mastercontroller 1.3.7 → 1.3.9

package/.claude/settings.local.json

@@ -13,7 +13,10 @@
       "Bash(node test-circular-dependency.js:*)",
       "Bash(/tmp/verify_fix.sh)",
       "Bash(node test-v1.3.4-fixes.js:*)",
-      "Bash(npm install)"
+      "Bash(npm install)",
+      "Bash(node test-json-empty-body.js)",
+      "Bash(npm install:*)",
+      "Bash(node test-raw-body-preservation.js:*)"
     ],
     "deny": [],
     "ask": []

package/MasterRequest.js

@@ -290,6 +290,8 @@ class MasterRequest{
 
           buffer += decoder.end();
           var buff = qs.parse(buffer);
+          // Preserve raw body for signature verification
+          buff._rawBody = buffer;
           func(buff);
       });
 
@@ -335,8 +337,18 @@ class MasterRequest{
       request.on('end', () => {
             if (errorOccurred) return;
 
+            // Handle empty body (GET requests, etc.)
+            if (buffer.trim() === '') {
+                func({});
+                return;
+            }
+
             try {
                 var buff = JSON.parse(buffer);
+                // IMPORTANT: Preserve raw body for webhook signature verification
+                // Many webhook providers (Stripe, GitHub, Shopify, etc.) require the
+                // exact raw body string to verify HMAC signatures
+                buff._rawBody = buffer;
                 func(buff);
             } catch (e) {
                 // Security: Don't fallback to qs.parse to avoid prototype pollution

package/log/mastercontroller.log

@@ -0,0 +1,2 @@
+{"timestamp":"2026-01-16T04:37:33.476Z","sessionId":"1768538253474-z0w973cmg","level":"INFO","code":"MC_INFO_FRAMEWORK_START","message":"MasterController framework initializing","component":null,"file":null,"line":null,"route":null,"context":{"version":"1.0.247","nodeVersion":"v20.19.4","platform":"darwin","env":"development"},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46104576,"heapTotal":10027008,"heapUsed":5720488,"external":2111800,"arrayBuffers":65875},"uptime":0.022275917}
+{"timestamp":"2026-01-16T04:37:33.477Z","sessionId":"1768538253474-z0w973cmg","level":"INFO","code":"MC_INFO_SECURITY_INITIALIZED","message":"Security features initialized","component":null,"file":null,"line":null,"route":null,"context":{"environment":"development","features":{"securityHeaders":true,"csp":true,"csrf":true,"rateLimit":true,"sessionSecurity":true}},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46186496,"heapTotal":10027008,"heapUsed":5729744,"external":2111840,"arrayBuffers":65875},"uptime":0.022643334}

package/package.json

@@ -1,10 +1,11 @@
 {
   "dependencies": {
-    "qs" : "^6.14.1",
-    "formidable": "^3.5.4",
+    "content-type": "^1.0.5",
     "cookie": "^1.1.1",
-    "winston": "^3.19.0",
-    "glob" :"^13.0.0"
+    "formidable": "^3.5.4",
+    "glob": "^13.0.0",
+    "qs": "^6.14.1",
+    "winston": "^3.19.0"
   },
   "description": "A class library that makes using the Master Framework a breeze",
   "homepage": "https://github.com/Tailor/MasterController#readme",
@@ -18,5 +19,5 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
-  "version": "1.3.7"
-}
+  "version": "1.3.9"
+}

package/test-json-empty-body.js

@@ -0,0 +1,76 @@
+// Test for JSON parsing bug fix - empty body on GET requests
+
+const http = require('http');
+const EventEmitter = require('events');
+
+console.log('🧪 Testing MasterRequest jsonStream with empty body...\n');
+
+// Load MasterRequest
+const { MasterRequest } = require('./MasterRequest');
+
+// Create mock request with empty body (simulates GET request)
+class MockRequest extends EventEmitter {
+  constructor() {
+    super();
+    this.headers = {
+      'content-type': 'application/json'
+    };
+  }
+
+  simulateEmptyBody() {
+    // Simulate empty body - no data events, just end
+    setImmediate(() => {
+      this.emit('end');
+    });
+  }
+}
+
+// Test 1: Empty body should not throw error
+console.log('Test 1: Empty body (GET request scenario)...');
+const masterRequest1 = new MasterRequest();
+masterRequest1.init({ maxJsonSize: 1024 * 1024 });
+const mockReq1 = new MockRequest();
+
+masterRequest1.jsonStream(mockReq1, (result) => {
+  if (result && typeof result === 'object' && !result.error) {
+    console.log('✅ Empty body handled correctly');
+    console.log('   Result:', JSON.stringify(result));
+
+    // Test 2: Valid JSON body
+    console.log('\nTest 2: Valid JSON body...');
+    const masterRequest2 = new MasterRequest();
+    masterRequest2.init({ maxJsonSize: 1024 * 1024 });
+    const mockReq2 = new MockRequest();
+
+    masterRequest2.jsonStream(mockReq2, (result) => {
+      if (result && result.name === 'test' && result.value === 123) {
+        console.log('✅ Valid JSON parsed correctly');
+        console.log('   Result:', JSON.stringify(result));
+
+        console.log('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('✨ ALL TESTS PASSED');
+        console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+        console.log('\nFix verified:');
+        console.log('✅ Empty body returns {} instead of throwing error');
+        console.log('✅ Valid JSON still parses correctly');
+        console.log('✅ No more "Unexpected end of JSON input" errors on GET requests');
+      } else {
+        console.log('❌ Valid JSON parsing failed');
+        console.log('   Result:', JSON.stringify(result));
+      }
+    });
+
+    // Simulate valid JSON body
+    setImmediate(() => {
+      mockReq2.emit('data', Buffer.from('{"name":"test","value":123}'));
+      mockReq2.emit('end');
+    });
+
+  } else {
+    console.log('❌ Empty body test failed');
+    console.log('   Result:', JSON.stringify(result));
+  }
+});
+
+// Start test
+mockReq1.simulateEmptyBody();

package/test-raw-body-preservation.js

@@ -0,0 +1,128 @@
+// Test for raw body preservation - Critical for webhook signature verification
+
+const crypto = require('crypto');
+const EventEmitter = require('events');
+const { MasterRequest } = require('./MasterRequest');
+
+console.log('🧪 Testing Raw Body Preservation for Webhook Signatures...\n');
+
+// Mock request
+class MockRequest extends EventEmitter {
+  constructor(contentType) {
+    super();
+    this.headers = { 'content-type': contentType };
+  }
+
+  sendData(data) {
+    setImmediate(() => {
+      if (Array.isArray(data)) {
+        data.forEach(chunk => this.emit('data', Buffer.from(chunk)));
+      } else {
+        this.emit('data', Buffer.from(data));
+      }
+      this.emit('end');
+    });
+  }
+}
+
+// Test 1: JSON body with raw preservation
+console.log('Test 1: JSON body preserves raw string...');
+const masterReq1 = new MasterRequest();
+masterReq1.init({ maxJsonSize: 1024 * 1024 });
+const mockReq1 = new MockRequest('application/json');
+
+const testPayload = '{"event":"payment.success","amount":1000,"currency":"USD"}';
+
+masterReq1.jsonStream(mockReq1, (result) => {
+  if (result._rawBody === testPayload) {
+    console.log('✅ Raw body preserved correctly');
+    console.log('   Parsed:', JSON.stringify(result));
+    console.log('   Raw:', result._rawBody);
+
+    // Test 2: Verify webhook signature (Stripe-style HMAC)
+    console.log('\nTest 2: Webhook signature verification...');
+    const secret = 'webhook_secret_key';
+    const signature = crypto
+      .createHmac('sha256', secret)
+      .update(result._rawBody)
+      .digest('hex');
+
+    // Verify signature
+    const verifySignature = crypto
+      .createHmac('sha256', secret)
+      .update(result._rawBody)
+      .digest('hex');
+
+    if (signature === verifySignature) {
+      console.log('✅ Webhook signature verified successfully');
+      console.log('   Signature:', signature.substring(0, 20) + '...');
+
+      // Test 3: URL-encoded body
+      console.log('\nTest 3: URL-encoded body preserves raw string...');
+      const masterReq3 = new MasterRequest();
+      masterReq3.init({ maxBodySize: 1024 * 1024 });
+      const mockReq3 = new MockRequest('application/x-www-form-urlencoded');
+
+      const formData = 'name=John+Doe&email=john%40example.com&amount=100';
+
+      masterReq3.urlEncodeStream(mockReq3, (result) => {
+        if (result._rawBody === formData) {
+          console.log('✅ URL-encoded raw body preserved');
+          console.log('   Parsed:', JSON.stringify(result));
+          console.log('   Raw:', result._rawBody);
+
+          // Test 4: Chunked JSON (simulates streaming)
+          console.log('\nTest 4: Chunked data reassembly...');
+          const masterReq4 = new MasterRequest();
+          masterReq4.init({ maxJsonSize: 1024 * 1024 });
+          const mockReq4 = new MockRequest('application/json');
+
+          const chunks = ['{"big":"', 'payload","with":', '"multiple","chunks":', '123}'];
+          const fullPayload = chunks.join('');
+
+          masterReq4.jsonStream(mockReq4, (result) => {
+            if (result._rawBody === fullPayload) {
+              console.log('✅ Chunked data reassembled correctly');
+              console.log('   Chunks sent:', chunks.length);
+              console.log('   Raw body length:', result._rawBody.length);
+              console.log('   Parsed:', JSON.stringify(result));
+
+              console.log('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+              console.log('✨ ALL TESTS PASSED - Raw Body Preservation Works!');
+              console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━');
+              console.log('\nUse Cases Enabled:');
+              console.log('✅ Stripe webhook signature verification');
+              console.log('✅ GitHub webhook signature verification');
+              console.log('✅ Shopify HMAC verification');
+              console.log('✅ PayPal IPN verification');
+              console.log('✅ Any cryptographic signature verification');
+              console.log('✅ Content hashing (MD5, SHA256)');
+              console.log('✅ Audit logging of exact payloads');
+              console.log('\nAccess raw body: request.body._rawBody');
+            } else {
+              console.log('❌ Chunked data test failed');
+              console.log('   Expected:', fullPayload);
+              console.log('   Got:', result._rawBody);
+            }
+          });
+
+          mockReq4.sendData(chunks);
+        } else {
+          console.log('❌ URL-encoded raw body test failed');
+          console.log('   Expected:', formData);
+          console.log('   Got:', result._rawBody);
+        }
+      });
+
+      mockReq3.sendData(formData);
+    } else {
+      console.log('❌ Signature verification failed');
+    }
+  } else {
+    console.log('❌ Raw body preservation failed');
+    console.log('   Expected:', testPayload);
+    console.log('   Got:', result._rawBody);
+  }
+});
+
+mockReq1.sendData(testPayload);