@waffo/pancake-ts 0.1.5 → 0.1.7

package/dist/index.d.ts

@@ -7,8 +7,16 @@ interface WaffoPancakeConfig {
     baseUrl?: string;
     /** Custom fetch implementation (default: global fetch) */
     fetch?: typeof fetch;
-    /** Custom RSA public key (PEM) for webhook signature verification. When set, overrides the built-in Waffo public keys. */
-    webhookPublicKey?: string;
+    /**
+     * Custom RSA public key(s) for webhook signature verification.
+     *
+     * - `string` — single key used for both test and prod environments
+     * - `{ test?, prod? }` — per-environment keys
+     *
+     * Resolution order per environment: config key → env var → built-in key.
+     * @see {@link VerifyWebhookOptions} for per-call overrides
+     */
+    webhookPublicKey?: WebhookPublicKeys;
 }
 /**
  * Single error object within the `errors` array.
@@ -711,6 +719,16 @@ interface WebhookEvent<T = WebhookEventData> {
     /** Event data */
     data: T;
 }
+/**
+ * Webhook public key configuration.
+ *
+ * - `string` — single key used for both test and prod environments
+ * - `{ test?, prod? }` — per-environment keys
+ */
+type WebhookPublicKeys = string | {
+    test?: string;
+    prod?: string;
+};
 /** Options for {@link verifyWebhook}. */
 interface VerifyWebhookOptions {
     /**
@@ -726,10 +744,23 @@ interface VerifyWebhookOptions {
      */
     toleranceMs?: number;
     /**
-     * Custom RSA public key (PEM) for signature verification.
-     * When provided, overrides both built-in keys and the `environment` option.
+     * Per-call public key override (highest priority).
+     * When provided, skips all other key resolution (config, env vars, built-in).
      */
     publicKey?: string;
+    /**
+     * Config-level public key(s) for the resolution chain.
+     * When using `client.webhooks.verify()`, this is set automatically from `WaffoPancakeConfig.webhookPublicKey`.
+     * When using the standalone `verifyWebhook()`, you can pass this directly for config-level key injection.
+     *
+     * Resolution order per environment:
+     * 1. `publicKey` (per-call override)
+     * 2. `publicKeys[env]` or `publicKeys` (config)
+     * 3. `WAFFO_WEBHOOK_{TEST|PROD}_PUBLIC_KEY` (env var)
+     * 4. `WAFFO_WEBHOOK_PUBLIC_KEY` (env var)
+     * 5. Built-in hardcoded key
+     */
+    publicKeys?: WebhookPublicKeys;
 }
 
 /**
@@ -1134,16 +1165,25 @@ declare class SubscriptionProductsResource {
     }>;
 }
 
-/** Webhook signature verification resource. */
+/**
+ * Webhook signature verification resource.
+ *
+ * Unlike other resources, this does not use HttpClient — webhook verification
+ * is a local cryptographic operation that does not require API calls.
+ */
 declare class WebhooksResource {
-    private readonly publicKey;
-    /** @param publicKey - Optional custom RSA public key (PEM or raw base64) */
-    constructor(publicKey: string | undefined);
+    private readonly publicKeys;
+    /** @param publicKeys - Optional config-level public key(s) from WaffoPancakeConfig */
+    constructor(publicKeys: WebhookPublicKeys | undefined);
     /**
      * Verify and parse an incoming webhook event.
      *
-     * When the client was created with a `webhookPublicKey`, that key is used
-     * automatically. You can still override per-call via `options.publicKey`.
+     * Key resolution order:
+     * 1. `options.publicKey` — per-call override (highest priority)
+     * 2. `config.webhookPublicKey[env]` or `config.webhookPublicKey` (string)
+     * 3. `WAFFO_WEBHOOK_{TEST|PROD}_PUBLIC_KEY` environment variable
+     * 4. `WAFFO_WEBHOOK_PUBLIC_KEY` environment variable
+     * 5. Built-in hardcoded key
      *
      * @param payload - Raw request body string (must be unparsed)
      * @param signatureHeader - Value of the `X-Waffo-Signature` header
@@ -1155,8 +1195,12 @@ declare class WebhooksResource {
      * const event = client.webhooks.verify(rawBody, signatureHeader);
      *
      * @example
-     * // Override tolerance per call
-     * const event = client.webhooks.verify(rawBody, sig, { toleranceMs: 0 });
+     * // Specify environment
+     * const event = client.webhooks.verify(rawBody, sig, { environment: "test" });
+     *
+     * @example
+     * // Per-call key override
+     * const event = client.webhooks.verify(rawBody, sig, { publicKey: oneOffKey });
      */
     verify<T = Record<string, unknown>>(payload: string, signatureHeader: string | undefined | null, options?: VerifyWebhookOptions): WebhookEvent<T>;
 }
@@ -1200,11 +1244,14 @@ declare class WebhooksResource {
  * });
  *
  * @example
- * // Use a custom public key for webhook verification
+ * // Per-environment webhook public keys
  * const client = new WaffoPancake({
  *   merchantId: "...",
  *   privateKey: "...",
- *   webhookPublicKey: myCustomPublicKeyPem,
+ *   webhookPublicKey: {
+ *     test: process.env.WAFFO_TEST_PUB_KEY!,
+ *     prod: process.env.WAFFO_PROD_PUB_KEY!,
+ *   },
  * });
  * const event = client.webhooks.verify(rawBody, signatureHeader);
  */
@@ -1245,8 +1292,12 @@ declare class WaffoPancakeError extends Error {
 /**
  * Verify and parse an incoming Waffo Pancake webhook event.
  *
- * Uses built-in Waffo public keys (RSA-SHA256) for signature verification.
- * Test and production environments use different key pairs; both are embedded in the SDK.
+ * Public key resolution (per environment):
+ * 1. `options.publicKey` — per-call override (highest priority, skips all other resolution)
+ * 2. `options.publicKeys[env]` or `options.publicKeys` (string) — config-level
+ * 3. `WAFFO_WEBHOOK_{TEST|PROD}_PUBLIC_KEY` environment variable
+ * 4. `WAFFO_WEBHOOK_PUBLIC_KEY` environment variable
+ * 5. Built-in hardcoded key
  *
  * Behavior:
  * - Parses the `X-Waffo-Signature` header (`t=<timestamp>,v1=<base64sig>`)
@@ -1295,4 +1346,4 @@ declare class WaffoPancakeError extends Error {
  */
 declare function verifyWebhook<T = Record<string, unknown>>(payload: string, signatureHeader: string | undefined | null, options?: VerifyWebhookOptions): WebhookEvent<T>;
 
-export { type AddMerchantParams, type AddMerchantResult, type ApiError, type ApiErrorResponse, type ApiResponse, type ApiSuccessResponse, type BillingDetail, BillingPeriod, type CancelSubscriptionParams, type CancelSubscriptionResult, CheckoutSessionProductType, type CheckoutSessionResult, type CheckoutSettings, type CheckoutThemeSettings, type CreateCheckoutSessionParams, type CreateOnetimeProductParams, type CreateStoreParams, type CreateSubscriptionProductGroupParams, type CreateSubscriptionProductParams, type DeleteStoreParams, type DeleteSubscriptionProductGroupParams, EntityStatus, Environment, ErrorLayer, type GraphQLParams, type GraphQLResponse, type GroupRules, type IssueSessionTokenParams, type MediaItem, MediaType, type NotificationSettings, OnetimeOrderStatus, type OnetimeProductDetail, PaymentStatus, type PriceInfo, type Prices, ProductVersionStatus, type PublishOnetimeProductParams, type PublishSubscriptionProductGroupParams, type PublishSubscriptionProductParams, RefundStatus, RefundTicketStatus, type RemoveMerchantParams, type RemoveMerchantResult, type SessionToken, type Store, StoreRole, SubscriptionOrderStatus, type SubscriptionProductDetail, type SubscriptionProductGroup, TaxCategory, type UpdateOnetimeProductParams, type UpdateOnetimeStatusParams, type UpdateRoleParams, type UpdateRoleResult, type UpdateStoreParams, type UpdateSubscriptionProductGroupParams, type UpdateSubscriptionProductParams, type UpdateSubscriptionStatusParams, type VerifyWebhookOptions, WaffoPancake, type WaffoPancakeConfig, WaffoPancakeError, type WebhookEvent, type WebhookEventData, WebhookEventType, type WebhookSettings, verifyWebhook };
+export { type AddMerchantParams, type AddMerchantResult, type ApiError, type ApiErrorResponse, type ApiResponse, type ApiSuccessResponse, type BillingDetail, BillingPeriod, type CancelSubscriptionParams, type CancelSubscriptionResult, CheckoutSessionProductType, type CheckoutSessionResult, type CheckoutSettings, type CheckoutThemeSettings, type CreateCheckoutSessionParams, type CreateOnetimeProductParams, type CreateStoreParams, type CreateSubscriptionProductGroupParams, type CreateSubscriptionProductParams, type DeleteStoreParams, type DeleteSubscriptionProductGroupParams, EntityStatus, Environment, ErrorLayer, type GraphQLParams, type GraphQLResponse, type GroupRules, type IssueSessionTokenParams, type MediaItem, MediaType, type NotificationSettings, OnetimeOrderStatus, type OnetimeProductDetail, PaymentStatus, type PriceInfo, type Prices, ProductVersionStatus, type PublishOnetimeProductParams, type PublishSubscriptionProductGroupParams, type PublishSubscriptionProductParams, RefundStatus, RefundTicketStatus, type RemoveMerchantParams, type RemoveMerchantResult, type SessionToken, type Store, StoreRole, SubscriptionOrderStatus, type SubscriptionProductDetail, type SubscriptionProductGroup, TaxCategory, type UpdateOnetimeProductParams, type UpdateOnetimeStatusParams, type UpdateRoleParams, type UpdateRoleResult, type UpdateStoreParams, type UpdateSubscriptionProductGroupParams, type UpdateSubscriptionProductParams, type UpdateSubscriptionStatusParams, type VerifyWebhookOptions, WaffoPancake, type WaffoPancakeConfig, WaffoPancakeError, type WebhookEvent, type WebhookEventData, WebhookEventType, type WebhookPublicKeys, type WebhookSettings, verifyWebhook };

package/dist/index.js

@@ -611,6 +611,23 @@ function rsaVerify(signatureInput, v1, publicKey) {
   verifier.update(signatureInput);
   return verifier.verify(publicKey, v1, "base64");
 }
+function resolveKeyForEnv(env, configKeys) {
+  if (typeof configKeys === "string") {
+    return normalizePublicKey(configKeys);
+  }
+  if (configKeys?.[env]) {
+    return normalizePublicKey(configKeys[env]);
+  }
+  const envSpecific = env === "test" ? process.env.WAFFO_WEBHOOK_TEST_PUBLIC_KEY : process.env.WAFFO_WEBHOOK_PROD_PUBLIC_KEY;
+  if (envSpecific) {
+    return normalizePublicKey(envSpecific);
+  }
+  const generic = process.env.WAFFO_WEBHOOK_PUBLIC_KEY;
+  if (generic) {
+    return normalizePublicKey(generic);
+  }
+  return env === "test" ? TEST_PUBLIC_KEY : PROD_PUBLIC_KEY;
+}
 function verifyWebhook(payload, signatureHeader, options) {
   if (!signatureHeader) {
     throw new Error("Missing X-Waffo-Signature header");
@@ -630,27 +647,25 @@ function verifyWebhook(payload, signatureHeader, options) {
     }
   }
   const signatureInput = `${t}.${payload}`;
-  const customKey = options?.publicKey;
-  if (customKey) {
-    const normalizedKey = normalizePublicKey(customKey);
+  const directKey = options?.publicKey;
+  if (directKey) {
+    const normalizedKey = normalizePublicKey(directKey);
     if (!rsaVerify(signatureInput, v1, normalizedKey)) {
       throw new Error("Invalid webhook signature (custom key)");
     }
   } else {
+    const configKeys = options?.publicKeys;
     const env = options?.environment;
-    if (env === "test") {
-      if (!rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY)) {
-        throw new Error("Invalid webhook signature (test key)");
-      }
-    } else if (env === "prod") {
-      if (!rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY)) {
-        throw new Error("Invalid webhook signature (prod key)");
+    if (env === "test" || env === "prod") {
+      const key = resolveKeyForEnv(env, configKeys);
+      if (!rsaVerify(signatureInput, v1, key)) {
+        throw new Error(`Invalid webhook signature (${env} key)`);
       }
     } else {
-      const prodValid = rsaVerify(signatureInput, v1, PROD_PUBLIC_KEY);
-      if (!prodValid) {
-        const testValid = rsaVerify(signatureInput, v1, TEST_PUBLIC_KEY);
-        if (!testValid) {
+      const prodKey = resolveKeyForEnv("prod", configKeys);
+      if (!rsaVerify(signatureInput, v1, prodKey)) {
+        const testKey = resolveKeyForEnv("test", configKeys);
+        if (!rsaVerify(signatureInput, v1, testKey)) {
           throw new Error("Invalid webhook signature (tried both prod and test keys)");
         }
       }
@@ -661,15 +676,19 @@ function verifyWebhook(payload, signatureHeader, options) {
 
 // src/resources/webhooks.ts
 var WebhooksResource = class {
-  /** @param publicKey - Optional custom RSA public key (PEM or raw base64) */
-  constructor(publicKey) {
-    this.publicKey = publicKey;
+  /** @param publicKeys - Optional config-level public key(s) from WaffoPancakeConfig */
+  constructor(publicKeys) {
+    this.publicKeys = publicKeys;
   }
   /**
    * Verify and parse an incoming webhook event.
    *
-   * When the client was created with a `webhookPublicKey`, that key is used
-   * automatically. You can still override per-call via `options.publicKey`.
+   * Key resolution order:
+   * 1. `options.publicKey` — per-call override (highest priority)
+   * 2. `config.webhookPublicKey[env]` or `config.webhookPublicKey` (string)
+   * 3. `WAFFO_WEBHOOK_{TEST|PROD}_PUBLIC_KEY` environment variable
+   * 4. `WAFFO_WEBHOOK_PUBLIC_KEY` environment variable
+   * 5. Built-in hardcoded key
    *
    * @param payload - Raw request body string (must be unparsed)
    * @param signatureHeader - Value of the `X-Waffo-Signature` header
@@ -681,13 +700,17 @@ var WebhooksResource = class {
    * const event = client.webhooks.verify(rawBody, signatureHeader);
    *
    * @example
-   * // Override tolerance per call
-   * const event = client.webhooks.verify(rawBody, sig, { toleranceMs: 0 });
+   * // Specify environment
+   * const event = client.webhooks.verify(rawBody, sig, { environment: "test" });
+   *
+   * @example
+   * // Per-call key override
+   * const event = client.webhooks.verify(rawBody, sig, { publicKey: oneOffKey });
    */
   verify(payload, signatureHeader, options) {
     const mergedOptions = {
       ...options,
-      publicKey: options?.publicKey ?? this.publicKey
+      publicKeys: options?.publicKeys ?? this.publicKeys
     };
     return verifyWebhook(payload, signatureHeader, mergedOptions);
   }