billsdk 0.3.2 → 0.4.0

package/dist/index.js

@@ -9,6 +9,137 @@ import { z } from 'zod';
 import { getBillingSchema, TABLES } from '@billsdk/core/db';
 
 // src/index.ts
+
+// src/utils/csrf.ts
+var ALGORITHM = "HMAC";
+var HASH = "SHA-256";
+var SEPARATOR = ".";
+var DEFAULT_TTL_SECONDS = 3600;
+async function importKey(secret) {
+  const encoder = new TextEncoder();
+  return crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: ALGORITHM, hash: HASH },
+    false,
+    ["sign", "verify"]
+  );
+}
+function bufferToHex(buffer) {
+  return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBuffer(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+function generateRandom() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return bufferToHex(bytes.buffer);
+}
+async function generateCsrfToken(secret) {
+  const timestamp = Math.floor(Date.now() / 1e3).toString(16);
+  const random = generateRandom();
+  const payload = `${timestamp}${SEPARATOR}${random}`;
+  const key = await importKey(secret);
+  const encoder = new TextEncoder();
+  const signature = await crypto.subtle.sign(
+    ALGORITHM,
+    key,
+    encoder.encode(payload)
+  );
+  return `${payload}${SEPARATOR}${bufferToHex(signature)}`;
+}
+async function verifyCsrfToken(token, secret, ttlSeconds = DEFAULT_TTL_SECONDS) {
+  const lastSep = token.lastIndexOf(SEPARATOR);
+  if (lastSep === -1) return false;
+  const payload = token.slice(0, lastSep);
+  const signatureHex = token.slice(lastSep + 1);
+  if (!payload || !signatureHex) return false;
+  const firstSep = payload.indexOf(SEPARATOR);
+  if (firstSep === -1) return false;
+  const timestampHex = payload.slice(0, firstSep);
+  const timestamp = Number.parseInt(timestampHex, 16);
+  if (Number.isNaN(timestamp)) return false;
+  const nowSeconds = Math.floor(Date.now() / 1e3);
+  if (nowSeconds - timestamp > ttlSeconds) return false;
+  try {
+    const key = await importKey(secret);
+    const encoder = new TextEncoder();
+    const signatureBytes = hexToBuffer(signatureHex);
+    return crypto.subtle.verify(
+      ALGORITHM,
+      key,
+      signatureBytes,
+      encoder.encode(payload)
+    );
+  } catch {
+    return false;
+  }
+}
+function parseCsrfCookie(cookieHeader, cookieName) {
+  if (!cookieHeader) return null;
+  const match = cookieHeader.split(";").map((c) => c.trim()).find((c) => c.startsWith(`${cookieName}=`));
+  return match ? match.slice(cookieName.length + 1) : null;
+}
+function buildCsrfCookieHeader(cookieName, token, secure) {
+  const parts = [
+    `${cookieName}=${token}`,
+    "HttpOnly",
+    "SameSite=Lax",
+    "Path=/",
+    `Max-Age=${DEFAULT_TTL_SECONDS}`
+  ];
+  if (secure) {
+    parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+
+// src/utils/trusted-origins.ts
+function getOrigin(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.origin;
+  } catch {
+    return null;
+  }
+}
+function getHost(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.host;
+  } catch {
+    return null;
+  }
+}
+function wildcardToRegExp(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  const withWildcards = escaped.replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^.]+").replace(/\{\{GLOBSTAR\}\}/g, ".*");
+  return new RegExp(`^${withWildcards}$`);
+}
+function matchesOriginPattern(url, pattern) {
+  if (!url || !pattern) return false;
+  const hasWildcard = pattern.includes("*");
+  if (!hasWildcard) {
+    const urlOrigin = getOrigin(url);
+    return urlOrigin ? pattern === urlOrigin : false;
+  }
+  if (pattern.includes("://")) {
+    const urlOrigin = getOrigin(url);
+    if (!urlOrigin) return false;
+    return wildcardToRegExp(pattern).test(urlOrigin);
+  }
+  const host = getHost(url);
+  if (!host) return false;
+  return wildcardToRegExp(pattern).test(host);
+}
+function matchesAnyOrigin(url, trustedOrigins) {
+  return trustedOrigins.some((pattern) => matchesOriginPattern(url, pattern));
+}
 var createCustomerSchema = z.object({
   externalId: z.string().min(1),
   email: z.string().email(),
@@ -1361,6 +1492,10 @@ var webhookEndpoints = {
 };
 
 // src/api/router.ts
+var CSRF_COOKIE_NAME = "__billsdk_csrf";
+var CSRF_HEADER_NAME = "x-billsdk-csrf";
+var SAFE_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
+var SECURITY_SKIP_PATHS = /* @__PURE__ */ new Set(["/webhook"]);
 function getEndpoints(ctx) {
   const baseEndpoints = {
     ...healthEndpoint,
@@ -1410,12 +1545,134 @@ function jsonResponse(data, status = 200) {
 function errorResponse(code, message, status = 400) {
   return jsonResponse({ error: { code, message } }, status);
 }
+function checkOrigin(request, trustedOrigins) {
+  if (trustedOrigins.length === 0) return null;
+  const origin = request.headers.get("origin") || request.headers.get("referer") || "";
+  if (!origin || origin === "null") {
+    return {
+      error: errorResponse(
+        "INVALID_ORIGIN",
+        "Missing or null Origin header. Add your app's URL to trustedOrigins.",
+        403
+      )
+    };
+  }
+  if (!matchesAnyOrigin(origin, trustedOrigins)) {
+    return {
+      error: errorResponse(
+        "INVALID_ORIGIN",
+        "Origin is not in trustedOrigins. Add it to your billsdk config.",
+        403
+      )
+    };
+  }
+  return null;
+}
+async function checkCsrf(request, secret) {
+  const csrfHeader = request.headers.get(CSRF_HEADER_NAME);
+  if (!csrfHeader) {
+    return {
+      error: errorResponse(
+        "INVALID_CSRF_TOKEN",
+        "Missing CSRF token. The BillSDK client handles this automatically.",
+        403
+      )
+    };
+  }
+  const cookieHeader = request.headers.get("cookie");
+  const csrfCookie = parseCsrfCookie(cookieHeader, CSRF_COOKIE_NAME);
+  if (!csrfCookie) {
+    return {
+      error: errorResponse(
+        "INVALID_CSRF_TOKEN",
+        "Missing CSRF cookie. Ensure credentials are included in requests.",
+        403
+      )
+    };
+  }
+  if (csrfHeader !== csrfCookie) {
+    return {
+      error: errorResponse("INVALID_CSRF_TOKEN", "CSRF token mismatch.", 403)
+    };
+  }
+  const isValid = await verifyCsrfToken(csrfHeader, secret);
+  if (!isValid) {
+    return {
+      error: errorResponse(
+        "INVALID_CSRF_TOKEN",
+        "CSRF token signature invalid.",
+        403
+      )
+    };
+  }
+  return null;
+}
+async function timingSafeEqual(a, b) {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode("billsdk-compare-key"),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const [macA, macB] = await Promise.all([
+    crypto.subtle.sign("HMAC", key, encoder.encode(a)),
+    crypto.subtle.sign("HMAC", key, encoder.encode(b))
+  ]);
+  const viewA = new Uint8Array(macA);
+  const viewB = new Uint8Array(macB);
+  if (viewA.length !== viewB.length) return false;
+  let diff = 0;
+  for (let i = 0; i < viewA.length; i++) {
+    diff |= viewA[i] ^ viewB[i];
+  }
+  return diff === 0;
+}
+async function checkBearerAuth(request, secret) {
+  const authHeader = request.headers.get("authorization");
+  if (!authHeader) return false;
+  const parts = authHeader.trim().split(/\s+/);
+  if (parts.length !== 2) return false;
+  if (parts[0].toLowerCase() !== "bearer") return false;
+  return timingSafeEqual(parts[1], secret);
+}
+async function handleCsrfTokenEndpoint(ctx) {
+  const token = await generateCsrfToken(ctx.secret);
+  const isSecure = typeof globalThis.process !== "undefined" && globalThis.process.env?.NODE_ENV === "production";
+  const cookieHeader = buildCsrfCookieHeader(CSRF_COOKIE_NAME, token, isSecure);
+  return new Response(JSON.stringify({ csrfToken: token }), {
+    status: 200,
+    headers: {
+      "Content-Type": "application/json",
+      "Set-Cookie": cookieHeader
+    }
+  });
+}
 function createRouter(ctx) {
   const endpoints = getEndpoints(ctx);
   const handler = async (request) => {
     const method = request.method.toUpperCase();
     const { path, query } = parseUrl(request.url, ctx.basePath);
     ctx.logger.debug(`${method} ${path}`);
+    if (path === "/csrf-token" && method === "GET") {
+      return handleCsrfTokenEndpoint(ctx);
+    }
+    if (!SAFE_METHODS.has(method) && !SECURITY_SKIP_PATHS.has(path)) {
+      const isBearerAuth = await checkBearerAuth(request, ctx.secret);
+      if (!isBearerAuth) {
+        const originResult = checkOrigin(request, ctx.trustedOrigins);
+        if (originResult) {
+          ctx.logger.warn("Origin check failed", { path });
+          return originResult.error;
+        }
+        const csrfResult = await checkCsrf(request, ctx.secret);
+        if (csrfResult) {
+          ctx.logger.warn("CSRF check failed", { path });
+          return csrfResult.error;
+        }
+      }
+    }
     if (ctx.options.hooks.before) {
       const result = await ctx.options.hooks.before({
         request,
@@ -1855,12 +2112,47 @@ function createLogger(options) {
     }
   };
 }
+function resolveTrustedOrigins(configOrigins) {
+  const origins = [];
+  if (configOrigins) {
+    origins.push(...configOrigins);
+  }
+  const envOrigins = typeof globalThis.process !== "undefined" ? globalThis.process.env?.BILLSDK_TRUSTED_ORIGINS : void 0;
+  if (envOrigins) {
+    origins.push(
+      ...envOrigins.split(",").map((o) => o.trim()).filter(Boolean)
+    );
+  }
+  return origins;
+}
+function resolveSecret(configSecret) {
+  if (configSecret) return configSecret;
+  const envSecret = typeof globalThis.process !== "undefined" ? globalThis.process.env?.BILLSDK_SECRET : void 0;
+  if (envSecret) return envSecret;
+  throw new Error(
+    "[billsdk] Secret is required. Set BILLSDK_SECRET in your environment or pass `secret` to billsdk(). Generate one with: openssl rand -base64 32"
+  );
+}
+function validateSecurity(secret, trustedOrigins, logger) {
+  if (secret.length < 32) {
+    logger.warn(
+      "Secret should be at least 32 characters for adequate security. Generate one with: openssl rand -base64 32"
+    );
+  }
+  const isProduction = typeof globalThis.process !== "undefined" && globalThis.process.env?.NODE_ENV === "production";
+  if (isProduction && trustedOrigins.length === 0) {
+    logger.warn(
+      "No trustedOrigins configured. Set trustedOrigins in your config or BILLSDK_TRUSTED_ORIGINS env var to protect mutating endpoints from cross-site requests."
+    );
+  }
+}
 function resolveOptions(options, adapter) {
   return {
     database: adapter,
     payment: options.payment,
     basePath: options.basePath ?? "/api/billing",
-    secret: options.secret ?? generateDefaultSecret(),
+    secret: resolveSecret(options.secret),
+    trustedOrigins: resolveTrustedOrigins(options.trustedOrigins),
     plans: options.plans,
     features: options.features,
     plugins: options.plugins ?? [],
@@ -1872,9 +2164,6 @@ function resolveOptions(options, adapter) {
     }
   };
 }
-function generateDefaultSecret() {
-  return "billsdk-development-secret-change-in-production";
-}
 async function createBillingContext(adapter, options) {
   const resolvedOptions = resolveOptions(options, adapter);
   const logger = createLogger(options.logger);
@@ -1892,6 +2181,11 @@ async function createBillingContext(adapter, options) {
     options.features ?? [],
     getNow
   );
+  validateSecurity(
+    resolvedOptions.secret,
+    resolvedOptions.trustedOrigins,
+    logger
+  );
   const context = {
     options: resolvedOptions,
     basePath: resolvedOptions.basePath,
@@ -1902,6 +2196,7 @@ async function createBillingContext(adapter, options) {
     plugins,
     logger,
     secret: resolvedOptions.secret,
+    trustedOrigins: resolvedOptions.trustedOrigins,
     timeProvider: createDefaultTimeProvider(),
     hasPlugin(id) {
       return plugins.some((p) => p.id === id);