@workos-inc/node 7.30.0 → 7.31.0-beta.actions1

package/lib/actions/actions.d.ts

@@ -0,0 +1,19 @@
+import { CryptoProvider } from '../common/crypto/crypto-provider';
+import { AuthenticationActionResponseData, ResponsePayload, UserRegistrationActionResponseData } from './interfaces/response-payload';
+export declare class Actions {
+    private signatureProvider;
+    constructor(cryptoProvider: CryptoProvider);
+    private get computeSignature();
+    get verifyHeader(): ({ payload, sigHeader, secret, tolerance, }: {
+        payload: any;
+        sigHeader: string;
+        secret: string;
+        tolerance?: number | undefined;
+    }) => Promise<boolean>;
+    serializeType(type: AuthenticationActionResponseData['type'] | UserRegistrationActionResponseData['type']): "authentication_action_response" | "user_registration_action_response";
+    signResponse(data: AuthenticationActionResponseData | UserRegistrationActionResponseData, secret: string): Promise<{
+        object: string;
+        payload: ResponsePayload;
+        signature: string;
+    }>;
+}

package/lib/actions/actions.js

@@ -0,0 +1,53 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Actions = void 0;
+const crypto_1 = require("../common/crypto");
+const unreachable_1 = require("../common/utils/unreachable");
+class Actions {
+    constructor(cryptoProvider) {
+        this.signatureProvider = new crypto_1.SignatureProvider(cryptoProvider);
+    }
+    get computeSignature() {
+        return this.signatureProvider.computeSignature.bind(this.signatureProvider);
+    }
+    get verifyHeader() {
+        return this.signatureProvider.verifyHeader.bind(this.signatureProvider);
+    }
+    serializeType(type) {
+        switch (type) {
+            case 'authentication':
+                return 'authentication_action_response';
+            case 'user_registration':
+                return 'user_registration_action_response';
+            default:
+                return (0, unreachable_1.unreachable)(type);
+        }
+    }
+    signResponse(data, secret) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let errorMessage;
+            const { verdict, type } = data;
+            if (verdict === 'Deny' && data.errorMessage) {
+                errorMessage = data.errorMessage;
+            }
+            const responsePayload = Object.assign({ timestamp: Date.now(), verdict }, (verdict === 'Deny' &&
+                data.errorMessage && { error_message: errorMessage }));
+            const response = {
+                object: this.serializeType(type),
+                payload: responsePayload,
+                signature: yield this.computeSignature(responsePayload.timestamp, responsePayload, secret),
+            };
+            return response;
+        });
+    }
+}
+exports.Actions = Actions;

package/lib/actions/actions.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/actions/actions.spec.js

@@ -0,0 +1,78 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = __importDefault(require("crypto"));
+const workos_1 = require("../workos");
+const action_context_json_1 = __importDefault(require("./fixtures/action-context.json"));
+const workos = new workos_1.WorkOS('sk_test_Sz3IQjepeSWaI4cMS4ms4sMuU');
+const crypto_2 = require("../common/crypto");
+describe('Actions', () => {
+    let secret;
+    beforeEach(() => {
+        secret = 'secret';
+    });
+    describe('signResponse', () => {
+        describe('type: authentication', () => {
+            it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
+                const nodeCryptoProvider = new crypto_2.NodeCryptoProvider();
+                const response = yield workos.actions.signResponse({
+                    type: 'authentication',
+                    verdict: 'Allow',
+                }, secret);
+                const signedPayload = `${response.payload.timestamp}.${JSON.stringify(response.payload)}`;
+                const expectedSig = yield nodeCryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
+                expect(response.object).toEqual('authentication_action_response');
+                expect(response.payload.verdict).toEqual('Allow');
+                expect(response.payload.timestamp).toBeGreaterThan(0);
+                expect(response.signature).toEqual(expectedSig);
+            }));
+        });
+        describe('type: user_registration', () => {
+            it('returns a signed response', () => __awaiter(void 0, void 0, void 0, function* () {
+                const nodeCryptoProvider = new crypto_2.NodeCryptoProvider();
+                const response = yield workos.actions.signResponse({
+                    type: 'user_registration',
+                    verdict: 'Deny',
+                    errorMessage: 'User already exists',
+                }, secret);
+                const signedPayload = `${response.payload.timestamp}.${JSON.stringify(response.payload)}`;
+                const expectedSig = yield nodeCryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
+                expect(response.object).toEqual('user_registration_action_response');
+                expect(response.payload.verdict).toEqual('Deny');
+                expect(response.payload.timestamp).toBeGreaterThan(0);
+                expect(response.signature).toEqual(expectedSig);
+            }));
+        });
+    });
+    describe('verifyHeader', () => {
+        it('aliases to the signature provider', () => __awaiter(void 0, void 0, void 0, function* () {
+            const spy = jest.spyOn(
+            // tslint:disable-next-line
+            workos.actions['signatureProvider'], 'verifyHeader');
+            const timestamp = Date.now() * 1000;
+            const unhashedString = `${timestamp}.${JSON.stringify(action_context_json_1.default)}`;
+            const signatureHash = crypto_1.default
+                .createHmac('sha256', secret)
+                .update(unhashedString)
+                .digest()
+                .toString('hex');
+            yield workos.actions.verifyHeader({
+                payload: action_context_json_1.default,
+                sigHeader: `t=${timestamp}, v1=${signatureHash}`,
+                secret,
+            });
+            expect(spy).toHaveBeenCalled();
+        }));
+    });
+});

package/lib/actions/fixtures/action-context.json

@@ -0,0 +1,39 @@
+{
+    "user": {
+        "object": "user",
+        "id": "01JATCHZVEC5EPANDPEZVM68Y9",
+        "email": "jane@foocorp.com",
+        "first_name": "Jane",
+        "last_name": "Doe",
+        "email_verified": true,
+        "profile_picture_url": "https://example.com/jane.jpg",
+        "created_at": "2024-10-22T17:12:50.746Z",
+        "updated_at": "2024-10-22T17:12:50.746Z"
+    },
+    "ip_address": "50.141.123.10",
+    "user_agent": "Mozilla/5.0",
+    "issuer": "test",
+    "object": "authentication_action_context",
+    "organization": {
+        "object": "organization",
+        "id": "01JATCMZJY26PQ59XT9BNT0FNN",
+        "name": "Foo Corp",
+        "allow_profiles_outside_organization": false,
+        "domains": [],
+        "lookup_key": "my-key",
+        "created_at": "2024-10-22T17:12:50.746Z",
+        "updated_at": "2024-10-22T17:12:50.746Z"
+    },
+    "organization_membership": {
+        "object": "organization_membership",
+        "id": "01JATCNVYCHT1SZGENR4QTXKRK",
+        "user_id": "01JATCHZVEC5EPANDPEZVM68Y9",
+        "organization_id": "01JATCMZJY26PQ59XT9BNT0FNN",
+        "role": {
+            "slug": "member"
+        },
+        "status": "active",
+        "created_at": "2024-10-22T17:12:50.746Z",
+        "updated_at": "2024-10-22T17:12:50.746Z"
+    }
+}

package/lib/actions/interfaces/response-payload.d.ts

@@ -0,0 +1,23 @@
+export interface ResponsePayload {
+    timestamp: number;
+    verdict?: 'Allow' | 'Deny';
+    errorMessage?: string;
+}
+interface AllowResponseData {
+    verdict: 'Allow';
+}
+interface DenyResponseData {
+    verdict: 'Deny';
+    errorMessage?: string;
+}
+export type AuthenticationActionResponseData = (AllowResponseData & {
+    type: 'authentication';
+}) | (DenyResponseData & {
+    type: 'authentication';
+});
+export type UserRegistrationActionResponseData = (AllowResponseData & {
+    type: 'user_registration';
+}) | (DenyResponseData & {
+    type: 'user_registration';
+});
+export {};

package/lib/actions/interfaces/response-payload.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/common/crypto/CryptoProvider.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Interface encapsulating the various crypto computations used by the library,
+ * allowing pluggable underlying crypto implementations.
+ */
+export declare abstract class CryptoProvider {
+    encoder: TextEncoder;
+    /**
+     * Computes a SHA-256 HMAC given a secret and a payload (encoded in UTF-8).
+     * The output HMAC should be encoded in hexadecimal.
+     *
+     * Sample values for implementations:
+     * - computeHMACSignature('', 'test_secret') => 'f7f9bd47fb987337b5796fdc1fdb9ba221d0d5396814bfcaf9521f43fd8927fd'
+     * - computeHMACSignature('\ud83d\ude00', 'test_secret') => '837da296d05c4fe31f61d5d7ead035099d9585a5bcde87de952012a78f0b0c43
+     */
+    abstract computeHMACSignature(payload: string, secret: string): string;
+    /**
+     * Asynchronous version of `computeHMACSignature`. Some implementations may
+     * only allow support async signature computation.
+     *
+     * Computes a SHA-256 HMAC given a secret and a payload (encoded in UTF-8).
+     * The output HMAC should be encoded in hexadecimal.
+     *
+     * Sample values for implementations:
+     * - computeHMACSignature('', 'test_secret') => 'f7f9bd47fb987337b5796fdc1fdb9ba221d0d5396814bfcaf9521f43fd8927fd'
+     * - computeHMACSignature('\ud83d\ude00', 'test_secret') => '837da296d05c4fe31f61d5d7ead035099d9585a5bcde87de952012a78f0b0c43
+     */
+    abstract computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
+    /**
+     * Cryptographically determine whether two signatures are equal
+     */
+    abstract secureCompare(stringA: string, stringB: string): Promise<boolean>;
+}

package/lib/common/crypto/CryptoProvider.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoProvider = void 0;
+/**
+ * Interface encapsulating the various crypto computations used by the library,
+ * allowing pluggable underlying crypto implementations.
+ */
+class CryptoProvider {
+    constructor() {
+        this.encoder = new TextEncoder();
+    }
+}
+exports.CryptoProvider = CryptoProvider;

package/lib/common/crypto/CryptoProvider.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/common/crypto/CryptoProvider.spec.js

@@ -0,0 +1,57 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = __importDefault(require("crypto"));
+const NodeCryptoProvider_1 = require("./NodeCryptoProvider");
+const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
+const SignatureProvider_1 = require("./SignatureProvider");
+describe('CryptoProvider', () => {
+    let payload;
+    let secret;
+    let timestamp;
+    let signatureHash;
+    beforeEach(() => {
+        payload = webhook_json_1.default;
+        secret = 'secret';
+        timestamp = Date.now() * 1000;
+        const unhashedString = `${timestamp}.${JSON.stringify(payload)}`;
+        signatureHash = crypto_1.default
+            .createHmac('sha256', secret)
+            .update(unhashedString)
+            .digest()
+            .toString('hex');
+    });
+    describe('when computing HMAC signature', () => {
+        it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
+            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
+            const stringifiedPayload = JSON.stringify(payload);
+            const payloadHMAC = `${timestamp}.${stringifiedPayload}`;
+            const nodeCompare = yield nodeCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
+            const subtleCompare = yield subtleCryptoProvider.computeHMACSignatureAsync(payloadHMAC, secret);
+            expect(nodeCompare).toEqual(subtleCompare);
+        }));
+    });
+    describe('when securely comparing', () => {
+        it('returns the same for the Node crypto and Web Crypto versions', () => __awaiter(void 0, void 0, void 0, function* () {
+            const nodeCryptoProvider = new NodeCryptoProvider_1.NodeCryptoProvider();
+            const subtleCryptoProvider = new SubtleCryptoProvider_1.SubtleCryptoProvider();
+            const signatureProvider = new SignatureProvider_1.SignatureProvider(subtleCryptoProvider);
+            const signature = yield signatureProvider.computeSignature(timestamp, payload, secret);
+            expect(nodeCryptoProvider.secureCompare(signature, signatureHash)).toEqual(subtleCryptoProvider.secureCompare(signature, signatureHash));
+            expect(nodeCryptoProvider.secureCompare(signature, 'foo')).toEqual(subtleCryptoProvider.secureCompare(signature, 'foo'));
+        }));
+    });
+});

package/lib/common/crypto/NodeCryptoProvider.d.ts

@@ -0,0 +1,12 @@
+import { CryptoProvider } from './CryptoProvider';
+/**
+ * `CryptoProvider which uses the Node `crypto` package for its computations.
+ */
+export declare class NodeCryptoProvider extends CryptoProvider {
+    /** @override */
+    computeHMACSignature(payload: string, secret: string): string;
+    /** @override */
+    computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
+    /** @override */
+    secureCompare(stringA: string, stringB: string): Promise<boolean>;
+}

package/lib/common/crypto/NodeCryptoProvider.js

@@ -0,0 +1,73 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NodeCryptoProvider = void 0;
+const crypto = __importStar(require("crypto"));
+const CryptoProvider_1 = require("./CryptoProvider");
+/**
+ * `CryptoProvider which uses the Node `crypto` package for its computations.
+ */
+class NodeCryptoProvider extends CryptoProvider_1.CryptoProvider {
+    /** @override */
+    computeHMACSignature(payload, secret) {
+        return crypto
+            .createHmac('sha256', secret)
+            .update(payload, 'utf8')
+            .digest('hex');
+    }
+    /** @override */
+    computeHMACSignatureAsync(payload, secret) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const signature = yield this.computeHMACSignature(payload, secret);
+            return signature;
+        });
+    }
+    /** @override */
+    secureCompare(stringA, stringB) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const bufferA = this.encoder.encode(stringA);
+            const bufferB = this.encoder.encode(stringB);
+            if (bufferA.length !== bufferB.length) {
+                return false;
+            }
+            // Generate a random key for HMAC
+            const key = crypto.randomBytes(32); // Generates a 256-bit key
+            const hmacA = crypto.createHmac('sha256', key).update(bufferA).digest();
+            const hmacB = crypto.createHmac('sha256', key).update(bufferB).digest();
+            // Perform a constant time comparison
+            return crypto.timingSafeEqual(hmacA, hmacB);
+        });
+    }
+}
+exports.NodeCryptoProvider = NodeCryptoProvider;

package/lib/common/crypto/SignatureProvider.d.ts

@@ -0,0 +1,13 @@
+import { CryptoProvider } from './CryptoProvider';
+export declare class SignatureProvider {
+    private cryptoProvider;
+    constructor(cryptoProvider: CryptoProvider);
+    verifyHeader({ payload, sigHeader, secret, tolerance, }: {
+        payload: any;
+        sigHeader: string;
+        secret: string;
+        tolerance?: number;
+    }): Promise<boolean>;
+    getTimestampAndSignatureHash(sigHeader: string): [string, string];
+    computeSignature(timestamp: any, payload: any, secret: string): Promise<string>;
+}

package/lib/common/crypto/SignatureProvider.js

@@ -0,0 +1,53 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SignatureProvider = void 0;
+const exceptions_1 = require("../exceptions");
+class SignatureProvider {
+    constructor(cryptoProvider) {
+        this.cryptoProvider = cryptoProvider;
+    }
+    verifyHeader({ payload, sigHeader, secret, tolerance = 180000, }) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const [timestamp, signatureHash] = this.getTimestampAndSignatureHash(sigHeader);
+            if (!signatureHash || Object.keys(signatureHash).length === 0) {
+                throw new exceptions_1.SignatureVerificationException('No signature hash found with expected scheme v1');
+            }
+            if (parseInt(timestamp, 10) < Date.now() - tolerance) {
+                throw new exceptions_1.SignatureVerificationException('Timestamp outside the tolerance zone');
+            }
+            const expectedSig = yield this.computeSignature(timestamp, payload, secret);
+            if ((yield this.cryptoProvider.secureCompare(expectedSig, signatureHash)) ===
+                false) {
+                throw new exceptions_1.SignatureVerificationException('Signature hash does not match the expected signature hash for payload');
+            }
+            return true;
+        });
+    }
+    getTimestampAndSignatureHash(sigHeader) {
+        const signature = sigHeader;
+        const [t, v1] = signature.split(',');
+        if (typeof t === 'undefined' || typeof v1 === 'undefined') {
+            throw new exceptions_1.SignatureVerificationException('Signature or timestamp missing');
+        }
+        const { 1: timestamp } = t.split('=');
+        const { 1: signatureHash } = v1.split('=');
+        return [timestamp, signatureHash];
+    }
+    computeSignature(timestamp, payload, secret) {
+        return __awaiter(this, void 0, void 0, function* () {
+            payload = JSON.stringify(payload);
+            const signedPayload = `${timestamp}.${payload}`;
+            return yield this.cryptoProvider.computeHMACSignatureAsync(signedPayload, secret);
+        });
+    }
+}
+exports.SignatureProvider = SignatureProvider;

package/lib/common/crypto/SignatureProvider.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/common/crypto/SignatureProvider.spec.js

@@ -0,0 +1,66 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = __importDefault(require("crypto"));
+const SubtleCryptoProvider_1 = require("./SubtleCryptoProvider");
+const webhook_json_1 = __importDefault(require("../../webhooks/fixtures/webhook.json"));
+const SignatureProvider_1 = require("./SignatureProvider");
+describe('SignatureProvider', () => {
+    let payload;
+    let secret;
+    let timestamp;
+    let signatureHash;
+    const signatureProvider = new SignatureProvider_1.SignatureProvider(new SubtleCryptoProvider_1.SubtleCryptoProvider());
+    beforeEach(() => {
+        payload = webhook_json_1.default;
+        secret = 'secret';
+        timestamp = Date.now() * 1000;
+        const unhashedString = `${timestamp}.${JSON.stringify(payload)}`;
+        signatureHash = crypto_1.default
+            .createHmac('sha256', secret)
+            .update(unhashedString)
+            .digest()
+            .toString('hex');
+    });
+    describe('verifyHeader', () => {
+        it('returns true when the signature is valid', () => __awaiter(void 0, void 0, void 0, function* () {
+            const sigHeader = `t=${timestamp}, v1=${signatureHash}`;
+            const options = { payload, sigHeader, secret };
+            const result = yield signatureProvider.verifyHeader(options);
+            expect(result).toBeTruthy();
+        }));
+    });
+    describe('getTimestampAndSignatureHash', () => {
+        it('returns the timestamp and signature when the signature is valid', () => {
+            const sigHeader = `t=${timestamp}, v1=${signatureHash}`;
+            const timestampAndSignature = signatureProvider.getTimestampAndSignatureHash(sigHeader);
+            expect(timestampAndSignature).toEqual([
+                timestamp.toString(),
+                signatureHash,
+            ]);
+        });
+    });
+    describe('computeSignature', () => {
+        it('returns the computed signature', () => __awaiter(void 0, void 0, void 0, function* () {
+            const signature = yield signatureProvider.computeSignature(timestamp, payload, secret);
+            expect(signature).toEqual(signatureHash);
+        }));
+    });
+    describe('when in an environment that supports SubtleCrypto', () => {
+        it('automatically uses the subtle crypto library', () => {
+            // tslint:disable-next-line
+            expect(signatureProvider['cryptoProvider']).toBeInstanceOf(SubtleCryptoProvider_1.SubtleCryptoProvider);
+        });
+    });
+});

package/lib/common/crypto/SubtleCryptoProvider.d.ts

@@ -0,0 +1,15 @@
+import { CryptoProvider } from './CryptoProvider';
+/**
+ * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.
+ *
+ * This only supports asynchronous operations.
+ */
+export declare class SubtleCryptoProvider extends CryptoProvider {
+    subtleCrypto: SubtleCrypto;
+    constructor(subtleCrypto?: SubtleCrypto);
+    computeHMACSignature(_payload: string, _secret: string): string;
+    /** @override */
+    computeHMACSignatureAsync(payload: string, secret: string): Promise<string>;
+    /** @override */
+    secureCompare(stringA: string, stringB: string): Promise<boolean>;
+}

package/lib/common/crypto/SubtleCryptoProvider.js

@@ -0,0 +1,75 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SubtleCryptoProvider = void 0;
+const CryptoProvider_1 = require("./CryptoProvider");
+/**
+ * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.
+ *
+ * This only supports asynchronous operations.
+ */
+class SubtleCryptoProvider extends CryptoProvider_1.CryptoProvider {
+    constructor(subtleCrypto) {
+        super();
+        // If no subtle crypto is interface, default to the global namespace. This
+        // is to allow custom interfaces (eg. using the Node webcrypto interface in
+        // tests).
+        this.subtleCrypto = subtleCrypto || crypto.subtle;
+    }
+    computeHMACSignature(_payload, _secret) {
+        throw new Error('SubleCryptoProvider cannot be used in a synchronous context.');
+    }
+    /** @override */
+    computeHMACSignatureAsync(payload, secret) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const encoder = new TextEncoder();
+            const key = yield this.subtleCrypto.importKey('raw', encoder.encode(secret), {
+                name: 'HMAC',
+                hash: { name: 'SHA-256' },
+            }, false, ['sign']);
+            const signatureBuffer = yield this.subtleCrypto.sign('hmac', key, encoder.encode(payload));
+            // crypto.subtle returns the signature in base64 format. This must be
+            // encoded in hex to match the CryptoProvider contract. We map each byte in
+            // the buffer to its corresponding hex octet and then combine into a string.
+            const signatureBytes = new Uint8Array(signatureBuffer);
+            const signatureHexCodes = new Array(signatureBytes.length);
+            for (let i = 0; i < signatureBytes.length; i++) {
+                signatureHexCodes[i] = byteHexMapping[signatureBytes[i]];
+            }
+            return signatureHexCodes.join('');
+        });
+    }
+    /** @override */
+    secureCompare(stringA, stringB) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const bufferA = this.encoder.encode(stringA);
+            const bufferB = this.encoder.encode(stringB);
+            if (bufferA.length !== bufferB.length) {
+                return false;
+            }
+            const algorithm = { name: 'HMAC', hash: 'SHA-256' };
+            const key = (yield crypto.subtle.generateKey(algorithm, false, [
+                'sign',
+                'verify',
+            ]));
+            const hmac = yield crypto.subtle.sign(algorithm, key, bufferA);
+            const equal = yield crypto.subtle.verify(algorithm, key, hmac, bufferB);
+            return equal;
+        });
+    }
+}
+exports.SubtleCryptoProvider = SubtleCryptoProvider;
+// Cached mapping of byte to hex representation. We do this once to avoid re-
+// computing every time we need to convert the result of a signature to hex.
+const byteHexMapping = new Array(256);
+for (let i = 0; i < byteHexMapping.length; i++) {
+    byteHexMapping[i] = i.toString(16).padStart(2, '0');
+}

package/lib/common/crypto/index.d.ts

@@ -0,0 +1,4 @@
+export * from './NodeCryptoProvider';
+export * from './SubtleCryptoProvider';
+export * from './CryptoProvider';
+export * from './SignatureProvider';