@withaevum/sdk 1.3.7 → 1.3.9

package/dist/index.d.ts

@@ -8,5 +8,7 @@ export { CalendarAPI } from './calendar';
 export { AnalyticsAPI } from './analytics';
 export { AvailabilityAPI } from './availability';
 export { PaymentsAPI } from './payments';
+export { verifyWebhook, WebhookVerificationError } from './webhooks';
+export type { WebhookEvent } from './webhooks';
 export * from './types';
 export * from './errors';

package/dist/index.js

@@ -9,5 +9,6 @@ export { CalendarAPI } from './calendar';
 export { AnalyticsAPI } from './analytics';
 export { AvailabilityAPI } from './availability';
 export { PaymentsAPI } from './payments';
+export { verifyWebhook, WebhookVerificationError } from './webhooks';
 export * from './types';
 export * from './errors';

package/dist/webhooks.d.ts

@@ -0,0 +1,20 @@
+export interface WebhookEvent {
+    type: string;
+    version: string;
+    id: string;
+    delivery_id: string;
+    timestamp: string;
+    data: Record<string, unknown>;
+}
+export declare class WebhookVerificationError extends Error {
+    constructor(message: string);
+}
+/**
+ * Verify webhook signature and parse event
+ * @param body - Raw request body as string
+ * @param signature - Signature from X-Aevum-Signature header
+ * @param secret - Webhook secret
+ * @returns Parsed webhook event
+ * @throws WebhookVerificationError if signature verification fails
+ */
+export declare function verifyWebhook(body: string, signature: string, secret: string): WebhookEvent;

package/dist/webhooks.js

@@ -0,0 +1,50 @@
+// packages/sdk/src/webhooks.ts
+// Webhook verification utilities
+import crypto from 'crypto';
+export class WebhookVerificationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'WebhookVerificationError';
+    }
+}
+/**
+ * Verify webhook signature and parse event
+ * @param body - Raw request body as string
+ * @param signature - Signature from X-Aevum-Signature header
+ * @param secret - Webhook secret
+ * @returns Parsed webhook event
+ * @throws WebhookVerificationError if signature verification fails
+ */
+export function verifyWebhook(body, signature, secret) {
+    if (!body || !signature || !secret) {
+        throw new WebhookVerificationError('Missing required parameters: body, signature, or secret');
+    }
+    // Extract signature from format: sha256=<hex>
+    const signatureMatch = signature.match(/^sha256=(.+)$/);
+    if (!signatureMatch) {
+        throw new WebhookVerificationError('Invalid signature format. Expected format: sha256=<hex>');
+    }
+    const providedSignature = signatureMatch[1];
+    // Compute signature with secret
+    const computedSignature = crypto
+        .createHmac('sha256', secret)
+        .update(body)
+        .digest('hex');
+    // Compare signatures using constant-time comparison
+    if (!crypto.timingSafeEqual(Buffer.from(providedSignature, 'hex'), Buffer.from(computedSignature, 'hex'))) {
+        throw new WebhookVerificationError('Invalid webhook signature');
+    }
+    // Parse and validate event
+    let event;
+    try {
+        event = JSON.parse(body);
+    }
+    catch (error) {
+        throw new WebhookVerificationError(`Invalid JSON payload: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    // Validate event structure
+    if (!event.type || !event.version || !event.id || !event.delivery_id) {
+        throw new WebhookVerificationError('Invalid event structure: missing required fields');
+    }
+    return event;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@withaevum/sdk",
-  "version": "1.3.7",
+  "version": "1.3.9",
   "description": "TypeScript SDK for the Aevum API",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",