@whatalo/plugin-sdk 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/dist/adapters/express.cjs +101 -10
  2. package/dist/adapters/express.cjs.map +1 -1
  3. package/dist/adapters/express.d.cts +9 -7
  4. package/dist/adapters/express.d.ts +9 -7
  5. package/dist/adapters/express.mjs +104 -10
  6. package/dist/adapters/express.mjs.map +1 -1
  7. package/dist/adapters/hono.cjs +94 -7
  8. package/dist/adapters/hono.cjs.map +1 -1
  9. package/dist/adapters/hono.d.cts +4 -3
  10. package/dist/adapters/hono.d.ts +4 -3
  11. package/dist/adapters/hono.mjs +97 -7
  12. package/dist/adapters/hono.mjs.map +1 -1
  13. package/dist/adapters/nextjs.cjs +94 -7
  14. package/dist/adapters/nextjs.cjs.map +1 -1
  15. package/dist/adapters/nextjs.d.cts +4 -3
  16. package/dist/adapters/nextjs.d.ts +4 -3
  17. package/dist/adapters/nextjs.mjs +97 -7
  18. package/dist/adapters/nextjs.mjs.map +1 -1
  19. package/dist/bridge/index.cjs +33 -2
  20. package/dist/bridge/index.cjs.map +1 -1
  21. package/dist/bridge/index.d.cts +17 -5
  22. package/dist/bridge/index.d.ts +17 -5
  23. package/dist/bridge/index.mjs +33 -2
  24. package/dist/bridge/index.mjs.map +1 -1
  25. package/dist/client/index.cjs +33 -2
  26. package/dist/client/index.cjs.map +1 -1
  27. package/dist/client/index.d.cts +29 -1
  28. package/dist/client/index.d.ts +29 -1
  29. package/dist/client/index.mjs +33 -2
  30. package/dist/client/index.mjs.map +1 -1
  31. package/dist/index.cjs +146 -24
  32. package/dist/index.cjs.map +1 -1
  33. package/dist/index.d.cts +6 -3
  34. package/dist/index.d.ts +6 -3
  35. package/dist/index.mjs +146 -24
  36. package/dist/index.mjs.map +1 -1
  37. package/dist/manifest/index.cjs +2 -17
  38. package/dist/manifest/index.cjs.map +1 -1
  39. package/dist/manifest/index.d.cts +10 -4
  40. package/dist/manifest/index.d.ts +10 -4
  41. package/dist/manifest/index.mjs +2 -17
  42. package/dist/manifest/index.mjs.map +1 -1
  43. package/dist/{types-DcmArIC2.d.ts → types-B8BAV362.d.cts} +24 -1
  44. package/dist/{types-DcmArIC2.d.cts → types-B8BAV362.d.ts} +24 -1
  45. package/dist/types-BU71_xQm.d.cts +25 -0
  46. package/dist/types-BhtVJPgF.d.ts +25 -0
  47. package/dist/types-Bo9GbqrM.d.ts +133 -0
  48. package/dist/types-rA6kVlpV.d.cts +133 -0
  49. package/dist/webhooks/index.cjs +78 -3
  50. package/dist/webhooks/index.cjs.map +1 -1
  51. package/dist/webhooks/index.d.cts +11 -4
  52. package/dist/webhooks/index.d.ts +11 -4
  53. package/dist/webhooks/index.mjs +78 -3
  54. package/dist/webhooks/index.mjs.map +1 -1
  55. package/package.json +4 -1
  56. package/dist/types-C9mg4aQg.d.ts +0 -19
  57. package/dist/types-DMuHSL_a.d.cts +0 -19
  58. package/dist/types-DTjA3FHe.d.ts +0 -68
  59. package/dist/types-tHUO9u-c.d.cts +0 -68
package/dist/index.mjs CHANGED
@@ -111,6 +111,8 @@ var WhataloClient = class {
111
111
  inventory;
112
112
  /** Webhook resource methods */
113
113
  webhooks;
114
+ /** Geo reference data methods */
115
+ geo;
114
116
  constructor(options) {
115
117
  if (typeof window !== "undefined" && typeof process === "undefined") {
116
118
  console.warn(
@@ -132,6 +134,7 @@ var WhataloClient = class {
132
134
  this.store = new StoreResource(this);
133
135
  this.inventory = new InventoryResource(this);
134
136
  this.webhooks = new WebhookResource(this);
137
+ this.geo = new GeoResource(this);
135
138
  }
136
139
  /**
137
140
  * Internal request method shared by all resource namespaces.
@@ -373,10 +376,10 @@ var InventoryResource = class {
373
376
  this.client = client;
374
377
  }
375
378
  async get(productId) {
376
- return this.client.request("GET", `/products/${productId}/inventory`);
379
+ return this.client.request("GET", `/inventory/products/${productId}`);
377
380
  }
378
381
  async adjust(productId, data) {
379
- return this.client.request("PATCH", `/products/${productId}/inventory`, {
382
+ return this.client.request("PATCH", `/inventory/products/${productId}`, {
380
383
  body: data
381
384
  });
382
385
  }
@@ -398,17 +401,57 @@ var WebhookResource = class {
398
401
  return this.client.request("DELETE", `/webhooks/${id}`);
399
402
  }
400
403
  };
404
+ var GeoResource = class {
405
+ constructor(client) {
406
+ this.client = client;
407
+ }
408
+ /**
409
+ * List countries.
410
+ * By default returns only supported countries (is_supported=true).
411
+ * Pass `{ all: true }` to retrieve all 250 countries.
412
+ */
413
+ async listCountries(params) {
414
+ return this.client.request("GET", "/geo/countries", {
415
+ params: params?.all !== void 0 ? { all: params.all } : void 0
416
+ });
417
+ }
418
+ /**
419
+ * Get a single country by ISO 3166-1 alpha-2 code.
420
+ */
421
+ async getCountry(iso2) {
422
+ return this.client.request("GET", `/geo/countries/${iso2.toUpperCase()}`);
423
+ }
424
+ /**
425
+ * List provinces (states, departments, regions) for a country.
426
+ * Returns an empty array for countries with no province data.
427
+ */
428
+ async listProvinces(countryIso2) {
429
+ return this.client.request("GET", `/geo/countries/${countryIso2.toUpperCase()}/provinces`);
430
+ }
431
+ };
401
432
 
402
433
  // src/webhooks/verify.ts
403
434
  import { createHmac, timingSafeEqual } from "crypto";
435
+ var DEFAULT_TOLERANCE_SECONDS = 300;
404
436
  function verifyWebhook({
405
437
  payload,
406
438
  signature,
407
- secret
439
+ timestamp,
440
+ secret,
441
+ toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
442
+ currentTime = Math.floor(Date.now() / 1e3)
408
443
  }) {
409
- if (!payload || !signature || !secret) return false;
410
- const expected = createHmac("sha256", secret).update(payload, "utf8").digest("hex");
444
+ if (!payload || !signature || !secret || timestamp === "") return false;
445
+ const timestampString = String(timestamp);
446
+ const timestampValue = typeof timestamp === "number" ? timestamp : Number(timestamp);
447
+ if (!Number.isInteger(timestampValue)) return false;
448
+ if (!Number.isFinite(toleranceSeconds) || toleranceSeconds < 0) return false;
449
+ if (!Number.isFinite(currentTime)) return false;
450
+ const ageSeconds = Math.abs(currentTime - timestampValue);
451
+ if (ageSeconds > toleranceSeconds) return false;
452
+ const expected = createHmac("sha256", secret).update(`${timestampString}.${payload}`, "utf8").digest("hex");
411
453
  if (expected.length !== signature.length) return false;
454
+ if (!/^[a-f0-9]+$/i.test(signature)) return false;
412
455
  try {
413
456
  return timingSafeEqual(
414
457
  Buffer.from(expected, "hex"),
@@ -419,7 +462,68 @@ function verifyWebhook({
419
462
  }
420
463
  }
421
464
 
465
+ // src/webhooks/types.ts
466
+ import {
467
+ PUBLIC_WEBHOOK_EVENTS,
468
+ isPublicWebhookEvent
469
+ } from "@whatalo/protocol/events";
470
+ var WEBHOOK_EVENTS = PUBLIC_WEBHOOK_EVENTS;
471
+ function isWebhookEvent(value) {
472
+ return isPublicWebhookEvent(value);
473
+ }
474
+ function isRecord(value) {
475
+ return typeof value === "object" && value !== null && !Array.isArray(value);
476
+ }
477
+ function hasStringId(value) {
478
+ return isRecord(value) && typeof value.id === "string";
479
+ }
480
+ function isOptionalString(value, key) {
481
+ return value[key] === void 0 || typeof value[key] === "string";
482
+ }
483
+ function isRuntimeWebhookStore(value) {
484
+ return isRecord(value) && typeof value.id === "string" && typeof value.timezone === "string" && (value.name === void 0 || typeof value.name === "string");
485
+ }
486
+ function hasValidBasePayloadFields(value) {
487
+ if (!isOptionalString(value, "event_id")) return false;
488
+ if (!isOptionalString(value, "occurred_at")) return false;
489
+ return isRuntimeWebhookStore(value.store);
490
+ }
491
+ function isRuntimeOrderWebhookPayload(value) {
492
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && (value.customer === void 0 || hasStringId(value.customer));
493
+ }
494
+ function isRuntimeProductWebhookPayload(value) {
495
+ return hasValidBasePayloadFields(value) && hasStringId(value.product);
496
+ }
497
+ function isRuntimeCustomerWebhookPayload(value) {
498
+ return hasValidBasePayloadFields(value) && hasStringId(value.customer);
499
+ }
500
+ function isRuntimeCheckoutCompletedWebhookPayload(value) {
501
+ return hasValidBasePayloadFields(value) && hasStringId(value.order) && hasStringId(value.customer) && isRuntimeWebhookStore(value.store);
502
+ }
503
+ function isRuntimeWebhookPayload(value, event) {
504
+ if (!isRecord(value)) return false;
505
+ switch (event) {
506
+ case WEBHOOK_EVENTS.ORDER_CREATED:
507
+ case WEBHOOK_EVENTS.ORDER_UPDATED:
508
+ case WEBHOOK_EVENTS.ORDER_CANCELLED:
509
+ case WEBHOOK_EVENTS.ORDER_COMPLETED:
510
+ return isRuntimeOrderWebhookPayload(value);
511
+ case WEBHOOK_EVENTS.PRODUCT_CREATED:
512
+ case WEBHOOK_EVENTS.PRODUCT_UPDATED:
513
+ case WEBHOOK_EVENTS.PRODUCT_DELETED:
514
+ return isRuntimeProductWebhookPayload(value);
515
+ case WEBHOOK_EVENTS.CUSTOMER_CREATED:
516
+ case WEBHOOK_EVENTS.CUSTOMER_UPDATED:
517
+ return isRuntimeCustomerWebhookPayload(value);
518
+ case WEBHOOK_EVENTS.CHECKOUT_COMPLETED:
519
+ return isRuntimeCheckoutCompletedWebhookPayload(value);
520
+ default:
521
+ return false;
522
+ }
523
+ }
524
+
422
525
  // src/manifest/validate.ts
526
+ import { SCOPE_LIST } from "@whatalo/protocol/scopes";
423
527
  var ManifestValidationError = class extends Error {
424
528
  errors;
425
529
  constructor(errors) {
@@ -432,23 +536,7 @@ var ManifestValidationError = class extends Error {
432
536
  var ID_REGEX = /^[a-z0-9][a-z0-9-]*[a-z0-9]$/;
433
537
  var SEMVER_REGEX = /^\d+\.\d+\.\d+$/;
434
538
  var EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
435
- var VALID_PERMISSIONS = /* @__PURE__ */ new Set([
436
- "read:products",
437
- "write:products",
438
- "read:orders",
439
- "write:orders",
440
- "read:customers",
441
- "write:customers",
442
- "read:inventory",
443
- "write:inventory",
444
- "read:store",
445
- "write:store",
446
- "read:webhooks",
447
- "write:webhooks",
448
- "read:discounts",
449
- "write:discounts",
450
- "read:analytics"
451
- ]);
539
+ var VALID_PERMISSIONS = new Set(SCOPE_LIST.map((s) => s.token));
452
540
  var VALID_CATEGORIES = /* @__PURE__ */ new Set([
453
541
  "analytics",
454
542
  "marketing",
@@ -543,8 +631,11 @@ var DATA_RESOURCE_SCOPE = {
543
631
  products: "read:products",
544
632
  orders: "read:orders",
545
633
  customers: "read:customers",
546
- categories: "read:products"
634
+ categories: "read:products",
547
635
  // categories share the products scope
636
+ store: "read:store",
637
+ geo: "read:store"
638
+ // geo is global reference data, scoped to read:store
548
639
  };
549
640
  var BILLING_OPERATION = {
550
641
  GET_PLANS: "getPlans",
@@ -956,11 +1047,39 @@ function useWhataloData() {
956
1047
  },
957
1048
  [fetchResource]
958
1049
  );
1050
+ const storeGet = useCallback3(async () => {
1051
+ const ack = await fetchResource("store", "get");
1052
+ return extractAckData(ack);
1053
+ }, [fetchResource]);
1054
+ const geoCountries = useCallback3(
1055
+ async (params) => {
1056
+ const ack = await fetchResource(
1057
+ "geo",
1058
+ "list",
1059
+ { ...params, _sub: "countries" }
1060
+ );
1061
+ return extractAckData(ack);
1062
+ },
1063
+ [fetchResource]
1064
+ );
1065
+ const geoProvinces = useCallback3(
1066
+ async (countryIso2) => {
1067
+ const ack = await fetchResource(
1068
+ "geo",
1069
+ "list",
1070
+ { _sub: "provinces", country: countryIso2 }
1071
+ );
1072
+ return extractAckData(ack);
1073
+ },
1074
+ [fetchResource]
1075
+ );
959
1076
  return {
960
1077
  products: { list: productsList, get: productsGet },
961
1078
  orders: { list: ordersList, get: ordersGet },
962
1079
  customers: { list: customersList, get: customersGet },
963
- categories: { list: categoriesList, get: categoriesGet }
1080
+ categories: { list: categoriesList, get: categoriesGet },
1081
+ store: { get: storeGet },
1082
+ geo: { countries: geoCountries, provinces: geoProvinces }
964
1083
  };
965
1084
  }
966
1085
 
@@ -977,10 +1096,13 @@ export {
977
1096
  RateLimitError,
978
1097
  SDK_VERSION,
979
1098
  ValidationError,
1099
+ WEBHOOK_EVENTS,
980
1100
  WhataloAPIError,
981
1101
  WhataloClient,
982
1102
  clearSessionTokenCache,
983
1103
  defineApp,
1104
+ isRuntimeWebhookPayload,
1105
+ isWebhookEvent,
984
1106
  sessionToken,
985
1107
  useAppBridge,
986
1108
  useWhataloAction,