@whatalo/plugin-sdk 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/dist/adapters/express.cjs +101 -10
  2. package/dist/adapters/express.cjs.map +1 -1
  3. package/dist/adapters/express.d.cts +9 -7
  4. package/dist/adapters/express.d.ts +9 -7
  5. package/dist/adapters/express.mjs +104 -10
  6. package/dist/adapters/express.mjs.map +1 -1
  7. package/dist/adapters/hono.cjs +94 -7
  8. package/dist/adapters/hono.cjs.map +1 -1
  9. package/dist/adapters/hono.d.cts +4 -3
  10. package/dist/adapters/hono.d.ts +4 -3
  11. package/dist/adapters/hono.mjs +97 -7
  12. package/dist/adapters/hono.mjs.map +1 -1
  13. package/dist/adapters/nextjs.cjs +94 -7
  14. package/dist/adapters/nextjs.cjs.map +1 -1
  15. package/dist/adapters/nextjs.d.cts +4 -3
  16. package/dist/adapters/nextjs.d.ts +4 -3
  17. package/dist/adapters/nextjs.mjs +97 -7
  18. package/dist/adapters/nextjs.mjs.map +1 -1
  19. package/dist/bridge/index.cjs +33 -2
  20. package/dist/bridge/index.cjs.map +1 -1
  21. package/dist/bridge/index.d.cts +17 -5
  22. package/dist/bridge/index.d.ts +17 -5
  23. package/dist/bridge/index.mjs +33 -2
  24. package/dist/bridge/index.mjs.map +1 -1
  25. package/dist/client/index.cjs +36 -2
  26. package/dist/client/index.cjs.map +1 -1
  27. package/dist/client/index.d.cts +31 -4
  28. package/dist/client/index.d.ts +31 -4
  29. package/dist/client/index.mjs +36 -2
  30. package/dist/client/index.mjs.map +1 -1
  31. package/dist/index.cjs +150 -25
  32. package/dist/index.cjs.map +1 -1
  33. package/dist/index.d.cts +7 -4
  34. package/dist/index.d.ts +7 -4
  35. package/dist/index.mjs +150 -25
  36. package/dist/index.mjs.map +1 -1
  37. package/dist/manifest/index.cjs +2 -17
  38. package/dist/manifest/index.cjs.map +1 -1
  39. package/dist/manifest/index.d.cts +10 -4
  40. package/dist/manifest/index.d.ts +10 -4
  41. package/dist/manifest/index.mjs +2 -17
  42. package/dist/manifest/index.mjs.map +1 -1
  43. package/dist/{types-M1eLMz6w.d.cts → types-B8BAV362.d.cts} +39 -3
  44. package/dist/{types-M1eLMz6w.d.ts → types-B8BAV362.d.ts} +39 -3
  45. package/dist/types-BU71_xQm.d.cts +25 -0
  46. package/dist/types-BhtVJPgF.d.ts +25 -0
  47. package/dist/types-Bo9GbqrM.d.ts +133 -0
  48. package/dist/types-rA6kVlpV.d.cts +133 -0
  49. package/dist/webhooks/index.cjs +78 -3
  50. package/dist/webhooks/index.cjs.map +1 -1
  51. package/dist/webhooks/index.d.cts +11 -4
  52. package/dist/webhooks/index.d.ts +11 -4
  53. package/dist/webhooks/index.mjs +78 -3
  54. package/dist/webhooks/index.mjs.map +1 -1
  55. package/package.json +32 -15
  56. package/dist/types-D2Efg3EG.d.ts +0 -19
  57. package/dist/types-DZ659i6f.d.ts +0 -68
  58. package/dist/types-Db_BeRCj.d.cts +0 -19
  59. package/dist/types-DdqKKyqX.d.cts +0 -68
@@ -26,14 +26,26 @@ module.exports = __toCommonJS(express_exports);
26
26
 
27
27
  // src/webhooks/verify.ts
28
28
  var import_node_crypto = require("crypto");
29
+ var DEFAULT_TOLERANCE_SECONDS = 300;
29
30
  function verifyWebhook({
30
31
  payload,
31
32
  signature,
32
- secret
33
+ timestamp,
34
+ secret,
35
+ toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
36
+ currentTime = Math.floor(Date.now() / 1e3)
33
37
  }) {
34
- if (!payload || !signature || !secret) return false;
35
- const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(payload, "utf8").digest("hex");
38
+ if (!payload || !signature || !secret || timestamp === "") return false;
39
+ const timestampString = String(timestamp);
40
+ const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
41
+ if (!Number.isInteger(timestampValue)) return false;
42
+ if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
43
+ if (!Number.isFinite(currentTime)) return false;
44
+ const ageSeconds = Math.abs(currentTime - timestampValue);
45
+ if (ageSeconds > toleranceSeconds) return false;
46
+ const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
36
47
  if (expected.length !== signature.length) return false;
48
+ if (!/^[a-f0-9]+$/i.test(signature)) return false;
37
49
  try {
38
50
  return (0, import_node_crypto.timingSafeEqual)(
39
51
  Buffer.from(expected, "hex"),
@@ -44,9 +56,66 @@ function verifyWebhook({
44
56
  }
45
57
  }
46
58
 
59
+ // src/webhooks/types.ts
60
+ var import_events = require("@whatalo/protocol/events");
61
+ var WEBHOOK_EVENTS = import_events.PUBLIC_WEBHOOK_EVENTS;
62
+ function isWebhookEvent(value) {
63
+ return (0, import_events.isPublicWebhookEvent)(value);
64
+ }
65
+ function isRecord(value) {
66
+ return typeof value === "object" && value !== null && !Array.isArray(value);
67
+ }
68
+ function hasStringId(value) {
69
+ return isRecord(value) && typeof value.id === "string";
70
+ }
71
+ function isOptionalString(value, key) {
72
+ return value[key] === void 0 || typeof value[key] === "string";
73
+ }
74
+ function isRuntimeWebhookStore(value) {
75
+ return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
76
+ }
77
+ function hasValidBasePayloadFields(value) {
78
+ if (!isOptionalString(value, "event_id")) return false;
79
+ if (!isOptionalString(value, "occurred_at")) return false;
80
+ return isRuntimeWebhookStore(value.store);
81
+ }
82
+ function isRuntimeOrderWebhookPayload(value) {
83
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
84
+ }
85
+ function isRuntimeProductWebhookPayload(value) {
86
+ return hasValidBasePayloadFields(value) && hasStringId(value.product);
87
+ }
88
+ function isRuntimeCustomerWebhookPayload(value) {
89
+ return hasValidBasePayloadFields(value) && hasStringId(value.customer);
90
+ }
91
+ function isRuntimeCheckoutCompletedWebhookPayload(value) {
92
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
93
+ }
94
+ function isRuntimeWebhookPayload(value, event) {
95
+ if (!isRecord(value)) return false;
96
+ switch (event) {
97
+ case WEBHOOK_EVENTS.ORDER_CREATED:
98
+ case WEBHOOK_EVENTS.ORDER_UPDATED:
99
+ case WEBHOOK_EVENTS.ORDER_CANCELLED:
100
+ case WEBHOOK_EVENTS.ORDER_COMPLETED:
101
+ return isRuntimeOrderWebhookPayload(value);
102
+ case WEBHOOK_EVENTS.PRODUCT_CREATED:
103
+ case WEBHOOK_EVENTS.PRODUCT_UPDATED:
104
+ case WEBHOOK_EVENTS.PRODUCT_DELETED:
105
+ return isRuntimeProductWebhookPayload(value);
106
+ case WEBHOOK_EVENTS.CUSTOMER_CREATED:
107
+ case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
108
+ return isRuntimeCustomerWebhookPayload(value);
109
+ case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
110
+ return isRuntimeCheckoutCompletedWebhookPayload(value);
111
+ default:
112
+ return false;
113
+ }
114
+ }
115
+
47
116
  // src/adapters/express.ts
48
- function getSignature(headers) {
49
- const value = headers["x-webhook-signature"];
117
+ function getHeader(name, headers) {
118
+ const value = headers[name];
50
119
  if (Array.isArray(value)) {
51
120
  return value[0] ?? "";
52
121
  }
@@ -56,23 +125,45 @@ function createWebhookHandler(options) {
56
125
  return async function webhookHandler(req, res) {
57
126
  try {
58
127
  const rawPayload = typeof req.body === "string" ? req.body : req.body.toString("utf8");
59
- const signature = getSignature(req.headers);
128
+ const signature = getHeader("x-webhook-signature", req.headers);
129
+ const timestamp = getHeader("x-webhook-timestamp", req.headers);
130
+ const event = getHeader("x-webhook-event", req.headers);
131
+ const deliveryId = getHeader("x-webhook-id", req.headers);
60
132
  const isValid = verifyWebhook({
61
133
  payload: rawPayload,
62
134
  signature,
135
+ timestamp,
63
136
  secret: options.secret
64
137
  });
65
138
  if (!isValid) {
66
139
  res.status(401).json({ error: "Invalid signature" });
67
140
  return;
68
141
  }
69
- const payload = JSON.parse(rawPayload);
70
- const event = payload.event;
142
+ if (!event) {
143
+ res.status(400).json({ error: "Missing event header" });
144
+ return;
145
+ }
146
+ if (!isWebhookEvent(event)) {
147
+ res.status(400).json({ error: "Invalid event header" });
148
+ return;
149
+ }
150
+ let parsedPayload;
151
+ try {
152
+ parsedPayload = JSON.parse(rawPayload);
153
+ } catch {
154
+ res.status(400).json({ error: "Invalid JSON" });
155
+ return;
156
+ }
157
+ if (!isRuntimeWebhookPayload(parsedPayload, event)) {
158
+ res.status(400).json({ error: "Invalid payload" });
159
+ return;
160
+ }
161
+ const context = { deliveryId, event, timestamp };
71
162
  const handler = options.handlers[event];
72
163
  if (handler) {
73
- await handler(payload);
164
+ await handler(parsedPayload, context);
74
165
  } else if (options.onUnhandledEvent) {
75
- await options.onUnhandledEvent(event, payload);
166
+ await options.onUnhandledEvent(event, parsedPayload, context);
76
167
  }
77
168
  res.status(200).send("OK");
78
169
  } catch {
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/adapters/express.ts","../../src/webhooks/verify.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\ntype ExpressLikeRequest = {\n body: Buffer | string;\n headers: Record<string, string | string[] | undefined>;\n};\n\ntype ExpressLikeResponse = {\n status: (code: number) => {\n json: (body: unknown) => void;\n send: (body: string) => void;\n };\n};\n\nfunction getSignature(\n headers: Record<string, string | string[] | undefined>\n): string {\n const value = headers[\"x-webhook-signature\"];\n\n if (Array.isArray(value)) {\n return value[0] ?? \"\";\n }\n\n return value ?? \"\";\n}\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void> {\n return async function webhookHandler(\n req: ExpressLikeRequest,\n res: ExpressLikeResponse\n ): Promise<void> {\n try {\n const rawPayload =\n typeof req.body === \"string\" ? req.body : req.body.toString(\"utf8\");\n const signature = getSignature(req.headers);\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n res.status(401).json({ error: \"Invalid signature\" });\n return;\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n res.status(200).send(\"OK\");\n } catch {\n res.status(500).json({ error: \"Internal error\" });\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ADpBA,SAAS,aACP,SACQ;AACR,QAAM,QAAQ,QAAQ,qBAAqB;AAE3C,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,CAAC,KAAK;AAAA,EACrB;AAEA,SAAO,SAAS;AAClB;AAEO,SAAS,qBACd,SACsE;AACtE,SAAO,eAAe,eACpB,KACA,KACe;AACf,QAAI;AACF,YAAM,aACJ,OAAO,IAAI,SAAS,WAAW,IAAI,OAAO,IAAI,KAAK,SAAS,MAAM;AACpE,YAAM,YAAY,aAAa,IAAI,OAAO;AAE1C,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACnD;AAAA,MACF;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,IAC3B,QAAQ;AACN,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/adapters/express.ts","../../src/webhooks/verify.ts","../../src/webhooks/types.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\ntype ExpressLikeRequest = {\n body: Buffer | string;\n headers: Record<string, string | string[] | undefined>;\n};\n\ntype ExpressLikeStatusResponse = {\n json: (body: unknown) => void;\n send: (body: string) => void;\n};\n\ntype ExpressLikeResponse = {\n status: (code: number) => ExpressLikeStatusResponse;\n};\n\nfunction getHeader(\n name: string,\n headers: Record<string, string | string[] | undefined>\n): string {\n const value = headers[name];\n\n if (Array.isArray(value)) {\n return value[0] ?? \"\";\n }\n\n return value ?? \"\";\n}\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void> {\n return async function webhookHandler(\n req: ExpressLikeRequest,\n res: ExpressLikeResponse\n ): Promise<void> {\n try {\n const rawPayload =\n typeof req.body === \"string\" ? req.body : req.body.toString(\"utf8\");\n const signature = getHeader(\"x-webhook-signature\", req.headers);\n const timestamp = getHeader(\"x-webhook-timestamp\", req.headers);\n const event = getHeader(\"x-webhook-event\", req.headers);\n const deliveryId = getHeader(\"x-webhook-id\", req.headers);\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n res.status(401).json({ error: \"Invalid signature\" });\n return;\n }\n\n if (!event) {\n res.status(400).json({ error: \"Missing event header\" });\n return;\n }\n\n if (!isWebhookEvent(event)) {\n res.status(400).json({ error: \"Invalid event header\" });\n return;\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n res.status(400).json({ error: \"Invalid JSON\" });\n return;\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n res.status(400).json({ error: \"Invalid payload\" });\n return;\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n res.status(200).send(\"OK\");\n } catch {\n res.status(500).json({ error: \"Internal error\" });\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA,oBAIO;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,aAAO,oCAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;AF1NA,SAAS,UACP,MACA,SACQ;AACR,QAAM,QAAQ,QAAQ,IAAI;AAE1B,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,CAAC,KAAK;AAAA,EACrB;AAEA,SAAO,SAAS;AAClB;AAEO,SAAS,qBACd,SACsE;AACtE,SAAO,eAAe,eACpB,KACA,KACe;AACf,QAAI;AACF,YAAM,aACJ,OAAO,IAAI,SAAS,WAAW,IAAI,OAAO,IAAI,KAAK,SAAS,MAAM;AACpE,YAAM,YAAY,UAAU,uBAAuB,IAAI,OAAO;AAC9D,YAAM,YAAY,UAAU,uBAAuB,IAAI,OAAO;AAC9D,YAAM,QAAQ,UAAU,mBAAmB,IAAI,OAAO;AACtD,YAAM,aAAa,UAAU,gBAAgB,IAAI,OAAO;AAExD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACnD;AAAA,MACF;AAEA,UAAI,CAAC,OAAO;AACV,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,uBAAuB,CAAC;AACtD;AAAA,MACF;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,uBAAuB,CAAC;AACtD;AAAA,MACF;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,eAAe,CAAC;AAC9C;AAAA,MACF;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAC;AACjD;AAAA,MACF;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,IAC3B,QAAQ;AACN,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
@@ -1,16 +1,18 @@
1
- import { W as WebhookHandlerOptions } from '../types-Db_BeRCj.cjs';
2
- import '../types-DdqKKyqX.cjs';
3
- import '../types-M1eLMz6w.cjs';
1
+ import { W as WebhookHandlerOptions } from '../types-BU71_xQm.cjs';
2
+ import '../types-rA6kVlpV.cjs';
3
+ import '@whatalo/protocol/events';
4
+ import '../types-B8BAV362.cjs';
4
5
 
5
6
  type ExpressLikeRequest = {
6
7
  body: Buffer | string;
7
8
  headers: Record<string, string | string[] | undefined>;
8
9
  };
10
+ type ExpressLikeStatusResponse = {
11
+ json: (body: unknown) => void;
12
+ send: (body: string) => void;
13
+ };
9
14
  type ExpressLikeResponse = {
10
- status: (code: number) => {
11
- json: (body: unknown) => void;
12
- send: (body: string) => void;
13
- };
15
+ status: (code: number) => ExpressLikeStatusResponse;
14
16
  };
15
17
  declare function createWebhookHandler(options: WebhookHandlerOptions): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void>;
16
18
 
@@ -1,16 +1,18 @@
1
- import { W as WebhookHandlerOptions } from '../types-D2Efg3EG.js';
2
- import '../types-DZ659i6f.js';
3
- import '../types-M1eLMz6w.js';
1
+ import { W as WebhookHandlerOptions } from '../types-BhtVJPgF.js';
2
+ import '../types-Bo9GbqrM.js';
3
+ import '@whatalo/protocol/events';
4
+ import '../types-B8BAV362.js';
4
5
 
5
6
  type ExpressLikeRequest = {
6
7
  body: Buffer | string;
7
8
  headers: Record<string, string | string[] | undefined>;
8
9
  };
10
+ type ExpressLikeStatusResponse = {
11
+ json: (body: unknown) => void;
12
+ send: (body: string) => void;
13
+ };
9
14
  type ExpressLikeResponse = {
10
- status: (code: number) => {
11
- json: (body: unknown) => void;
12
- send: (body: string) => void;
13
- };
15
+ status: (code: number) => ExpressLikeStatusResponse;
14
16
  };
15
17
  declare function createWebhookHandler(options: WebhookHandlerOptions): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void>;
16
18
 
@@ -1,13 +1,25 @@
1
1
  // src/webhooks/verify.ts
2
2
  import { createHmac, timingSafeEqual } from "crypto";
3
+ var DEFAULT_TOLERANCE_SECONDS = 300;
3
4
  function verifyWebhook({
4
5
  payload,
5
6
  signature,
6
- secret
7
+ timestamp,
8
+ secret,
9
+ toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
10
+ currentTime = Math.floor(Date.now() / 1e3)
7
11
  }) {
8
- if (!payload || !signature || !secret) return false;
9
- const expected = createHmac("sha256", secret).update(payload, "utf8").digest("hex");
12
+ if (!payload || !signature || !secret || timestamp === "") return false;
13
+ const timestampString = String(timestamp);
14
+ const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
15
+ if (!Number.isInteger(timestampValue)) return false;
16
+ if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
17
+ if (!Number.isFinite(currentTime)) return false;
18
+ const ageSeconds = Math.abs(currentTime - timestampValue);
19
+ if (ageSeconds > toleranceSeconds) return false;
20
+ const expected = createHmac("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
10
21
  if (expected.length !== signature.length) return false;
22
+ if (!/^[a-f0-9]+$/i.test(signature)) return false;
11
23
  try {
12
24
  return timingSafeEqual(
13
25
  Buffer.from(expected, "hex"),
@@ -18,9 +30,69 @@ function verifyWebhook({
18
30
  }
19
31
  }
20
32
 
33
+ // src/webhooks/types.ts
34
+ import {
35
+ PUBLIC_WEBHOOK_EVENTS,
36
+ isPublicWebhookEvent
37
+ } from "@whatalo/protocol/events";
38
+ var WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;
39
+ function isWebhookEvent(value) {
40
+ return isPublicWebhookEvent(value);
41
+ }
42
+ function isRecord(value) {
43
+ return typeof value === "object" && value !== null && !Array.isArray(value);
44
+ }
45
+ function hasStringId(value) {
46
+ return isRecord(value) && typeof value.id === "string";
47
+ }
48
+ function isOptionalString(value, key) {
49
+ return value[key] === void 0 || typeof value[key] === "string";
50
+ }
51
+ function isRuntimeWebhookStore(value) {
52
+ return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
53
+ }
54
+ function hasValidBasePayloadFields(value) {
55
+ if (!isOptionalString(value, "event_id")) return false;
56
+ if (!isOptionalString(value, "occurred_at")) return false;
57
+ return isRuntimeWebhookStore(value.store);
58
+ }
59
+ function isRuntimeOrderWebhookPayload(value) {
60
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
61
+ }
62
+ function isRuntimeProductWebhookPayload(value) {
63
+ return hasValidBasePayloadFields(value) && hasStringId(value.product);
64
+ }
65
+ function isRuntimeCustomerWebhookPayload(value) {
66
+ return hasValidBasePayloadFields(value) && hasStringId(value.customer);
67
+ }
68
+ function isRuntimeCheckoutCompletedWebhookPayload(value) {
69
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
70
+ }
71
+ function isRuntimeWebhookPayload(value, event) {
72
+ if (!isRecord(value)) return false;
73
+ switch (event) {
74
+ case WEBHOOK_EVENTS.ORDER_CREATED:
75
+ case WEBHOOK_EVENTS.ORDER_UPDATED:
76
+ case WEBHOOK_EVENTS.ORDER_CANCELLED:
77
+ case WEBHOOK_EVENTS.ORDER_COMPLETED:
78
+ return isRuntimeOrderWebhookPayload(value);
79
+ case WEBHOOK_EVENTS.PRODUCT_CREATED:
80
+ case WEBHOOK_EVENTS.PRODUCT_UPDATED:
81
+ case WEBHOOK_EVENTS.PRODUCT_DELETED:
82
+ return isRuntimeProductWebhookPayload(value);
83
+ case WEBHOOK_EVENTS.CUSTOMER_CREATED:
84
+ case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
85
+ return isRuntimeCustomerWebhookPayload(value);
86
+ case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
87
+ return isRuntimeCheckoutCompletedWebhookPayload(value);
88
+ default:
89
+ return false;
90
+ }
91
+ }
92
+
21
93
  // src/adapters/express.ts
22
- function getSignature(headers) {
23
- const value = headers["x-webhook-signature"];
94
+ function getHeader(name, headers) {
95
+ const value = headers[name];
24
96
  if (Array.isArray(value)) {
25
97
  return value[0] ?? "";
26
98
  }
@@ -30,23 +102,45 @@ function createWebhookHandler(options) {
30
102
  return async function webhookHandler(req, res) {
31
103
  try {
32
104
  const rawPayload = typeof req.body === "string" ? req.body : req.body.toString("utf8");
33
- const signature = getSignature(req.headers);
105
+ const signature = getHeader("x-webhook-signature", req.headers);
106
+ const timestamp = getHeader("x-webhook-timestamp", req.headers);
107
+ const event = getHeader("x-webhook-event", req.headers);
108
+ const deliveryId = getHeader("x-webhook-id", req.headers);
34
109
  const isValid = verifyWebhook({
35
110
  payload: rawPayload,
36
111
  signature,
112
+ timestamp,
37
113
  secret: options.secret
38
114
  });
39
115
  if (!isValid) {
40
116
  res.status(401).json({ error: "Invalid signature" });
41
117
  return;
42
118
  }
43
- const payload = JSON.parse(rawPayload);
44
- const event = payload.event;
119
+ if (!event) {
120
+ res.status(400).json({ error: "Missing event header" });
121
+ return;
122
+ }
123
+ if (!isWebhookEvent(event)) {
124
+ res.status(400).json({ error: "Invalid event header" });
125
+ return;
126
+ }
127
+ let parsedPayload;
128
+ try {
129
+ parsedPayload = JSON.parse(rawPayload);
130
+ } catch {
131
+ res.status(400).json({ error: "Invalid JSON" });
132
+ return;
133
+ }
134
+ if (!isRuntimeWebhookPayload(parsedPayload, event)) {
135
+ res.status(400).json({ error: "Invalid payload" });
136
+ return;
137
+ }
138
+ const context = { deliveryId, event, timestamp };
45
139
  const handler = options.handlers[event];
46
140
  if (handler) {
47
- await handler(payload);
141
+ await handler(parsedPayload, context);
48
142
  } else if (options.onUnhandledEvent) {
49
- await options.onUnhandledEvent(event, payload);
143
+ await options.onUnhandledEvent(event, parsedPayload, context);
50
144
  }
51
145
  res.status(200).send("OK");
52
146
  } catch {
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/webhooks/verify.ts","../../src/adapters/express.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\ntype ExpressLikeRequest = {\n body: Buffer | string;\n headers: Record<string, string | string[] | undefined>;\n};\n\ntype ExpressLikeResponse = {\n status: (code: number) => {\n json: (body: unknown) => void;\n send: (body: string) => void;\n };\n};\n\nfunction getSignature(\n headers: Record<string, string | string[] | undefined>\n): string {\n const value = headers[\"x-webhook-signature\"];\n\n if (Array.isArray(value)) {\n return value[0] ?? \"\";\n }\n\n return value ?? \"\";\n}\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void> {\n return async function webhookHandler(\n req: ExpressLikeRequest,\n res: ExpressLikeResponse\n ): Promise<void> {\n try {\n const rawPayload =\n typeof req.body === \"string\" ? req.body : req.body.toString(\"utf8\");\n const signature = getSignature(req.headers);\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n res.status(401).json({ error: \"Invalid signature\" });\n return;\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n res.status(200).send(\"OK\");\n } catch {\n res.status(500).json({ error: \"Internal error\" });\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACpBA,SAAS,aACP,SACQ;AACR,QAAM,QAAQ,QAAQ,qBAAqB;AAE3C,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,CAAC,KAAK;AAAA,EACrB;AAEA,SAAO,SAAS;AAClB;AAEO,SAAS,qBACd,SACsE;AACtE,SAAO,eAAe,eACpB,KACA,KACe;AACf,QAAI;AACF,YAAM,aACJ,OAAO,IAAI,SAAS,WAAW,IAAI,OAAO,IAAI,KAAK,SAAS,MAAM;AACpE,YAAM,YAAY,aAAa,IAAI,OAAO;AAE1C,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACnD;AAAA,MACF;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,IAC3B,QAAQ;AACN,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/webhooks/verify.ts","../../src/webhooks/types.ts","../../src/adapters/express.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\ntype ExpressLikeRequest = {\n body: Buffer | string;\n headers: Record<string, string | string[] | undefined>;\n};\n\ntype ExpressLikeStatusResponse = {\n json: (body: unknown) => void;\n send: (body: string) => void;\n};\n\ntype ExpressLikeResponse = {\n status: (code: number) => ExpressLikeStatusResponse;\n};\n\nfunction getHeader(\n name: string,\n headers: Record<string, string | string[] | undefined>\n): string {\n const value = headers[name];\n\n if (Array.isArray(value)) {\n return value[0] ?? \"\";\n }\n\n return value ?? \"\";\n}\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (req: ExpressLikeRequest, res: ExpressLikeResponse) => Promise<void> {\n return async function webhookHandler(\n req: ExpressLikeRequest,\n res: ExpressLikeResponse\n ): Promise<void> {\n try {\n const rawPayload =\n typeof req.body === \"string\" ? req.body : req.body.toString(\"utf8\");\n const signature = getHeader(\"x-webhook-signature\", req.headers);\n const timestamp = getHeader(\"x-webhook-timestamp\", req.headers);\n const event = getHeader(\"x-webhook-event\", req.headers);\n const deliveryId = getHeader(\"x-webhook-id\", req.headers);\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n res.status(401).json({ error: \"Invalid signature\" });\n return;\n }\n\n if (!event) {\n res.status(400).json({ error: \"Missing event header\" });\n return;\n }\n\n if (!isWebhookEvent(event)) {\n res.status(400).json({ error: \"Invalid event header\" });\n return;\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n res.status(400).json({ error: \"Invalid JSON\" });\n return;\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n res.status(400).json({ error: \"Invalid payload\" });\n return;\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n res.status(200).send(\"OK\");\n } catch {\n res.status(500).json({ error: \"Internal error\" });\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,SAAO,qBAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;AC1NA,SAAS,UACP,MACA,SACQ;AACR,QAAM,QAAQ,QAAQ,IAAI;AAE1B,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,CAAC,KAAK;AAAA,EACrB;AAEA,SAAO,SAAS;AAClB;AAEO,SAAS,qBACd,SACsE;AACtE,SAAO,eAAe,eACpB,KACA,KACe;AACf,QAAI;AACF,YAAM,aACJ,OAAO,IAAI,SAAS,WAAW,IAAI,OAAO,IAAI,KAAK,SAAS,MAAM;AACpE,YAAM,YAAY,UAAU,uBAAuB,IAAI,OAAO;AAC9D,YAAM,YAAY,UAAU,uBAAuB,IAAI,OAAO;AAC9D,YAAM,QAAQ,UAAU,mBAAmB,IAAI,OAAO;AACtD,YAAM,aAAa,UAAU,gBAAgB,IAAI,OAAO;AAExD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACnD;AAAA,MACF;AAEA,UAAI,CAAC,OAAO;AACV,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,uBAAuB,CAAC;AACtD;AAAA,MACF;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,uBAAuB,CAAC;AACtD;AAAA,MACF;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,eAAe,CAAC;AAC9C;AAAA,MACF;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,YAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,kBAAkB,CAAC;AACjD;AAAA,MACF;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,UAAI,OAAO,GAAG,EAAE,KAAK,IAAI;AAAA,IAC3B,QAAQ;AACN,UAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,iBAAiB,CAAC;AAAA,IAClD;AAAA,EACF;AACF;","names":[]}
@@ -26,14 +26,26 @@ module.exports = __toCommonJS(hono_exports);
26
26
 
27
27
  // src/webhooks/verify.ts
28
28
  var import_node_crypto = require("crypto");
29
+ var DEFAULT_TOLERANCE_SECONDS = 300;
29
30
  function verifyWebhook({
30
31
  payload,
31
32
  signature,
32
- secret
33
+ timestamp,
34
+ secret,
35
+ toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
36
+ currentTime = Math.floor(Date.now() / 1e3)
33
37
  }) {
34
- if (!payload || !signature || !secret) return false;
35
- const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(payload, "utf8").digest("hex");
38
+ if (!payload || !signature || !secret || timestamp === "") return false;
39
+ const timestampString = String(timestamp);
40
+ const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
41
+ if (!Number.isInteger(timestampValue)) return false;
42
+ if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
43
+ if (!Number.isFinite(currentTime)) return false;
44
+ const ageSeconds = Math.abs(currentTime - timestampValue);
45
+ if (ageSeconds > toleranceSeconds) return false;
46
+ const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
36
47
  if (expected.length !== signature.length) return false;
48
+ if (!/^[a-f0-9]+$/i.test(signature)) return false;
37
49
  try {
38
50
  return (0, import_node_crypto.timingSafeEqual)(
39
51
  Buffer.from(expected, "hex"),
@@ -44,27 +56,102 @@ function verifyWebhook({
44
56
  }
45
57
  }
46
58
 
59
+ // src/webhooks/types.ts
60
+ var import_events = require("@whatalo/protocol/events");
61
+ var WEBHOOK_EVENTS = import_events.PUBLIC_WEBHOOK_EVENTS;
62
+ function isWebhookEvent(value) {
63
+ return (0, import_events.isPublicWebhookEvent)(value);
64
+ }
65
+ function isRecord(value) {
66
+ return typeof value === "object" && value !== null && !Array.isArray(value);
67
+ }
68
+ function hasStringId(value) {
69
+ return isRecord(value) && typeof value.id === "string";
70
+ }
71
+ function isOptionalString(value, key) {
72
+ return value[key] === void 0 || typeof value[key] === "string";
73
+ }
74
+ function isRuntimeWebhookStore(value) {
75
+ return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
76
+ }
77
+ function hasValidBasePayloadFields(value) {
78
+ if (!isOptionalString(value, "event_id")) return false;
79
+ if (!isOptionalString(value, "occurred_at")) return false;
80
+ return isRuntimeWebhookStore(value.store);
81
+ }
82
+ function isRuntimeOrderWebhookPayload(value) {
83
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
84
+ }
85
+ function isRuntimeProductWebhookPayload(value) {
86
+ return hasValidBasePayloadFields(value) && hasStringId(value.product);
87
+ }
88
+ function isRuntimeCustomerWebhookPayload(value) {
89
+ return hasValidBasePayloadFields(value) && hasStringId(value.customer);
90
+ }
91
+ function isRuntimeCheckoutCompletedWebhookPayload(value) {
92
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
93
+ }
94
+ function isRuntimeWebhookPayload(value, event) {
95
+ if (!isRecord(value)) return false;
96
+ switch (event) {
97
+ case WEBHOOK_EVENTS.ORDER_CREATED:
98
+ case WEBHOOK_EVENTS.ORDER_UPDATED:
99
+ case WEBHOOK_EVENTS.ORDER_CANCELLED:
100
+ case WEBHOOK_EVENTS.ORDER_COMPLETED:
101
+ return isRuntimeOrderWebhookPayload(value);
102
+ case WEBHOOK_EVENTS.PRODUCT_CREATED:
103
+ case WEBHOOK_EVENTS.PRODUCT_UPDATED:
104
+ case WEBHOOK_EVENTS.PRODUCT_DELETED:
105
+ return isRuntimeProductWebhookPayload(value);
106
+ case WEBHOOK_EVENTS.CUSTOMER_CREATED:
107
+ case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
108
+ return isRuntimeCustomerWebhookPayload(value);
109
+ case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
110
+ return isRuntimeCheckoutCompletedWebhookPayload(value);
111
+ default:
112
+ return false;
113
+ }
114
+ }
115
+
47
116
  // src/adapters/hono.ts
48
117
  function createWebhookHandler(options) {
49
118
  return async function webhookHandler(c) {
50
119
  try {
51
120
  const rawPayload = await c.req.text();
52
121
  const signature = c.req.header("X-Webhook-Signature") ?? "";
122
+ const timestamp = c.req.header("X-Webhook-Timestamp") ?? "";
123
+ const event = c.req.header("X-Webhook-Event") ?? "";
124
+ const deliveryId = c.req.header("X-Webhook-Id") ?? "";
53
125
  const isValid = verifyWebhook({
54
126
  payload: rawPayload,
55
127
  signature,
128
+ timestamp,
56
129
  secret: options.secret
57
130
  });
58
131
  if (!isValid) {
59
132
  return c.json({ error: "Invalid signature" }, 401);
60
133
  }
61
- const payload = JSON.parse(rawPayload);
62
- const event = payload.event;
134
+ if (!event) {
135
+ return c.json({ error: "Missing event header" }, 400);
136
+ }
137
+ if (!isWebhookEvent(event)) {
138
+ return c.json({ error: "Invalid event header" }, 400);
139
+ }
140
+ let parsedPayload;
141
+ try {
142
+ parsedPayload = JSON.parse(rawPayload);
143
+ } catch {
144
+ return c.json({ error: "Invalid JSON" }, 400);
145
+ }
146
+ if (!isRuntimeWebhookPayload(parsedPayload, event)) {
147
+ return c.json({ error: "Invalid payload" }, 400);
148
+ }
149
+ const context = { deliveryId, event, timestamp };
63
150
  const handler = options.handlers[event];
64
151
  if (handler) {
65
- await handler(payload);
152
+ await handler(parsedPayload, context);
66
153
  } else if (options.onUnhandledEvent) {
67
- await options.onUnhandledEvent(event, payload);
154
+ await options.onUnhandledEvent(event, parsedPayload, context);
68
155
  }
69
156
  return c.text("OK", 200);
70
157
  } catch {
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/adapters/hono.ts","../../src/webhooks/verify.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport type HonoContextLike = {\n req: {\n text: () => Promise<string>;\n header: (name: string) => string | undefined;\n };\n json: (body: unknown, status?: number) => unknown;\n text: (body: string, status?: number) => unknown;\n};\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (c: HonoContextLike) => Promise<unknown> {\n return async function webhookHandler(c: HonoContextLike): Promise<unknown> {\n try {\n const rawPayload = await c.req.text();\n const signature = c.req.header(\"X-Webhook-Signature\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n return c.json({ error: \"Invalid signature\" }, 401);\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n return c.text(\"OK\", 200);\n } catch {\n return c.json({ error: \"Internal error\" }, 500);\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ADvBO,SAAS,qBACd,SAC0C;AAC1C,SAAO,eAAe,eAAe,GAAsC;AACzE,QAAI;AACF,YAAM,aAAa,MAAM,EAAE,IAAI,KAAK;AACpC,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AAEzD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,oBAAoB,GAAG,GAAG;AAAA,MACnD;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,aAAO,EAAE,KAAK,MAAM,GAAG;AAAA,IACzB,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../src/adapters/hono.ts","../../src/webhooks/verify.ts","../../src/webhooks/types.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport type HonoContextLike = {\n req: {\n text: () => Promise<string>;\n header: (name: string) => string | undefined;\n };\n json: (body: unknown, status?: number) => unknown;\n text: (body: string, status?: number) => unknown;\n};\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (c: HonoContextLike) => Promise<unknown> {\n return async function webhookHandler(c: HonoContextLike): Promise<unknown> {\n try {\n const rawPayload = await c.req.text();\n const signature = c.req.header(\"X-Webhook-Signature\") ?? \"\";\n const timestamp = c.req.header(\"X-Webhook-Timestamp\") ?? \"\";\n const event = c.req.header(\"X-Webhook-Event\") ?? \"\";\n const deliveryId = c.req.header(\"X-Webhook-Id\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n return c.json({ error: \"Invalid signature\" }, 401);\n }\n\n if (!event) {\n return c.json({ error: \"Missing event header\" }, 400);\n }\n\n if (!isWebhookEvent(event)) {\n return c.json({ error: \"Invalid event header\" }, 400);\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n return c.json({ error: \"Invalid JSON\" }, 400);\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n return c.json({ error: \"Invalid payload\" }, 400);\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n return c.text(\"OK\", 200);\n } catch {\n return c.json({ error: \"Internal error\" }, 500);\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA,oBAIO;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,aAAO,oCAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;AF/NO,SAAS,qBACd,SAC0C;AAC1C,SAAO,eAAe,eAAe,GAAsC;AACzE,QAAI;AACF,YAAM,aAAa,MAAM,EAAE,IAAI,KAAK;AACpC,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AACzD,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AACzD,YAAM,QAAQ,EAAE,IAAI,OAAO,iBAAiB,KAAK;AACjD,YAAM,aAAa,EAAE,IAAI,OAAO,cAAc,KAAK;AAEnD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,oBAAoB,GAAG,GAAG;AAAA,MACnD;AAEA,UAAI,CAAC,OAAO;AACV,eAAO,EAAE,KAAK,EAAE,OAAO,uBAAuB,GAAG,GAAG;AAAA,MACtD;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,eAAO,EAAE,KAAK,EAAE,OAAO,uBAAuB,GAAG,GAAG;AAAA,MACtD;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,eAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,MAC9C;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,GAAG,GAAG;AAAA,MACjD;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,aAAO,EAAE,KAAK,MAAM,GAAG;AAAA,IACzB,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF;AACF;","names":[]}
@@ -1,6 +1,7 @@
1
- import { W as WebhookHandlerOptions } from '../types-Db_BeRCj.cjs';
2
- import '../types-DdqKKyqX.cjs';
3
- import '../types-M1eLMz6w.cjs';
1
+ import { W as WebhookHandlerOptions } from '../types-BU71_xQm.cjs';
2
+ import '../types-rA6kVlpV.cjs';
3
+ import '@whatalo/protocol/events';
4
+ import '../types-B8BAV362.cjs';
4
5
 
5
6
  type HonoContextLike = {
6
7
  req: {