey: fs.readFileSync("key.pem", "ut
 new WaffoPancake({ merchantId: "m_1", privateKey: rawBase64String });                   // raw base64
 ```
 
+### Public Key Formats
+
+The `webhookPublicKey` option (and the `publicKey` field in `VerifyWebhookOptions`) accepts the same flexible formats as private keys:
+
+| Format | Example | Notes |
+|--------|---------|-------|
+| Standard SPKI PEM | `-----BEGIN PUBLIC KEY-----\n...` | Recommended |
+| PKCS#1 PEM | `-----BEGIN RSA PUBLIC KEY-----\n...` | Also accepted |
+| Literal `\n` (env vars) | `"-----BEGIN PUBLIC KEY-----\\nMIIB..."` | Common when stored in `.env` or CI secrets |
+| Windows line endings | `\r\n` | Converted to `\n` |
+| Raw base64 (no headers) | `MIIBIjANBgkqhki...` | Wrapped with SPKI headers automatically |
+| Single-line base64 with headers | Header + all base64 on one line + footer | Re-wrapped to 64-char lines |
+
 ## Resources
 
 | Namespace | Methods | Description |
@@ -95,6 +109,7 @@ new WaffoPancake({ merchantId: "m_1", privateKey: rawBase64String });
 | `client.orders` | `cancelSubscription()` | Order management (pending→canceled, active→canceling) |
 | `client.checkout` | `createSession()` | Create a checkout session with trial toggle, billing detail, and price snapshot |
 | `client.graphql` | `query<T>()` | Typed GraphQL queries (Query only, no Mutations) |
+| `client.webhooks` | `verify<T>()` | Webhook signature verification (uses configured `webhookPublicKey` or built-in keys) |
 
 See [API Reference](docs/api-reference.md) for complete parameter tables and return types.
 
@@ -260,9 +275,9 @@ const { product } = await client.onetimeProducts.create({
   name: "E-Book: TypeScript Handbook",
   description: "Complete TypeScript guide for developers",
   prices: {
-    USD: { amount: 2900, taxIncluded: false, taxCategory: TaxCategory.DigitalGoods },
-    EUR: { amount: 2700, taxIncluded: true, taxCategory: TaxCategory.DigitalGoods },
-    JPY: { amount: 4500, taxIncluded: true, taxCategory: TaxCategory.DigitalGoods },
+    USD: { amount: 2900, taxCategory: TaxCategory.DigitalGoods },
+    EUR: { amount: 2700, taxCategory: TaxCategory.DigitalGoods },
+    JPY: { amount: 4500, taxCategory: TaxCategory.DigitalGoods },
   },
   media: [{ type: "image", url: "https://example.com/cover.jpg", alt: "Book cover" }],
   metadata: { sku: "ebook-ts-001" },
@@ -272,7 +287,7 @@ const { product } = await client.onetimeProducts.create({
 await client.onetimeProducts.update({
   id: product.id,
   name: "E-Book: TypeScript Handbook v2",
-  prices: { USD: { amount: 3900, taxIncluded: false, taxCategory: "digital_goods" } },
+  prices: { USD: { amount: 3900, taxCategory: "digital_goods" } },
 });
 
 // Publish test version → production
@@ -291,7 +306,7 @@ const { product } = await client.subscriptionProducts.create({
   storeId: "store_xxx",
   name: "Pro Plan",
   billingPeriod: BillingPeriod.Monthly,
-  prices: { USD: { amount: 999, taxIncluded: false, taxCategory: TaxCategory.SaaS } },
+  prices: { USD: { amount: 999, taxCategory: TaxCategory.SaaS } },
   description: "Unlimited access to all features",
 });
 
@@ -348,6 +363,7 @@ const session = await client.checkout.createSession({
 
 // Subscription with trial and billing detail
 const subSession = await client.checkout.createSession({
+  storeId: "store_xxx",
   productId: "prod_yyy",
   productType: CheckoutSessionProductType.Subscription,
   currency: "USD",
@@ -390,7 +406,9 @@ See [GraphQL Guide](docs/graphql-guide.md) for introspection, filters, paginatio
 
 ## Webhook Verification
 
-The SDK exports a standalone `verifyWebhook()` function with **embedded RSA-SHA256 public keys** for both test and production environments. No need to manage keys yourself.
+Two ways to verify webhooks: the **standalone function** `verifyWebhook()` with built-in public keys, or the **client instance method** `client.webhooks.verify()` which uses the configured `webhookPublicKey`.
+
+### Option A — Standalone Function (built-in keys)
 
 ```typescript
 import { verifyWebhook, WebhookEventType } from "@waffo/pancake-ts";
@@ -444,6 +462,32 @@ const event = verifyWebhook(body, sig, { environment: "prod" });
 const event = verifyWebhook(body, sig, { toleranceMs: 0 }); // disable replay check
 ```
 
+### Option B — Client Instance Method (custom public key)
+
+When you provide a `webhookPublicKey` in the client config, `client.webhooks.verify()` uses that key automatically. Useful for self-hosted deployments or custom key rotation.
+
+```typescript
+const client = new WaffoPancake({
+  merchantId: process.env.WAFFO_MERCHANT_ID!,
+  privateKey: process.env.WAFFO_PRIVATE_KEY!,
+  webhookPublicKey: process.env.WAFFO_WEBHOOK_PUBLIC_KEY!, // any format accepted
+});
+
+// Uses the configured public key — no need to pass it per call
+const event = client.webhooks.verify(rawBody, signatureHeader);
+
+// You can still override per call if needed
+const event = client.webhooks.verify(rawBody, sig, { publicKey: anotherKey });
+```
+
+### Standalone Function with Custom Key
+
+You can also pass a custom key directly to the standalone function without creating a client:
+
+```typescript
+const event = verifyWebhook(body, sig, { publicKey: process.env.MY_PUBLIC_KEY! });
+```
+
 See [Webhook Guide](docs/webhook-guide.md) for all 10 event types, signature algorithm, and best practices.
 
 ## Error Handling
@@ -536,7 +580,8 @@ src/
     ├── subscription-product-groups.ts
     ├── orders.ts
     ├── checkout.ts
-    └── graphql.ts
+    ├── graphql.ts
+    └── webhooks.ts
 docs/
 ├── api-reference.md       # Complete API reference
 ├── graphql-guide.md       # GraphQL usage guide

package/dist/index.cjs

@@ -63,6 +63,10 @@ var PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----";
 var PKCS8_FOOTER = "-----END PRIVATE KEY-----";
 var PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----";
 var PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----";
+var SPKI_HEADER = "-----BEGIN PUBLIC KEY-----";
+var SPKI_FOOTER = "-----END PUBLIC KEY-----";
+var PKCS1_PUB_HEADER = "-----BEGIN RSA PUBLIC KEY-----";
+var PKCS1_PUB_FOOTER = "-----END RSA PUBLIC KEY-----";
 function normalizePrivateKey(raw) {
   if (!raw || !raw.trim()) {
     throw new Error(
@@ -108,6 +112,51 @@ ${PKCS8_FOOTER}`;
   }
   return pem;
 }
+function normalizePublicKey(raw) {
+  if (!raw || !raw.trim()) {
+    throw new Error(
+      "Public key is empty. Provide an RSA public key in PEM format."
+    );
+  }
+  let pem = raw.replace(/\\n/g, "\n").replace(/\r\n/g, "\n");
+  pem = pem.trim();
+  const hasSpkiHeader = pem.includes(SPKI_HEADER);
+  const hasPkcs1PubHeader = pem.includes(PKCS1_PUB_HEADER);
+  const hasHeader = hasSpkiHeader || hasPkcs1PubHeader;
+  if (hasHeader) {
+    const base64 = pem.replace(/-----BEGIN (?:RSA )?PUBLIC KEY-----/g, "").replace(/-----END (?:RSA )?PUBLIC KEY-----/g, "").replace(/\s+/g, "");
+    if (!base64) {
+      throw new Error(
+        "Public key contains PEM headers but no key data. Check the key content."
+      );
+    }
+    const header = hasPkcs1PubHeader ? PKCS1_PUB_HEADER : SPKI_HEADER;
+    const footer = hasPkcs1PubHeader ? PKCS1_PUB_FOOTER : SPKI_FOOTER;
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${header}
+${wrapped}
+${footer}`;
+  } else {
+    const base64 = pem.replace(/\s+/g, "");
+    if (!/^[A-Za-z0-9+/]+=*$/.test(base64)) {
+      throw new Error(
+        "Public key is not valid PEM or base64. Expected an RSA public key in PEM format or raw base64."
+      );
+    }
+    const wrapped = base64.match(/.{1,64}/g).join("\n");
+    pem = `${SPKI_HEADER}
+${wrapped}
+${SPKI_FOOTER}`;
+  }
+  try {
+    (0, import_node_crypto.createPublicKey)(pem);
+  } catch {
+    throw new Error(
+      "Public key could not be parsed. Ensure it is a valid RSA public key in SPKI or PKCS#1 (PEM) format."
+    );
+  }
+  return pem;
+}
 function signRequest(method, path, timestamp, body, privateKey) {
   const bodyHash = (0, import_node_crypto.createHash)("sha256").update(body).digest("base64");
   const canonicalRequest = `${method}
@@ -259,7 +308,7 @@ var OnetimeProductsResource = class {
    * const { product } = await client.onetimeProducts.create({
    *   storeId: "store_xxx",
    *   name: "E-Book",
-   *   prices: { USD: { amount: 2900, taxIncluded: false, taxCategory: "digital_goods" } },
+   *   prices: { USD: { amount: 2900, taxCategory: "digital_goods" } },
    * });
    */
   async create(params) {
@@ -275,7 +324,7 @@ var OnetimeProductsResource = class {
    * const { product } = await client.onetimeProducts.update({
    *   id: "prod_xxx",
    *   name: "E-Book v2",
-   *   prices: { USD: { amount: 3900, taxIncluded: false, taxCategory: "digital_goods" } },
+   *   prices: { USD: { amount: 3900, taxCategory: "digital_goods" } },
    * });
    */
   async update(params) {
@@ -416,7 +465,6 @@ var StoresResource = class {
    * const { store } = await client.stores.update({
    *   id: "store_xxx",
    *   name: "Updated Name",
-   *   supportEmail: "help@example.com",
    * });
    */
   async update(params) {
@@ -515,7 +563,7 @@ var SubscriptionProductsResource = class {
    *   storeId: "store_xxx",
    *   name: "Pro Plan",
    *   billingPeriod: "monthly",
-   *   prices: { USD: { amount: 999, taxIncluded: false, taxCategory: "saas" } },
+   *   prices: { USD: { amount: 999, taxCategory: "saas" } },
    * });
    */
   async create(params) {
@@ -532,7 +580,7 @@ var SubscriptionProductsResource = class {
    *   id: "prod_xxx",
    *   name: "Pro Plan v2",
    *   billingPeriod: "monthly",
-   *   prices: { USD: { amount: 1499, taxIncluded: false, taxCategory: "saas" } },
+   *   prices: { USD: { amount: 1499, taxCategory: "saas" } },
    * });
    */
   async update(params) {
@@ -567,32 +615,6 @@ var SubscriptionProductsResource = class {
   }
 };
 
-// src/client.ts
-var WaffoPancake = class {
-  http;
-  auth;
-  stores;
-  storeMerchants;
-  onetimeProducts;
-  subscriptionProducts;
-  subscriptionProductGroups;
-  orders;
-  checkout;
-  graphql;
-  constructor(config) {
-    this.http = new HttpClient(config);
-    this.auth = new AuthResource(this.http);
-    this.stores = new StoresResource(this.http);
-    this.storeMerchants = new StoreMerchantsResource(this.http);
-    this.onetimeProducts = new OnetimeProductsResource(this.http);
-    this.subscriptionProducts = new SubscriptionProductsResource(this.http);
-    this.subscriptionProductGroups = new SubscriptionProductGroupsResource(this.http);
-    this.orders = new OrdersResource(this.http);
-    this.checkout = new CheckoutResource(this.http);
-    this.graphql = new GraphQLResource(this.http);
-  }
-};
-
 // src/webhooks.ts
 var import_node_crypto3 = require("crypto");
 var DEFAULT_TOLERANCE_MS = 5 * 60 * 1e3;
@@ -651,27 +673,97 @@ function verifyWebhook(payload, signatureHeader, options) {
     }
   }
   const signatureInput = `${t}.${payload}`;
-  const env = options?.environment;
-  if (env === "test") {
-    if (!rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY)) {
-      throw new Error("Invalid webhook signature (test key)");
-    }
-  } else if (env === "prod") {
-    if (!rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY)) {
-      throw new Error("Invalid webhook signature (prod key)");
+  const customKey = options?.publicKey;
+  if (customKey) {
+    const normalizedKey = normalizePublicKey(customKey);
+    if (!rsaVerify(signatureInput, v1, normalizedKey)) {
+      throw new Error("Invalid webhook signature (custom key)");
     }
   } else {
-    const prodValid = rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY);
-    if (!prodValid) {
-      const testValid = rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY);
-      if (!testValid) {
-        throw new Error("Invalid webhook signature (tried both prod and test keys)");
+    const env = options?.environment;
+    if (env === "test") {
+      if (!rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY)) {
+        throw new Error("Invalid webhook signature (test key)");
+      }
+    } else if (env === "prod") {
+      if (!rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY)) {
+        throw new Error("Invalid webhook signature (prod key)");
+      }
+    } else {
+      const prodValid = rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY);
+      if (!prodValid) {
+        const testValid = rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY);
+        if (!testValid) {
+          throw new Error("Invalid webhook signature (tried both prod and test keys)");
+        }
       }
     }
   }
   return JSON.parse(payload);
 }
 
+// src/resources/webhooks.ts
+var WebhooksResource = class {
+  /** @param publicKey - Optional custom RSA public key (PEM or raw base64) */
+  constructor(publicKey) {
+    this.publicKey = publicKey;
+  }
+  /**
+   * Verify and parse an incoming webhook event.
+   *
+   * When the client was created with a `webhookPublicKey`, that key is used
+   * automatically. You can still override per-call via `options.publicKey`.
+   *
+   * @param payload - Raw request body string (must be unparsed)
+   * @param signatureHeader - Value of the `X-Waffo-Signature` header
+   * @param options - Verification options (optional)
+   * @returns Parsed webhook event
+   * @throws Error if signature is invalid, header is malformed, or timestamp is stale
+   *
+   * @example
+   * const event = client.webhooks.verify(rawBody, signatureHeader);
+   *
+   * @example
+   * // Override tolerance per call
+   * const event = client.webhooks.verify(rawBody, sig, { toleranceMs: 0 });
+   */
+  verify(payload, signatureHeader, options) {
+    const mergedOptions = {
+      ...options,
+      publicKey: options?.publicKey ?? this.publicKey
+    };
+    return verifyWebhook(payload, signatureHeader, mergedOptions);
+  }
+};
+
+// src/client.ts
+var WaffoPancake = class {
+  http;
+  auth;
+  stores;
+  storeMerchants;
+  onetimeProducts;
+  subscriptionProducts;
+  subscriptionProductGroups;
+  orders;
+  checkout;
+  graphql;
+  webhooks;
+  constructor(config) {
+    this.http = new HttpClient(config);
+    this.auth = new AuthResource(this.http);
+    this.stores = new StoresResource(this.http);
+    this.storeMerchants = new StoreMerchantsResource(this.http);
+    this.onetimeProducts = new OnetimeProductsResource(this.http);
+    this.subscriptionProducts = new SubscriptionProductsResource(this.http);
+    this.subscriptionProductGroups = new SubscriptionProductGroupsResource(this.http);
+    this.orders = new OrdersResource(this.http);
+    this.checkout = new CheckoutResource(this.http);
+    this.graphql = new GraphQLResource(this.http);
+    this.webhooks = new WebhooksResource(config.webhookPublicKey);
+  }
+};
+
 // src/types.ts
 var Environment = /* @__PURE__ */ ((Environment2) => {
   Environment2["Test"] = "test";