@whatalo/plugin-sdk 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/adapters/express.cjs +101 -10
- package/dist/adapters/express.cjs.map +1 -1
- package/dist/adapters/express.d.cts +9 -7
- package/dist/adapters/express.d.ts +9 -7
- package/dist/adapters/express.mjs +104 -10
- package/dist/adapters/express.mjs.map +1 -1
- package/dist/adapters/hono.cjs +94 -7
- package/dist/adapters/hono.cjs.map +1 -1
- package/dist/adapters/hono.d.cts +4 -3
- package/dist/adapters/hono.d.ts +4 -3
- package/dist/adapters/hono.mjs +97 -7
- package/dist/adapters/hono.mjs.map +1 -1
- package/dist/adapters/nextjs.cjs +94 -7
- package/dist/adapters/nextjs.cjs.map +1 -1
- package/dist/adapters/nextjs.d.cts +4 -3
- package/dist/adapters/nextjs.d.ts +4 -3
- package/dist/adapters/nextjs.mjs +97 -7
- package/dist/adapters/nextjs.mjs.map +1 -1
- package/dist/bridge/index.cjs +33 -2
- package/dist/bridge/index.cjs.map +1 -1
- package/dist/bridge/index.d.cts +17 -5
- package/dist/bridge/index.d.ts +17 -5
- package/dist/bridge/index.mjs +33 -2
- package/dist/bridge/index.mjs.map +1 -1
- package/dist/client/index.cjs +33 -2
- package/dist/client/index.cjs.map +1 -1
- package/dist/client/index.d.cts +29 -1
- package/dist/client/index.d.ts +29 -1
- package/dist/client/index.mjs +33 -2
- package/dist/client/index.mjs.map +1 -1
- package/dist/index.cjs +146 -24
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +6 -3
- package/dist/index.d.ts +6 -3
- package/dist/index.mjs +146 -24
- package/dist/index.mjs.map +1 -1
- package/dist/manifest/index.cjs +2 -17
- package/dist/manifest/index.cjs.map +1 -1
- package/dist/manifest/index.d.cts +10 -4
- package/dist/manifest/index.d.ts +10 -4
- package/dist/manifest/index.mjs +2 -17
- package/dist/manifest/index.mjs.map +1 -1
- package/dist/{types-DcmArIC2.d.ts → types-B8BAV362.d.cts} +24 -1
- package/dist/{types-DcmArIC2.d.cts → types-B8BAV362.d.ts} +24 -1
- package/dist/types-BU71_xQm.d.cts +25 -0
- package/dist/types-BhtVJPgF.d.ts +25 -0
- package/dist/types-Bo9GbqrM.d.ts +133 -0
- package/dist/types-rA6kVlpV.d.cts +133 -0
- package/dist/webhooks/index.cjs +78 -3
- package/dist/webhooks/index.cjs.map +1 -1
- package/dist/webhooks/index.d.cts +11 -4
- package/dist/webhooks/index.d.ts +11 -4
- package/dist/webhooks/index.mjs +78 -3
- package/dist/webhooks/index.mjs.map +1 -1
- package/package.json +4 -1
- package/dist/types-C9mg4aQg.d.ts +0 -19
- package/dist/types-DMuHSL_a.d.cts +0 -19
- package/dist/types-DTjA3FHe.d.ts +0 -68
- package/dist/types-tHUO9u-c.d.cts +0 -68
package/dist/adapters/hono.d.ts
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
import { W as WebhookHandlerOptions } from '../types-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '
|
|
1
|
+
import { W as WebhookHandlerOptions } from '../types-BhtVJPgF.js';
|
|
2
|
+
import '../types-Bo9GbqrM.js';
|
|
3
|
+
import '@whatalo/protocol/events';
|
|
4
|
+
import '../types-B8BAV362.js';
|
|
4
5
|
|
|
5
6
|
type HonoContextLike = {
|
|
6
7
|
req: {
|
package/dist/adapters/hono.mjs
CHANGED
|
@@ -1,13 +1,25 @@
|
|
|
1
1
|
// src/webhooks/verify.ts
|
|
2
2
|
import { createHmac, timingSafeEqual } from "crypto";
|
|
3
|
+
var DEFAULT_TOLERANCE_SECONDS = 300;
|
|
3
4
|
function verifyWebhook({
|
|
4
5
|
payload,
|
|
5
6
|
signature,
|
|
6
|
-
|
|
7
|
+
timestamp,
|
|
8
|
+
secret,
|
|
9
|
+
toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
|
|
10
|
+
currentTime = Math.floor(Date.now() / 1e3)
|
|
7
11
|
}) {
|
|
8
|
-
if (!payload || !signature || !secret) return false;
|
|
9
|
-
const
|
|
12
|
+
if (!payload || !signature || !secret || timestamp === "") return false;
|
|
13
|
+
const timestampString = String(timestamp);
|
|
14
|
+
const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
|
|
15
|
+
if (!Number.isInteger(timestampValue)) return false;
|
|
16
|
+
if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
|
|
17
|
+
if (!Number.isFinite(currentTime)) return false;
|
|
18
|
+
const ageSeconds = Math.abs(currentTime - timestampValue);
|
|
19
|
+
if (ageSeconds > toleranceSeconds) return false;
|
|
20
|
+
const expected = createHmac("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
|
|
10
21
|
if (expected.length !== signature.length) return false;
|
|
22
|
+
if (!/^[a-f0-9]+$/i.test(signature)) return false;
|
|
11
23
|
try {
|
|
12
24
|
return timingSafeEqual(
|
|
13
25
|
Buffer.from(expected, "hex"),
|
|
@@ -18,27 +30,105 @@ function verifyWebhook({
|
|
|
18
30
|
}
|
|
19
31
|
}
|
|
20
32
|
|
|
33
|
+
// src/webhooks/types.ts
|
|
34
|
+
import {
|
|
35
|
+
PUBLIC_WEBHOOK_EVENTS,
|
|
36
|
+
isPublicWebhookEvent
|
|
37
|
+
} from "@whatalo/protocol/events";
|
|
38
|
+
var WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;
|
|
39
|
+
function isWebhookEvent(value) {
|
|
40
|
+
return isPublicWebhookEvent(value);
|
|
41
|
+
}
|
|
42
|
+
function isRecord(value) {
|
|
43
|
+
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
44
|
+
}
|
|
45
|
+
function hasStringId(value) {
|
|
46
|
+
return isRecord(value) && typeof value.id === "string";
|
|
47
|
+
}
|
|
48
|
+
function isOptionalString(value, key) {
|
|
49
|
+
return value[key] === void 0 || typeof value[key] === "string";
|
|
50
|
+
}
|
|
51
|
+
function isRuntimeWebhookStore(value) {
|
|
52
|
+
return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
|
|
53
|
+
}
|
|
54
|
+
function hasValidBasePayloadFields(value) {
|
|
55
|
+
if (!isOptionalString(value, "event_id")) return false;
|
|
56
|
+
if (!isOptionalString(value, "occurred_at")) return false;
|
|
57
|
+
return isRuntimeWebhookStore(value.store);
|
|
58
|
+
}
|
|
59
|
+
function isRuntimeOrderWebhookPayload(value) {
|
|
60
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
|
|
61
|
+
}
|
|
62
|
+
function isRuntimeProductWebhookPayload(value) {
|
|
63
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.product);
|
|
64
|
+
}
|
|
65
|
+
function isRuntimeCustomerWebhookPayload(value) {
|
|
66
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.customer);
|
|
67
|
+
}
|
|
68
|
+
function isRuntimeCheckoutCompletedWebhookPayload(value) {
|
|
69
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
|
|
70
|
+
}
|
|
71
|
+
function isRuntimeWebhookPayload(value, event) {
|
|
72
|
+
if (!isRecord(value)) return false;
|
|
73
|
+
switch (event) {
|
|
74
|
+
case WEBHOOK_EVENTS.ORDER_CREATED:
|
|
75
|
+
case WEBHOOK_EVENTS.ORDER_UPDATED:
|
|
76
|
+
case WEBHOOK_EVENTS.ORDER_CANCELLED:
|
|
77
|
+
case WEBHOOK_EVENTS.ORDER_COMPLETED:
|
|
78
|
+
return isRuntimeOrderWebhookPayload(value);
|
|
79
|
+
case WEBHOOK_EVENTS.PRODUCT_CREATED:
|
|
80
|
+
case WEBHOOK_EVENTS.PRODUCT_UPDATED:
|
|
81
|
+
case WEBHOOK_EVENTS.PRODUCT_DELETED:
|
|
82
|
+
return isRuntimeProductWebhookPayload(value);
|
|
83
|
+
case WEBHOOK_EVENTS.CUSTOMER_CREATED:
|
|
84
|
+
case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
|
|
85
|
+
return isRuntimeCustomerWebhookPayload(value);
|
|
86
|
+
case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
|
|
87
|
+
return isRuntimeCheckoutCompletedWebhookPayload(value);
|
|
88
|
+
default:
|
|
89
|
+
return false;
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
|
|
21
93
|
// src/adapters/hono.ts
|
|
22
94
|
function createWebhookHandler(options) {
|
|
23
95
|
return async function webhookHandler(c) {
|
|
24
96
|
try {
|
|
25
97
|
const rawPayload = await c.req.text();
|
|
26
98
|
const signature = c.req.header("X-Webhook-Signature") ?? "";
|
|
99
|
+
const timestamp = c.req.header("X-Webhook-Timestamp") ?? "";
|
|
100
|
+
const event = c.req.header("X-Webhook-Event") ?? "";
|
|
101
|
+
const deliveryId = c.req.header("X-Webhook-Id") ?? "";
|
|
27
102
|
const isValid = verifyWebhook({
|
|
28
103
|
payload: rawPayload,
|
|
29
104
|
signature,
|
|
105
|
+
timestamp,
|
|
30
106
|
secret: options.secret
|
|
31
107
|
});
|
|
32
108
|
if (!isValid) {
|
|
33
109
|
return c.json({ error: "Invalid signature" }, 401);
|
|
34
110
|
}
|
|
35
|
-
|
|
36
|
-
|
|
111
|
+
if (!event) {
|
|
112
|
+
return c.json({ error: "Missing event header" }, 400);
|
|
113
|
+
}
|
|
114
|
+
if (!isWebhookEvent(event)) {
|
|
115
|
+
return c.json({ error: "Invalid event header" }, 400);
|
|
116
|
+
}
|
|
117
|
+
let parsedPayload;
|
|
118
|
+
try {
|
|
119
|
+
parsedPayload = JSON.parse(rawPayload);
|
|
120
|
+
} catch {
|
|
121
|
+
return c.json({ error: "Invalid JSON" }, 400);
|
|
122
|
+
}
|
|
123
|
+
if (!isRuntimeWebhookPayload(parsedPayload, event)) {
|
|
124
|
+
return c.json({ error: "Invalid payload" }, 400);
|
|
125
|
+
}
|
|
126
|
+
const context = { deliveryId, event, timestamp };
|
|
37
127
|
const handler = options.handlers[event];
|
|
38
128
|
if (handler) {
|
|
39
|
-
await handler(
|
|
129
|
+
await handler(parsedPayload, context);
|
|
40
130
|
} else if (options.onUnhandledEvent) {
|
|
41
|
-
await options.onUnhandledEvent(event,
|
|
131
|
+
await options.onUnhandledEvent(event, parsedPayload, context);
|
|
42
132
|
}
|
|
43
133
|
return c.text("OK", 200);
|
|
44
134
|
} catch {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/webhooks/verify.ts","../../src/adapters/hono.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport type HonoContextLike = {\n req: {\n text: () => Promise<string>;\n header: (name: string) => string | undefined;\n };\n json: (body: unknown, status?: number) => unknown;\n text: (body: string, status?: number) => unknown;\n};\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (c: HonoContextLike) => Promise<unknown> {\n return async function webhookHandler(c: HonoContextLike): Promise<unknown> {\n try {\n const rawPayload = await c.req.text();\n const signature = c.req.header(\"X-Webhook-Signature\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n return c.json({ error: \"Invalid signature\" }, 401);\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n return c.text(\"OK\", 200);\n } catch {\n return c.json({ error: \"Internal error\" }, 500);\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACvBO,SAAS,qBACd,SAC0C;AAC1C,SAAO,eAAe,eAAe,GAAsC;AACzE,QAAI;AACF,YAAM,aAAa,MAAM,EAAE,IAAI,KAAK;AACpC,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AAEzD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,oBAAoB,GAAG,GAAG;AAAA,MACnD;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,aAAO,EAAE,KAAK,MAAM,GAAG;AAAA,IACzB,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF;AACF;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../../src/webhooks/verify.ts","../../src/webhooks/types.ts","../../src/adapters/hono.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport type HonoContextLike = {\n req: {\n text: () => Promise<string>;\n header: (name: string) => string | undefined;\n };\n json: (body: unknown, status?: number) => unknown;\n text: (body: string, status?: number) => unknown;\n};\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (c: HonoContextLike) => Promise<unknown> {\n return async function webhookHandler(c: HonoContextLike): Promise<unknown> {\n try {\n const rawPayload = await c.req.text();\n const signature = c.req.header(\"X-Webhook-Signature\") ?? \"\";\n const timestamp = c.req.header(\"X-Webhook-Timestamp\") ?? \"\";\n const event = c.req.header(\"X-Webhook-Event\") ?? \"\";\n const deliveryId = c.req.header(\"X-Webhook-Id\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n return c.json({ error: \"Invalid signature\" }, 401);\n }\n\n if (!event) {\n return c.json({ error: \"Missing event header\" }, 400);\n }\n\n if (!isWebhookEvent(event)) {\n return c.json({ error: \"Invalid event header\" }, 400);\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n return c.json({ error: \"Invalid JSON\" }, 400);\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n return c.json({ error: \"Invalid payload\" }, 400);\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n return c.text(\"OK\", 200);\n } catch {\n return c.json({ error: \"Internal error\" }, 500);\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,SAAO,qBAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;AC/NO,SAAS,qBACd,SAC0C;AAC1C,SAAO,eAAe,eAAe,GAAsC;AACzE,QAAI;AACF,YAAM,aAAa,MAAM,EAAE,IAAI,KAAK;AACpC,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AACzD,YAAM,YAAY,EAAE,IAAI,OAAO,qBAAqB,KAAK;AACzD,YAAM,QAAQ,EAAE,IAAI,OAAO,iBAAiB,KAAK;AACjD,YAAM,aAAa,EAAE,IAAI,OAAO,cAAc,KAAK;AAEnD,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,EAAE,KAAK,EAAE,OAAO,oBAAoB,GAAG,GAAG;AAAA,MACnD;AAEA,UAAI,CAAC,OAAO;AACV,eAAO,EAAE,KAAK,EAAE,OAAO,uBAAuB,GAAG,GAAG;AAAA,MACtD;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,eAAO,EAAE,KAAK,EAAE,OAAO,uBAAuB,GAAG,GAAG;AAAA,MACtD;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,eAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,MAC9C;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,eAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,GAAG,GAAG;AAAA,MACjD;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,aAAO,EAAE,KAAK,MAAM,GAAG;AAAA,IACzB,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,iBAAiB,GAAG,GAAG;AAAA,IAChD;AAAA,EACF;AACF;","names":[]}
|
package/dist/adapters/nextjs.cjs
CHANGED
|
@@ -26,14 +26,26 @@ module.exports = __toCommonJS(nextjs_exports);
|
|
|
26
26
|
|
|
27
27
|
// src/webhooks/verify.ts
|
|
28
28
|
var import_node_crypto = require("crypto");
|
|
29
|
+
var DEFAULT_TOLERANCE_SECONDS = 300;
|
|
29
30
|
function verifyWebhook({
|
|
30
31
|
payload,
|
|
31
32
|
signature,
|
|
32
|
-
|
|
33
|
+
timestamp,
|
|
34
|
+
secret,
|
|
35
|
+
toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
|
|
36
|
+
currentTime = Math.floor(Date.now() / 1e3)
|
|
33
37
|
}) {
|
|
34
|
-
if (!payload || !signature || !secret) return false;
|
|
35
|
-
const
|
|
38
|
+
if (!payload || !signature || !secret || timestamp === "") return false;
|
|
39
|
+
const timestampString = String(timestamp);
|
|
40
|
+
const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
|
|
41
|
+
if (!Number.isInteger(timestampValue)) return false;
|
|
42
|
+
if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
|
|
43
|
+
if (!Number.isFinite(currentTime)) return false;
|
|
44
|
+
const ageSeconds = Math.abs(currentTime - timestampValue);
|
|
45
|
+
if (ageSeconds > toleranceSeconds) return false;
|
|
46
|
+
const expected = (0, import_node_crypto.createHmac)("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
|
|
36
47
|
if (expected.length !== signature.length) return false;
|
|
48
|
+
if (!/^[a-f0-9]+$/i.test(signature)) return false;
|
|
37
49
|
try {
|
|
38
50
|
return (0, import_node_crypto.timingSafeEqual)(
|
|
39
51
|
Buffer.from(expected, "hex"),
|
|
@@ -44,27 +56,102 @@ function verifyWebhook({
|
|
|
44
56
|
}
|
|
45
57
|
}
|
|
46
58
|
|
|
59
|
+
// src/webhooks/types.ts
|
|
60
|
+
var import_events = require("@whatalo/protocol/events");
|
|
61
|
+
var WEBHOOK_EVENTS = import_events.PUBLIC_WEBHOOK_EVENTS;
|
|
62
|
+
function isWebhookEvent(value) {
|
|
63
|
+
return (0, import_events.isPublicWebhookEvent)(value);
|
|
64
|
+
}
|
|
65
|
+
function isRecord(value) {
|
|
66
|
+
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
67
|
+
}
|
|
68
|
+
function hasStringId(value) {
|
|
69
|
+
return isRecord(value) && typeof value.id === "string";
|
|
70
|
+
}
|
|
71
|
+
function isOptionalString(value, key) {
|
|
72
|
+
return value[key] === void 0 || typeof value[key] === "string";
|
|
73
|
+
}
|
|
74
|
+
function isRuntimeWebhookStore(value) {
|
|
75
|
+
return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
|
|
76
|
+
}
|
|
77
|
+
function hasValidBasePayloadFields(value) {
|
|
78
|
+
if (!isOptionalString(value, "event_id")) return false;
|
|
79
|
+
if (!isOptionalString(value, "occurred_at")) return false;
|
|
80
|
+
return isRuntimeWebhookStore(value.store);
|
|
81
|
+
}
|
|
82
|
+
function isRuntimeOrderWebhookPayload(value) {
|
|
83
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
|
|
84
|
+
}
|
|
85
|
+
function isRuntimeProductWebhookPayload(value) {
|
|
86
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.product);
|
|
87
|
+
}
|
|
88
|
+
function isRuntimeCustomerWebhookPayload(value) {
|
|
89
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.customer);
|
|
90
|
+
}
|
|
91
|
+
function isRuntimeCheckoutCompletedWebhookPayload(value) {
|
|
92
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
|
|
93
|
+
}
|
|
94
|
+
function isRuntimeWebhookPayload(value, event) {
|
|
95
|
+
if (!isRecord(value)) return false;
|
|
96
|
+
switch (event) {
|
|
97
|
+
case WEBHOOK_EVENTS.ORDER_CREATED:
|
|
98
|
+
case WEBHOOK_EVENTS.ORDER_UPDATED:
|
|
99
|
+
case WEBHOOK_EVENTS.ORDER_CANCELLED:
|
|
100
|
+
case WEBHOOK_EVENTS.ORDER_COMPLETED:
|
|
101
|
+
return isRuntimeOrderWebhookPayload(value);
|
|
102
|
+
case WEBHOOK_EVENTS.PRODUCT_CREATED:
|
|
103
|
+
case WEBHOOK_EVENTS.PRODUCT_UPDATED:
|
|
104
|
+
case WEBHOOK_EVENTS.PRODUCT_DELETED:
|
|
105
|
+
return isRuntimeProductWebhookPayload(value);
|
|
106
|
+
case WEBHOOK_EVENTS.CUSTOMER_CREATED:
|
|
107
|
+
case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
|
|
108
|
+
return isRuntimeCustomerWebhookPayload(value);
|
|
109
|
+
case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
|
|
110
|
+
return isRuntimeCheckoutCompletedWebhookPayload(value);
|
|
111
|
+
default:
|
|
112
|
+
return false;
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
|
|
47
116
|
// src/adapters/nextjs.ts
|
|
48
117
|
function createWebhookHandler(options) {
|
|
49
118
|
return async function webhookHandler(request) {
|
|
50
119
|
try {
|
|
51
120
|
const rawPayload = await request.text();
|
|
52
121
|
const signature = request.headers.get("X-Webhook-Signature") ?? "";
|
|
122
|
+
const timestamp = request.headers.get("X-Webhook-Timestamp") ?? "";
|
|
123
|
+
const event = request.headers.get("X-Webhook-Event") ?? "";
|
|
124
|
+
const deliveryId = request.headers.get("X-Webhook-Id") ?? "";
|
|
53
125
|
const isValid = verifyWebhook({
|
|
54
126
|
payload: rawPayload,
|
|
55
127
|
signature,
|
|
128
|
+
timestamp,
|
|
56
129
|
secret: options.secret
|
|
57
130
|
});
|
|
58
131
|
if (!isValid) {
|
|
59
132
|
return new Response("Invalid signature", { status: 401 });
|
|
60
133
|
}
|
|
61
|
-
|
|
62
|
-
|
|
134
|
+
if (!event) {
|
|
135
|
+
return new Response("Missing event header", { status: 400 });
|
|
136
|
+
}
|
|
137
|
+
if (!isWebhookEvent(event)) {
|
|
138
|
+
return new Response("Invalid event header", { status: 400 });
|
|
139
|
+
}
|
|
140
|
+
let parsedPayload;
|
|
141
|
+
try {
|
|
142
|
+
parsedPayload = JSON.parse(rawPayload);
|
|
143
|
+
} catch {
|
|
144
|
+
return new Response("Invalid JSON", { status: 400 });
|
|
145
|
+
}
|
|
146
|
+
if (!isRuntimeWebhookPayload(parsedPayload, event)) {
|
|
147
|
+
return new Response("Invalid payload", { status: 400 });
|
|
148
|
+
}
|
|
149
|
+
const context = { deliveryId, event, timestamp };
|
|
63
150
|
const handler = options.handlers[event];
|
|
64
151
|
if (handler) {
|
|
65
|
-
await handler(
|
|
152
|
+
await handler(parsedPayload, context);
|
|
66
153
|
} else if (options.onUnhandledEvent) {
|
|
67
|
-
await options.onUnhandledEvent(event,
|
|
154
|
+
await options.onUnhandledEvent(event, parsedPayload, context);
|
|
68
155
|
}
|
|
69
156
|
return new Response("OK", { status: 200 });
|
|
70
157
|
} catch {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/adapters/nextjs.ts","../../src/webhooks/verify.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (request: Request) => Promise<Response> {\n return async function webhookHandler(request: Request): Promise<Response> {\n try {\n const rawPayload = await request.text();\n const signature = request.headers.get(\"X-Webhook-Signature\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n return new Response(\"Invalid signature\", { status: 401 });\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n return new Response(\"OK\", { status: 200 });\n } catch {\n return new Response(\"Internal error\", { status: 500 });\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ADhCO,SAAS,qBACd,SACyC;AACzC,SAAO,eAAe,eAAe,SAAqC;AACxE,QAAI;AACF,YAAM,aAAa,MAAM,QAAQ,KAAK;AACtC,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAEhE,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,IAAI,SAAS,qBAAqB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC1D;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C,QAAQ;AACN,aAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvD;AAAA,EACF;AACF;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../../src/adapters/nextjs.ts","../../src/webhooks/verify.ts","../../src/webhooks/types.ts"],"sourcesContent":["import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (request: Request) => Promise<Response> {\n return async function webhookHandler(request: Request): Promise<Response> {\n try {\n const rawPayload = await request.text();\n const signature = request.headers.get(\"X-Webhook-Signature\") ?? \"\";\n const timestamp = request.headers.get(\"X-Webhook-Timestamp\") ?? \"\";\n const event = request.headers.get(\"X-Webhook-Event\") ?? \"\";\n const deliveryId = request.headers.get(\"X-Webhook-Id\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n return new Response(\"Invalid signature\", { status: 401 });\n }\n\n if (!event) {\n return new Response(\"Missing event header\", { status: 400 });\n }\n\n if (!isWebhookEvent(event)) {\n return new Response(\"Invalid event header\", { status: 400 });\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n return new Response(\"Invalid JSON\", { status: 400 });\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n return new Response(\"Invalid payload\", { status: 400 });\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n return new Response(\"OK\", { status: 200 });\n } catch {\n return new Response(\"Internal error\", { status: 500 });\n }\n };\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,yBAA4C;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,eAAW,+BAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,eAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA,oBAIO;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,aAAO,oCAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;AFxOO,SAAS,qBACd,SACyC;AACzC,SAAO,eAAe,eAAe,SAAqC;AACxE,QAAI;AACF,YAAM,aAAa,MAAM,QAAQ,KAAK;AACtC,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAChE,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAChE,YAAM,QAAQ,QAAQ,QAAQ,IAAI,iBAAiB,KAAK;AACxD,YAAM,aAAa,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAE1D,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,IAAI,SAAS,qBAAqB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC1D;AAEA,UAAI,CAAC,OAAO;AACV,eAAO,IAAI,SAAS,wBAAwB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7D;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,eAAO,IAAI,SAAS,wBAAwB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7D;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,eAAO,IAAI,SAAS,gBAAgB,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrD;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,eAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,IAAI,CAAC;AAAA,MACxD;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C,QAAQ;AACN,aAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvD;AAAA,EACF;AACF;","names":[]}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
import { W as WebhookHandlerOptions } from '../types-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '
|
|
1
|
+
import { W as WebhookHandlerOptions } from '../types-BU71_xQm.cjs';
|
|
2
|
+
import '../types-rA6kVlpV.cjs';
|
|
3
|
+
import '@whatalo/protocol/events';
|
|
4
|
+
import '../types-B8BAV362.cjs';
|
|
4
5
|
|
|
5
6
|
declare function createWebhookHandler(options: WebhookHandlerOptions): (request: Request) => Promise<Response>;
|
|
6
7
|
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
import { W as WebhookHandlerOptions } from '../types-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '
|
|
1
|
+
import { W as WebhookHandlerOptions } from '../types-BhtVJPgF.js';
|
|
2
|
+
import '../types-Bo9GbqrM.js';
|
|
3
|
+
import '@whatalo/protocol/events';
|
|
4
|
+
import '../types-B8BAV362.js';
|
|
4
5
|
|
|
5
6
|
declare function createWebhookHandler(options: WebhookHandlerOptions): (request: Request) => Promise<Response>;
|
|
6
7
|
|
package/dist/adapters/nextjs.mjs
CHANGED
|
@@ -1,13 +1,25 @@
|
|
|
1
1
|
// src/webhooks/verify.ts
|
|
2
2
|
import { createHmac, timingSafeEqual } from "crypto";
|
|
3
|
+
var DEFAULT_TOLERANCE_SECONDS = 300;
|
|
3
4
|
function verifyWebhook({
|
|
4
5
|
payload,
|
|
5
6
|
signature,
|
|
6
|
-
|
|
7
|
+
timestamp,
|
|
8
|
+
secret,
|
|
9
|
+
toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
|
|
10
|
+
currentTime = Math.floor(Date.now() / 1e3)
|
|
7
11
|
}) {
|
|
8
|
-
if (!payload || !signature || !secret) return false;
|
|
9
|
-
const
|
|
12
|
+
if (!payload || !signature || !secret || timestamp === "") return false;
|
|
13
|
+
const timestampString = String(timestamp);
|
|
14
|
+
const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
|
|
15
|
+
if (!Number.isInteger(timestampValue)) return false;
|
|
16
|
+
if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
|
|
17
|
+
if (!Number.isFinite(currentTime)) return false;
|
|
18
|
+
const ageSeconds = Math.abs(currentTime - timestampValue);
|
|
19
|
+
if (ageSeconds > toleranceSeconds) return false;
|
|
20
|
+
const expected = createHmac("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
|
|
10
21
|
if (expected.length !== signature.length) return false;
|
|
22
|
+
if (!/^[a-f0-9]+$/i.test(signature)) return false;
|
|
11
23
|
try {
|
|
12
24
|
return timingSafeEqual(
|
|
13
25
|
Buffer.from(expected, "hex"),
|
|
@@ -18,27 +30,105 @@ function verifyWebhook({
|
|
|
18
30
|
}
|
|
19
31
|
}
|
|
20
32
|
|
|
33
|
+
// src/webhooks/types.ts
|
|
34
|
+
import {
|
|
35
|
+
PUBLIC_WEBHOOK_EVENTS,
|
|
36
|
+
isPublicWebhookEvent
|
|
37
|
+
} from "@whatalo/protocol/events";
|
|
38
|
+
var WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;
|
|
39
|
+
function isWebhookEvent(value) {
|
|
40
|
+
return isPublicWebhookEvent(value);
|
|
41
|
+
}
|
|
42
|
+
function isRecord(value) {
|
|
43
|
+
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
44
|
+
}
|
|
45
|
+
function hasStringId(value) {
|
|
46
|
+
return isRecord(value) && typeof value.id === "string";
|
|
47
|
+
}
|
|
48
|
+
function isOptionalString(value, key) {
|
|
49
|
+
return value[key] === void 0 || typeof value[key] === "string";
|
|
50
|
+
}
|
|
51
|
+
function isRuntimeWebhookStore(value) {
|
|
52
|
+
return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
|
|
53
|
+
}
|
|
54
|
+
function hasValidBasePayloadFields(value) {
|
|
55
|
+
if (!isOptionalString(value, "event_id")) return false;
|
|
56
|
+
if (!isOptionalString(value, "occurred_at")) return false;
|
|
57
|
+
return isRuntimeWebhookStore(value.store);
|
|
58
|
+
}
|
|
59
|
+
function isRuntimeOrderWebhookPayload(value) {
|
|
60
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
|
|
61
|
+
}
|
|
62
|
+
function isRuntimeProductWebhookPayload(value) {
|
|
63
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.product);
|
|
64
|
+
}
|
|
65
|
+
function isRuntimeCustomerWebhookPayload(value) {
|
|
66
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.customer);
|
|
67
|
+
}
|
|
68
|
+
function isRuntimeCheckoutCompletedWebhookPayload(value) {
|
|
69
|
+
return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
|
|
70
|
+
}
|
|
71
|
+
function isRuntimeWebhookPayload(value, event) {
|
|
72
|
+
if (!isRecord(value)) return false;
|
|
73
|
+
switch (event) {
|
|
74
|
+
case WEBHOOK_EVENTS.ORDER_CREATED:
|
|
75
|
+
case WEBHOOK_EVENTS.ORDER_UPDATED:
|
|
76
|
+
case WEBHOOK_EVENTS.ORDER_CANCELLED:
|
|
77
|
+
case WEBHOOK_EVENTS.ORDER_COMPLETED:
|
|
78
|
+
return isRuntimeOrderWebhookPayload(value);
|
|
79
|
+
case WEBHOOK_EVENTS.PRODUCT_CREATED:
|
|
80
|
+
case WEBHOOK_EVENTS.PRODUCT_UPDATED:
|
|
81
|
+
case WEBHOOK_EVENTS.PRODUCT_DELETED:
|
|
82
|
+
return isRuntimeProductWebhookPayload(value);
|
|
83
|
+
case WEBHOOK_EVENTS.CUSTOMER_CREATED:
|
|
84
|
+
case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
|
|
85
|
+
return isRuntimeCustomerWebhookPayload(value);
|
|
86
|
+
case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
|
|
87
|
+
return isRuntimeCheckoutCompletedWebhookPayload(value);
|
|
88
|
+
default:
|
|
89
|
+
return false;
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
|
|
21
93
|
// src/adapters/nextjs.ts
|
|
22
94
|
function createWebhookHandler(options) {
|
|
23
95
|
return async function webhookHandler(request) {
|
|
24
96
|
try {
|
|
25
97
|
const rawPayload = await request.text();
|
|
26
98
|
const signature = request.headers.get("X-Webhook-Signature") ?? "";
|
|
99
|
+
const timestamp = request.headers.get("X-Webhook-Timestamp") ?? "";
|
|
100
|
+
const event = request.headers.get("X-Webhook-Event") ?? "";
|
|
101
|
+
const deliveryId = request.headers.get("X-Webhook-Id") ?? "";
|
|
27
102
|
const isValid = verifyWebhook({
|
|
28
103
|
payload: rawPayload,
|
|
29
104
|
signature,
|
|
105
|
+
timestamp,
|
|
30
106
|
secret: options.secret
|
|
31
107
|
});
|
|
32
108
|
if (!isValid) {
|
|
33
109
|
return new Response("Invalid signature", { status: 401 });
|
|
34
110
|
}
|
|
35
|
-
|
|
36
|
-
|
|
111
|
+
if (!event) {
|
|
112
|
+
return new Response("Missing event header", { status: 400 });
|
|
113
|
+
}
|
|
114
|
+
if (!isWebhookEvent(event)) {
|
|
115
|
+
return new Response("Invalid event header", { status: 400 });
|
|
116
|
+
}
|
|
117
|
+
let parsedPayload;
|
|
118
|
+
try {
|
|
119
|
+
parsedPayload = JSON.parse(rawPayload);
|
|
120
|
+
} catch {
|
|
121
|
+
return new Response("Invalid JSON", { status: 400 });
|
|
122
|
+
}
|
|
123
|
+
if (!isRuntimeWebhookPayload(parsedPayload, event)) {
|
|
124
|
+
return new Response("Invalid payload", { status: 400 });
|
|
125
|
+
}
|
|
126
|
+
const context = { deliveryId, event, timestamp };
|
|
37
127
|
const handler = options.handlers[event];
|
|
38
128
|
if (handler) {
|
|
39
|
-
await handler(
|
|
129
|
+
await handler(parsedPayload, context);
|
|
40
130
|
} else if (options.onUnhandledEvent) {
|
|
41
|
-
await options.onUnhandledEvent(event,
|
|
131
|
+
await options.onUnhandledEvent(event, parsedPayload, context);
|
|
42
132
|
}
|
|
43
133
|
return new Response("OK", { status: 200 });
|
|
44
134
|
} catch {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/webhooks/verify.ts","../../src/adapters/nextjs.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n secret,\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(payload, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport type { WebhookPayload } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (request: Request) => Promise<Response> {\n return async function webhookHandler(request: Request): Promise<Response> {\n try {\n const rawPayload = await request.text();\n const signature = request.headers.get(\"X-Webhook-Signature\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n secret: options.secret,\n });\n\n if (!isValid) {\n return new Response(\"Invalid signature\", { status: 401 });\n }\n\n const payload = JSON.parse(rawPayload) as WebhookPayload;\n const event = payload.event;\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(payload);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, payload);\n }\n\n return new Response(\"OK\", { status: 200 });\n } catch {\n return new Response(\"Internal error\", { status: 500 });\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAerC,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,OAAQ,QAAO;AAE9C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AAEjD,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AChCO,SAAS,qBACd,SACyC;AACzC,SAAO,eAAe,eAAe,SAAqC;AACxE,QAAI;AACF,YAAM,aAAa,MAAM,QAAQ,KAAK;AACtC,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAEhE,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,IAAI,SAAS,qBAAqB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC1D;AAEA,YAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAM,QAAQ,QAAQ;AACtB,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,OAAO;AAAA,MACvB,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,OAAO;AAAA,MAC/C;AAEA,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C,QAAQ;AACN,aAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvD;AAAA,EACF;AACF;","names":[]}
|
|
1
|
+
{"version":3,"sources":["../../src/webhooks/verify.ts","../../src/webhooks/types.ts","../../src/adapters/nextjs.ts"],"sourcesContent":["import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nexport interface VerifyWebhookParams {\n /** Raw request body as a string (NOT parsed JSON) */\n payload: string;\n /** Value of the X-Webhook-Signature header */\n signature: string;\n /** Value of the X-Webhook-Timestamp header (Unix epoch in seconds) */\n timestamp: string | number;\n /** App's webhook secret (provided during app installation) */\n secret: string;\n /** Maximum timestamp drift allowed in seconds. Defaults to 300 seconds. */\n toleranceSeconds?: number;\n /** Current Unix epoch time in seconds. Intended for tests. */\n currentTime?: number;\n}\n\n/**\n * Verify webhook signature using HMAC-SHA256 over `${timestamp}.${payload}`.\n * Uses timing-safe comparison to prevent timing attacks.\n */\nexport function verifyWebhook({\n payload,\n signature,\n timestamp,\n secret,\n toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,\n currentTime = Math.floor(Date.now() / 1000),\n}: VerifyWebhookParams): boolean {\n if (!payload || !signature || !secret || timestamp === \"\") return false;\n\n const timestampString = String(timestamp);\n const timestampValue =\n typeof timestamp === \"number\" ? timestamp : Number(timestamp);\n\n if (!Number.isInteger(timestampValue)) return false;\n if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;\n if (!Number.isFinite(currentTime)) return false;\n\n const ageSeconds = Math.abs(currentTime - timestampValue);\n if (ageSeconds > toleranceSeconds) return false;\n\n const expected = createHmac(\"sha256\", secret)\n .update(`${timestampString}.${payload}`, \"utf8\")\n .digest(\"hex\");\n\n if (expected.length !== signature.length) return false;\n if (!/^[a-f0-9]+$/i.test(signature)) return false;\n\n try {\n return timingSafeEqual(\n Buffer.from(expected, \"hex\"),\n Buffer.from(signature, \"hex\")\n );\n } catch {\n return false;\n }\n}\n","import {\n PUBLIC_WEBHOOK_EVENTS,\n isPublicWebhookEvent,\n type PublicWebhookEvent,\n} from \"@whatalo/protocol/events\";\nimport type { Product, Order, Customer } from \"../client/types.js\";\n\nexport const WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;\n\n/** All supported webhook event types */\nexport type WebhookEvent = PublicWebhookEvent;\n\n/** Validate an event header against the public runtime webhook event set. */\nexport function isWebhookEvent(value: string): value is WebhookEvent {\n return isPublicWebhookEvent(value);\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n\nfunction hasStringId(value: unknown): value is { id: string } {\n return isRecord(value) && typeof value.id === \"string\";\n}\n\nfunction isOptionalString(\n value: Record<string, unknown>,\n key: string\n): boolean {\n return value[key] === undefined || typeof value[key] === \"string\";\n}\n\nfunction isRuntimeWebhookStore(value: unknown): value is RuntimeWebhookStore {\n return (\n isRecord(value) &&\n typeof value.id === \"string\" &&\n typeof value.timezone === \"string\" &&\n (value.name === undefined || typeof value.name === \"string\")\n );\n}\n\nfunction hasValidBasePayloadFields(value: Record<string, unknown>): boolean {\n if (!isOptionalString(value, \"event_id\")) return false;\n if (!isOptionalString(value, \"occurred_at\")) return false;\n\n return isRuntimeWebhookStore(value.store);\n}\n\nfunction isRuntimeOrderWebhookPayload(value: Record<string, unknown>): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n (value.customer === undefined || hasStringId(value.customer))\n );\n}\n\nfunction isRuntimeProductWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.product);\n}\n\nfunction isRuntimeCustomerWebhookPayload(value: Record<string, unknown>): boolean {\n return hasValidBasePayloadFields(value) && hasStringId(value.customer);\n}\n\nfunction isRuntimeCheckoutCompletedWebhookPayload(\n value: Record<string, unknown>\n): boolean {\n return (\n hasValidBasePayloadFields(value) &&\n hasStringId(value.order) &&\n hasStringId(value.customer) &&\n isRuntimeWebhookStore(value.store)\n );\n}\n\nexport interface OrderCreatedWebhookData {\n order: Order;\n}\n\nexport interface OrderUpdatedWebhookData {\n order: Order;\n changes: string[];\n}\n\nexport interface OrderCancelledWebhookData {\n orderId: string;\n reason?: string;\n}\n\nexport interface OrderCompletedWebhookData {\n order: Order;\n}\n\nexport interface ProductCreatedWebhookData {\n product: Product;\n}\n\nexport interface ProductUpdatedWebhookData {\n product: Product;\n changes: string[];\n}\n\nexport interface ProductDeletedWebhookProduct {\n id: string;\n}\n\nexport interface ProductDeletedWebhookData {\n product: ProductDeletedWebhookProduct;\n}\n\nexport interface CustomerCreatedWebhookData {\n customer: Customer;\n}\n\nexport interface CustomerUpdatedWebhookData {\n customer: Customer;\n changes: string[];\n}\n\nexport interface CheckoutCompletedWebhookData {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\n/** Map of webhook events to their payload data shapes */\nexport interface WebhookEventData {\n \"order.created\": OrderCreatedWebhookData;\n \"order.updated\": OrderUpdatedWebhookData;\n \"order.cancelled\": OrderCancelledWebhookData;\n \"order.completed\": OrderCompletedWebhookData;\n \"product.created\": ProductCreatedWebhookData;\n \"product.updated\": ProductUpdatedWebhookData;\n \"product.deleted\": ProductDeletedWebhookData;\n \"customer.created\": CustomerCreatedWebhookData;\n \"customer.updated\": CustomerUpdatedWebhookData;\n \"checkout.completed\": CheckoutCompletedWebhookData;\n}\n\n/** Legacy envelope payload. Runtime webhook deliveries do not include the event field in the body. */\nexport interface WebhookPayload<E extends WebhookEvent = WebhookEvent> {\n event: E;\n timestamp: string;\n storeId: string;\n data: WebhookEventData[E];\n}\n\nexport interface RuntimeWebhookStore {\n id: string;\n name?: string;\n timezone: string;\n}\n\nexport interface RuntimeWebhookBasePayload {\n event_id?: string;\n occurred_at?: string;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookOrder {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookProduct {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeWebhookCustomer {\n id: string;\n [key: string]: unknown;\n}\n\nexport interface RuntimeOrderWebhookPayload extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer?: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeProductWebhookPayload extends RuntimeWebhookBasePayload {\n product: RuntimeWebhookProduct;\n}\n\nexport interface RuntimeCustomerWebhookPayload extends RuntimeWebhookBasePayload {\n customer: RuntimeWebhookCustomer;\n}\n\nexport interface RuntimeCheckoutCompletedWebhookPayload\n extends RuntimeWebhookBasePayload {\n order: RuntimeWebhookOrder;\n customer: RuntimeWebhookCustomer;\n store: RuntimeWebhookStore;\n}\n\nexport interface RuntimeWebhookEventData {\n \"order.created\": RuntimeOrderWebhookPayload;\n \"order.updated\": RuntimeOrderWebhookPayload;\n \"order.cancelled\": RuntimeOrderWebhookPayload;\n \"order.completed\": RuntimeOrderWebhookPayload;\n \"product.created\": RuntimeProductWebhookPayload;\n \"product.updated\": RuntimeProductWebhookPayload;\n \"product.deleted\": RuntimeProductWebhookPayload;\n \"customer.created\": RuntimeCustomerWebhookPayload;\n \"customer.updated\": RuntimeCustomerWebhookPayload;\n \"checkout.completed\": RuntimeCheckoutCompletedWebhookPayload;\n}\n\n/** Runtime body delivered to subscriber endpoints. The event comes from X-Webhook-Event. */\nexport type RuntimeWebhookPayload<E extends WebhookEvent = WebhookEvent> =\n RuntimeWebhookEventData[E];\n\n/** Validate the minimum runtime payload shape before invoking typed handlers. */\nexport function isRuntimeWebhookPayload<E extends WebhookEvent>(\n value: unknown,\n event: E\n): value is RuntimeWebhookPayload<E> {\n if (!isRecord(value)) return false;\n\n switch (event) {\n case WEBHOOK_EVENTS.ORDER_CREATED:\n case WEBHOOK_EVENTS.ORDER_UPDATED:\n case WEBHOOK_EVENTS.ORDER_CANCELLED:\n case WEBHOOK_EVENTS.ORDER_COMPLETED:\n return isRuntimeOrderWebhookPayload(value);\n case WEBHOOK_EVENTS.PRODUCT_CREATED:\n case WEBHOOK_EVENTS.PRODUCT_UPDATED:\n case WEBHOOK_EVENTS.PRODUCT_DELETED:\n return isRuntimeProductWebhookPayload(value);\n case WEBHOOK_EVENTS.CUSTOMER_CREATED:\n case WEBHOOK_EVENTS.CUSTOMER_UPDATED:\n return isRuntimeCustomerWebhookPayload(value);\n case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:\n return isRuntimeCheckoutCompletedWebhookPayload(value);\n default:\n return false;\n }\n}\n","import { verifyWebhook } from \"../webhooks/verify.js\";\nimport { isRuntimeWebhookPayload, isWebhookEvent } from \"../webhooks/types.js\";\nimport type { WebhookEventHandler, WebhookHandlerOptions } from \"./types.js\";\n\nexport function createWebhookHandler(\n options: WebhookHandlerOptions\n): (request: Request) => Promise<Response> {\n return async function webhookHandler(request: Request): Promise<Response> {\n try {\n const rawPayload = await request.text();\n const signature = request.headers.get(\"X-Webhook-Signature\") ?? \"\";\n const timestamp = request.headers.get(\"X-Webhook-Timestamp\") ?? \"\";\n const event = request.headers.get(\"X-Webhook-Event\") ?? \"\";\n const deliveryId = request.headers.get(\"X-Webhook-Id\") ?? \"\";\n\n const isValid = verifyWebhook({\n payload: rawPayload,\n signature,\n timestamp,\n secret: options.secret,\n });\n\n if (!isValid) {\n return new Response(\"Invalid signature\", { status: 401 });\n }\n\n if (!event) {\n return new Response(\"Missing event header\", { status: 400 });\n }\n\n if (!isWebhookEvent(event)) {\n return new Response(\"Invalid event header\", { status: 400 });\n }\n\n let parsedPayload: unknown;\n try {\n parsedPayload = JSON.parse(rawPayload) as unknown;\n } catch {\n return new Response(\"Invalid JSON\", { status: 400 });\n }\n\n if (!isRuntimeWebhookPayload(parsedPayload, event)) {\n return new Response(\"Invalid payload\", { status: 400 });\n }\n\n const context = { deliveryId, event, timestamp };\n const handler = options.handlers[event] as\n | WebhookEventHandler<typeof event>\n | undefined;\n\n if (handler) {\n await handler(parsedPayload, context);\n } else if (options.onUnhandledEvent) {\n await options.onUnhandledEvent(event, parsedPayload, context);\n }\n\n return new Response(\"OK\", { status: 200 });\n } catch {\n return new Response(\"Internal error\", { status: 500 });\n }\n };\n}\n"],"mappings":";AAAA,SAAS,YAAY,uBAAuB;AAE5C,IAAM,4BAA4B;AAqB3B,SAAS,cAAc;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,mBAAmB;AAAA,EACnB,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC5C,GAAiC;AAC/B,MAAI,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,cAAc,GAAI,QAAO;AAElE,QAAM,kBAAkB,OAAO,SAAS;AACxC,QAAM,iBACJ,OAAO,cAAc,WAAW,YAAY,OAAO,SAAS;AAE9D,MAAI,CAAC,OAAO,UAAU,cAAc,EAAG,QAAO;AAC9C,MAAI,CAAC,OAAO,SAAS,gBAAgB,KAAK,mBAAmB,EAAG,QAAO;AACvE,MAAI,CAAC,OAAO,SAAS,WAAW,EAAG,QAAO;AAE1C,QAAM,aAAa,KAAK,IAAI,cAAc,cAAc;AACxD,MAAI,aAAa,iBAAkB,QAAO;AAE1C,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,GAAG,eAAe,IAAI,OAAO,IAAI,MAAM,EAC9C,OAAO,KAAK;AAEf,MAAI,SAAS,WAAW,UAAU,OAAQ,QAAO;AACjD,MAAI,CAAC,eAAe,KAAK,SAAS,EAAG,QAAO;AAE5C,MAAI;AACF,WAAO;AAAA,MACL,OAAO,KAAK,UAAU,KAAK;AAAA,MAC3B,OAAO,KAAK,WAAW,KAAK;AAAA,IAC9B;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AC3DA;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AAGA,IAAM,iBAAiB;AAMvB,SAAS,eAAe,OAAsC;AACnE,SAAO,qBAAqB,KAAK;AACnC;AAEA,SAAS,SAAS,OAAkD;AAClE,SAAO,OAAO,UAAU,YAAY,UAAU,QAAQ,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAyC;AAC5D,SAAO,SAAS,KAAK,KAAK,OAAO,MAAM,OAAO;AAChD;AAEA,SAAS,iBACP,OACA,KACS;AACT,SAAO,MAAM,GAAG,MAAM,UAAa,OAAO,MAAM,GAAG,MAAM;AAC3D;AAEA,SAAS,sBAAsB,OAA8C;AAC3E,SACE,SAAS,KAAK,KACd,OAAO,MAAM,OAAO,YACpB,OAAO,MAAM,aAAa,aACzB,MAAM,SAAS,UAAa,OAAO,MAAM,SAAS;AAEvD;AAEA,SAAS,0BAA0B,OAAyC;AAC1E,MAAI,CAAC,iBAAiB,OAAO,UAAU,EAAG,QAAO;AACjD,MAAI,CAAC,iBAAiB,OAAO,aAAa,EAAG,QAAO;AAEpD,SAAO,sBAAsB,MAAM,KAAK;AAC1C;AAEA,SAAS,6BAA6B,OAAyC;AAC7E,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,MACtB,MAAM,aAAa,UAAa,YAAY,MAAM,QAAQ;AAE/D;AAEA,SAAS,+BAA+B,OAAyC;AAC/E,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,OAAO;AACtE;AAEA,SAAS,gCAAgC,OAAyC;AAChF,SAAO,0BAA0B,KAAK,KAAK,YAAY,MAAM,QAAQ;AACvE;AAEA,SAAS,yCACP,OACS;AACT,SACE,0BAA0B,KAAK,KAC/B,YAAY,MAAM,KAAK,KACvB,YAAY,MAAM,QAAQ,KAC1B,sBAAsB,MAAM,KAAK;AAErC;AA2IO,SAAS,wBACd,OACA,OACmC;AACnC,MAAI,CAAC,SAAS,KAAK,EAAG,QAAO;AAE7B,UAAQ,OAAO;AAAA,IACb,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,6BAA6B,KAAK;AAAA,IAC3C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,+BAA+B,KAAK;AAAA,IAC7C,KAAK,eAAe;AAAA,IACpB,KAAK,eAAe;AAClB,aAAO,gCAAgC,KAAK;AAAA,IAC9C,KAAK,eAAe;AAClB,aAAO,yCAAyC,KAAK;AAAA,IACvD;AACE,aAAO;AAAA,EACX;AACF;;;ACxOO,SAAS,qBACd,SACyC;AACzC,SAAO,eAAe,eAAe,SAAqC;AACxE,QAAI;AACF,YAAM,aAAa,MAAM,QAAQ,KAAK;AACtC,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAChE,YAAM,YAAY,QAAQ,QAAQ,IAAI,qBAAqB,KAAK;AAChE,YAAM,QAAQ,QAAQ,QAAQ,IAAI,iBAAiB,KAAK;AACxD,YAAM,aAAa,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAE1D,YAAM,UAAU,cAAc;AAAA,QAC5B,SAAS;AAAA,QACT;AAAA,QACA;AAAA,QACA,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAED,UAAI,CAAC,SAAS;AACZ,eAAO,IAAI,SAAS,qBAAqB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC1D;AAEA,UAAI,CAAC,OAAO;AACV,eAAO,IAAI,SAAS,wBAAwB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7D;AAEA,UAAI,CAAC,eAAe,KAAK,GAAG;AAC1B,eAAO,IAAI,SAAS,wBAAwB,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC7D;AAEA,UAAI;AACJ,UAAI;AACF,wBAAgB,KAAK,MAAM,UAAU;AAAA,MACvC,QAAQ;AACN,eAAO,IAAI,SAAS,gBAAgB,EAAE,QAAQ,IAAI,CAAC;AAAA,MACrD;AAEA,UAAI,CAAC,wBAAwB,eAAe,KAAK,GAAG;AAClD,eAAO,IAAI,SAAS,mBAAmB,EAAE,QAAQ,IAAI,CAAC;AAAA,MACxD;AAEA,YAAM,UAAU,EAAE,YAAY,OAAO,UAAU;AAC/C,YAAM,UAAU,QAAQ,SAAS,KAAK;AAItC,UAAI,SAAS;AACX,cAAM,QAAQ,eAAe,OAAO;AAAA,MACtC,WAAW,QAAQ,kBAAkB;AACnC,cAAM,QAAQ,iBAAiB,OAAO,eAAe,OAAO;AAAA,MAC9D;AAEA,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C,QAAQ;AACN,aAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,IAAI,CAAC;AAAA,IACvD;AAAA,EACF;AACF;","names":[]}
|
package/dist/bridge/index.cjs
CHANGED
|
@@ -42,8 +42,11 @@ var DATA_RESOURCE_SCOPE = {
|
|
|
42
42
|
products: "read:products",
|
|
43
43
|
orders: "read:orders",
|
|
44
44
|
customers: "read:customers",
|
|
45
|
-
categories: "read:products"
|
|
45
|
+
categories: "read:products",
|
|
46
46
|
// categories share the products scope
|
|
47
|
+
store: "read:store",
|
|
48
|
+
geo: "read:store"
|
|
49
|
+
// geo is global reference data, scoped to read:store
|
|
47
50
|
};
|
|
48
51
|
var BILLING_OPERATION = {
|
|
49
52
|
GET_PLANS: "getPlans",
|
|
@@ -455,11 +458,39 @@ function useWhataloData() {
|
|
|
455
458
|
},
|
|
456
459
|
[fetchResource]
|
|
457
460
|
);
|
|
461
|
+
const storeGet = (0, import_react3.useCallback)(async () => {
|
|
462
|
+
const ack = await fetchResource("store", "get");
|
|
463
|
+
return extractAckData(ack);
|
|
464
|
+
}, [fetchResource]);
|
|
465
|
+
const geoCountries = (0, import_react3.useCallback)(
|
|
466
|
+
async (params) => {
|
|
467
|
+
const ack = await fetchResource(
|
|
468
|
+
"geo",
|
|
469
|
+
"list",
|
|
470
|
+
{ ...params, _sub: "countries" }
|
|
471
|
+
);
|
|
472
|
+
return extractAckData(ack);
|
|
473
|
+
},
|
|
474
|
+
[fetchResource]
|
|
475
|
+
);
|
|
476
|
+
const geoProvinces = (0, import_react3.useCallback)(
|
|
477
|
+
async (countryIso2) => {
|
|
478
|
+
const ack = await fetchResource(
|
|
479
|
+
"geo",
|
|
480
|
+
"list",
|
|
481
|
+
{ _sub: "provinces", country: countryIso2 }
|
|
482
|
+
);
|
|
483
|
+
return extractAckData(ack);
|
|
484
|
+
},
|
|
485
|
+
[fetchResource]
|
|
486
|
+
);
|
|
458
487
|
return {
|
|
459
488
|
products: { list: productsList, get: productsGet },
|
|
460
489
|
orders: { list: ordersList, get: ordersGet },
|
|
461
490
|
customers: { list: customersList, get: customersGet },
|
|
462
|
-
categories: { list: categoriesList, get: categoriesGet }
|
|
491
|
+
categories: { list: categoriesList, get: categoriesGet },
|
|
492
|
+
store: { get: storeGet },
|
|
493
|
+
geo: { countries: geoCountries, provinces: geoProvinces }
|
|
463
494
|
};
|
|
464
495
|
}
|
|
465
496
|
// Annotate the CommonJS export names for ESM import in node:
|