n8n-nodes-lemonsqueezy 0.2.0 → 0.5.0

package/README.md

@@ -2,6 +2,7 @@
 
 [![npm version](https://img.shields.io/npm/v/n8n-nodes-lemonsqueezy.svg)](https://www.npmjs.com/package/n8n-nodes-lemonsqueezy)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![CI](https://github.com/janmaaarc/n8n-nodes-lemonsqueezy/actions/workflows/ci.yml/badge.svg)](https://github.com/janmaaarc/n8n-nodes-lemonsqueezy/actions/workflows/ci.yml)
 
 An [n8n](https://n8n.io/) community node for [Lemon Squeezy](https://lemonsqueezy.com) - a platform for selling digital products, subscriptions, and software licenses.
 
@@ -12,7 +13,11 @@ An [n8n](https://n8n.io/) community node for [Lemon Squeezy](https://lemonsqueez
 - **License Key Management** - Validate, activate, and deactivate license keys
 - **Checkout Links** - Create dynamic checkout URLs with custom options
 - **Rate Limiting** - Built-in retry logic with exponential backoff
+- **Input Validation** - RFC 5322 compliant email validation, secure URL validation (blocks internal networks)
+- **Detailed Error Messages** - Descriptive error messages with field-level details
 - **Type Safety** - Full TypeScript support with comprehensive type definitions
+- **Advanced Query Options** - Sorting and relationship expansion for "Get Many" operations
+- **Security Hardened** - Mandatory webhook signature verification with replay attack protection
 
 ## Installation
 
@@ -51,11 +56,17 @@ The main node for interacting with the Lemon Squeezy API.
 | **Checkout** | Create, Get, Get Many |
 | **Customer** | Create, Update, Delete, Get, Get Many |
 | **Discount** | Create, Delete, Get, Get Many |
+| **Discount Redemption** | Get, Get Many |
 | **License Key** | Get, Get Many, Update, Validate, Activate, Deactivate |
+| **License Key Instance** | Get, Get Many |
 | **Order** | Get, Get Many, Refund |
+| **Order Item** | Get, Get Many |
 | **Product** | Get, Get Many |
 | **Store** | Get, Get Many |
 | **Subscription** | Get, Get Many, Update, Cancel, Resume |
+| **Subscription Invoice** | Get, Get Many |
+| **Usage Record** | Get, Get Many |
+| **User** | Get Current |
 | **Variant** | Get, Get Many |
 | **Webhook** | Create, Update, Delete, Get, Get Many |
 
@@ -129,19 +140,87 @@ Most "Get Many" operations support filtering:
 | Filter | Description | Available On |
 |--------|-------------|--------------|
 | `storeId` | Filter by store | All resources |
-| `status` | Filter by status | Orders, Subscriptions, Customers, License Keys |
+| `status` | Filter by status | Orders, Subscriptions, Customers, License Keys, Subscription Invoices |
 | `email` | Filter by email | Orders, Customers |
-| `productId` | Filter by product | Subscriptions, License Keys, Variants |
-| `variantId` | Filter by variant | Subscriptions, Checkouts |
-| `orderId` | Filter by order | Subscriptions, License Keys |
+| `productId` | Filter by product | Subscriptions, License Keys, Variants, Order Items |
+| `variantId` | Filter by variant | Subscriptions, Checkouts, Order Items |
+| `orderId` | Filter by order | Subscriptions, License Keys, Order Items, Discount Redemptions |
+| `subscriptionId` | Filter by subscription | Subscription Invoices |
+| `licenseKeyId` | Filter by license key | License Key Instances |
+| `discountId` | Filter by discount | Discount Redemptions |
+
+## Advanced Options
+
+"Get Many" operations support advanced query options for sorting and including related resources.
+
+### Sorting
+
+Sort results by any of the following fields:
+
+| Sort Field | Description |
+|------------|-------------|
+| `created_at` | Sort by creation date |
+| `updated_at` | Sort by last update date |
+
+Choose ascending or descending order.
+
+### Relationship Expansion
+
+Include related resources in a single request to reduce API calls:
+
+| Resource | Available Relationships |
+|----------|------------------------|
+| **Order** | store, customer, order-items, subscriptions, license-keys, discount-redemptions |
+| **Subscription** | store, customer, order, order-item, product, variant |
+| **Customer** | store, orders, subscriptions, license-keys |
+| **License Key** | store, customer, order, order-item, product, license-key-instances |
+| **Product** | store, variants |
+| **Variant** | product, files |
+| **Checkout** | store, variant |
+| **Discount** | store, discount-redemptions |
+
+**Example:** When fetching orders, include `customer` and `order-items` to get all related data in one request.
+
+## Security
+
+### Webhook Security
+
+The webhook trigger includes built-in security features:
+
+- **Mandatory Signature Verification** - All webhooks are verified using HMAC-SHA256 signatures
+- **Replay Attack Protection** - Events older than the configured threshold (default: 5 minutes) are rejected
+- **Configurable Event Age** - Set `Max Event Age (Minutes)` option (0 to disable)
+
+### Input Validation
+
+- **Email Validation** - RFC 5322 compliant validation
+- **URL Validation** - Blocks internal/private network URLs to prevent SSRF attacks:
+  - localhost, 127.0.0.1, 0.0.0.0
+  - Private ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
+  - Link-local: 169.254.x.x (AWS metadata endpoint)
+  - Only allows http:// and https:// protocols
 
 ## Error Handling
 
-The node includes built-in error handling:
+The node includes built-in error handling with detailed messages:
 
 - **Rate Limiting**: Automatically waits and retries when rate limited (429 errors)
 - **Retry Logic**: Retries failed requests with exponential backoff for 5xx errors
 - **Continue on Fail**: Enable to process remaining items even if some fail
+- **Detailed Errors**: Field-level error details for validation failures
+
+### Error Code Reference
+
+| Status Code | Description |
+|-------------|-------------|
+| 400 | Bad Request - Invalid or malformed request |
+| 401 | Unauthorized - Invalid or missing API key |
+| 403 | Forbidden - No permission to access resource |
+| 404 | Not Found - Resource does not exist |
+| 409 | Conflict - Resource already exists |
+| 422 | Unprocessable Entity - Invalid request data |
+| 429 | Rate Limited - Too many requests |
+| 500+ | Server Error - Something went wrong on the server |
 
 ## Troubleshooting
 
@@ -166,11 +245,28 @@ The node includes built-in error handling:
 
 ### Rate Limiting Issues
 
-The node handles rate limiting automatically, but if you're hitting limits frequently:
+The node handles rate limiting automatically with the following defaults:
+
+| Setting | Value | Description |
+|---------|-------|-------------|
+| Max Retries | 3 | Maximum retry attempts for failed requests |
+| Retry Delay | 1 second | Initial delay between retries (exponential backoff) |
+| Rate Limit Wait | 60 seconds | Wait time when rate limited (429 response) |
+
+If you're hitting rate limits frequently:
 
 1. Reduce the frequency of API calls
 2. Use "Return All" sparingly for large datasets
 3. Consider caching responses where appropriate
+4. Space out bulk operations with delays
+
+### Validation Errors
+
+If you receive validation errors:
+
+1. Check email fields contain valid email addresses
+2. Verify URLs are complete (including https://)
+3. Ensure dates are in ISO 8601 format (e.g., 2024-01-15T10:30:00Z)
 
 ## Development
 
@@ -184,11 +280,17 @@ npm run build
 # Run tests
 npm test
 
+# Run tests with coverage
+npm run test:coverage
+
 # Run linter
 npm run lint
 
 # Format code
 npm run format
+
+# Type check
+npm run typecheck
 ```
 
 ## Contributing
@@ -207,6 +309,68 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 - [n8n Community Nodes Documentation](https://docs.n8n.io/integrations/community-nodes/)
 - [n8n Community Forum](https://community.n8n.io/)
 
+## Changelog
+
+### v0.5.0
+
+**Security & Stability Improvements:**
+- Mandatory webhook signature verification (removed option to disable)
+- Added replay attack protection with configurable event age threshold
+- Improved email validation using RFC 5322 compliant regex
+- Enhanced URL validation to block internal/private network URLs (SSRF protection)
+- IPv6 localhost blocking (`[::1]`) for complete SSRF protection
+- Fixed silent error catching - all errors now logged for debugging
+- Added proper null checks and type safety for custom data handling
+
+**New Features:**
+- Added sorting support (created_at, updated_at) for "Get Many" operations
+- Added relationship expansion (include) for fetching related resources in single requests
+- Advanced options available for: Order, Subscription, Customer, License Key, Product, Variant, Checkout, Discount
+- Added pagination timeout protection (default: 5 minutes) to prevent long-running requests
+- Added maxItems limit support for memory optimization on large datasets
+
+**Code Quality:**
+- Added comprehensive JSDoc documentation to all helper functions
+- Created shared field generators to reduce code duplication
+- Added TypeScript types for webhooks, errors, and pagination (WebhookMeta, ApiError, PaginationOptions)
+- Improved type safety throughout the codebase
+
+**Documentation:**
+- Added SECURITY.md with security policy and vulnerability reporting guidelines
+- Added CONTRIBUTING.md with development setup and contribution guidelines
+
+**Test Coverage:**
+- Expanded test suite from 132 to 176 tests (+33%)
+- Added tests for retry logic helpers (sleep, isRateLimitError, isRetryableError)
+- Added webhook signature edge case tests (unicode, long payloads, special characters)
+- Added shared resource options tests
+- Added input validation edge case tests
+- Overall coverage improved to 87%+ statements
+
+### v0.4.0
+
+- Added User resource for fetching authenticated user information (`getCurrent` operation)
+- Expanded test suite to 130 tests with 85%+ statement coverage
+- Added comprehensive tests for credentials, node descriptions, and helpers
+- Fixed TypeScript strict mode warnings in test files
+- Updated coverage thresholds to 70%
+
+### v0.3.0
+
+- Added new resources: Order Items, Subscription Invoices, License Key Instances, Discount Redemptions, Usage Records
+- Added input validation for emails, URLs, and dates
+- Improved error messages with field-level details
+- Added advanced filtering with sorting support
+- Added relationship expansion helpers
+- Added security audit in CI pipeline
+- Added coverage reporting with lcov output
+
+### v0.2.0
+
+- Initial release with full Lemon Squeezy API support
+- Webhook trigger node
+- Rate limiting and retry logic
+
 ## License
 
 [MIT](LICENSE)

package/dist/nodes/LemonSqueezy/LemonSqueezy.node.js

@@ -83,12 +83,27 @@ async function handleCreate(ctx, resource, itemIndex) {
         if (additionalOptions.receiptThankYouNote) {
             productOptions.receipt_thank_you_note = additionalOptions.receiptThankYouNote;
         }
-        if (additionalOptions.customData) {
-            try {
-                checkoutData.custom = JSON.parse(additionalOptions.customData);
+        if (additionalOptions.customData !== undefined && additionalOptions.customData !== null) {
+            const customDataValue = additionalOptions.customData;
+            if (typeof customDataValue === 'string') {
+                try {
+                    const parsed = JSON.parse(customDataValue);
+                    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+                        checkoutData.custom = parsed;
+                    }
+                    else {
+                        throw new Error('customData must be a valid JSON object');
+                    }
+                }
+                catch (error) {
+                    throw new Error(`Invalid customData: ${error instanceof Error ? error.message : 'must be valid JSON object'}`);
+                }
+            }
+            else if (typeof customDataValue === 'object' && !Array.isArray(customDataValue)) {
+                checkoutData.custom = customDataValue;
             }
-            catch {
-                checkoutData.custom = additionalOptions.customData;
+            else {
+                throw new Error('customData must be a JSON string or object');
             }
         }
         if (additionalOptions.expiresAt) {
@@ -279,7 +294,21 @@ class LemonSqueezy {
                 else if (operation === 'getAll') {
                     const returnAll = this.getNodeParameter('returnAll', i);
                     const filters = this.getNodeParameter('filters', i, {});
+                    const advancedOptions = this.getNodeParameter('advancedOptions', i, {});
                     const qs = (0, helpers_1.buildFilterParams)(filters);
+                    // Apply sorting if specified
+                    if (advancedOptions.sortField) {
+                        const sortDirection = advancedOptions.sortDirection || 'desc';
+                        const sortPrefix = sortDirection === 'desc' ? '-' : '';
+                        qs.sort = `${sortPrefix}${advancedOptions.sortField}`;
+                    }
+                    // Apply relationship expansion if specified
+                    if (advancedOptions.include && Array.isArray(advancedOptions.include)) {
+                        const includes = advancedOptions.include;
+                        if (includes.length > 0) {
+                            qs.include = includes.join(',');
+                        }
+                    }
                     if (returnAll) {
                         responseData = await helpers_1.lemonSqueezyApiRequestAllItems.call(this, 'GET', `/${endpoint}`, qs);
                     }
@@ -338,6 +367,9 @@ class LemonSqueezy {
                         });
                     }
                 }
+                else if (resource === 'user' && operation === 'getCurrent') {
+                    responseData = await helpers_1.lemonSqueezyApiRequest.call(this, 'GET', '/users/me');
+                }
                 const executionData = this.helpers.constructExecutionMetaData(this.helpers.returnJsonArray(responseData), { itemData: { item: i } });
                 returnData.push(...executionData);
             }

package/dist/nodes/LemonSqueezy/LemonSqueezyTrigger.node.js

@@ -74,11 +74,11 @@ class LemonSqueezyTrigger {
                             description: 'Whether to only receive test mode events',
                         },
                         {
-                            displayName: 'Verify Signature',
-                            name: 'verifySignature',
-                            type: 'boolean',
-                            default: true,
-                            description: 'Whether to verify the webhook signature (recommended)',
+                            displayName: 'Max Event Age (Minutes)',
+                            name: 'maxEventAgeMinutes',
+                            type: 'number',
+                            default: 5,
+                            description: 'Maximum age of webhook events in minutes. Events older than this will be rejected to prevent replay attacks. Set to 0 to disable.',
                         },
                     ],
                 },
@@ -97,8 +97,11 @@ class LemonSqueezyTrigger {
                             await helpers_1.lemonSqueezyApiRequest.call(this, 'GET', `/webhooks/${String(webhookData.webhookId)}`);
                             return true;
                         }
-                        catch {
-                            // Webhook doesn't exist anymore
+                        catch (error) {
+                            // Webhook doesn't exist anymore or API error occurred
+                            // Log for debugging but don't fail - we'll recreate the webhook
+                            // eslint-disable-next-line no-console
+                            console.debug(`Webhook ${String(webhookData.webhookId)} check failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
                             delete webhookData.webhookId;
                             return false;
                         }
@@ -118,8 +121,11 @@ class LemonSqueezyTrigger {
                             }
                         }
                     }
-                    catch {
-                        // Error checking webhooks, assume doesn't exist
+                    catch (error) {
+                        // Error checking webhooks - log for debugging
+                        // This could indicate API issues, but we'll try to create a new webhook
+                        // eslint-disable-next-line no-console
+                        console.debug(`Error checking existing webhooks: ${error instanceof Error ? error.message : 'Unknown error'}`);
                     }
                     return false;
                 },
@@ -164,8 +170,11 @@ class LemonSqueezyTrigger {
                         try {
                             await helpers_1.lemonSqueezyApiRequest.call(this, 'DELETE', `/webhooks/${String(webhookData.webhookId)}`);
                         }
-                        catch {
-                            // Webhook might already be deleted
+                        catch (error) {
+                            // Webhook might already be deleted or API error
+                            // Log for debugging but don't fail - we're cleaning up anyway
+                            // eslint-disable-next-line no-console
+                            console.debug(`Webhook ${String(webhookData.webhookId)} deletion failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
                         }
                         delete webhookData.webhookId;
                     }
@@ -177,32 +186,68 @@ class LemonSqueezyTrigger {
     async webhook() {
         const options = this.getNodeParameter('options');
         const webhookSecret = this.getNodeParameter('webhookSecret');
-        // Verify signature if enabled
-        if (options.verifySignature !== false) {
-            const signature = this.getHeaderData()['x-signature'];
-            if (!signature) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Missing signature header' },
-                    },
-                };
-            }
-            const bodyData = this.getBodyData();
-            const rawBody = JSON.stringify(bodyData);
-            const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
-            if (!isValid) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Invalid signature' },
-                    },
-                };
-            }
+        // Always verify signature - this is a security requirement
+        const signature = this.getHeaderData()['x-signature'];
+        if (!signature) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Missing signature header' },
+                },
+            };
+        }
+        const bodyData = this.getBodyData();
+        const rawBody = JSON.stringify(bodyData);
+        const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
+        if (!isValid) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Invalid signature' },
+                },
+            };
         }
         const body = this.getBodyData();
         const meta = body.meta;
         const eventName = meta === null || meta === void 0 ? void 0 : meta.event_name;
+        // Replay attack protection: check event timestamp
+        const maxEventAgeMinutes = typeof options.maxEventAgeMinutes === 'number' ? options.maxEventAgeMinutes : 5;
+        if (maxEventAgeMinutes > 0 && (meta === null || meta === void 0 ? void 0 : meta.custom_data)) {
+            const customData = meta.custom_data;
+            const eventTimestamp = customData.event_created_at;
+            if (eventTimestamp) {
+                const eventTime = new Date(eventTimestamp).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
+        // Also check the created_at field in the data payload if available
+        if (maxEventAgeMinutes > 0) {
+            const data = body.data;
+            const attributes = data === null || data === void 0 ? void 0 : data.attributes;
+            const createdAt = attributes === null || attributes === void 0 ? void 0 : attributes.created_at;
+            if (createdAt) {
+                const eventTime = new Date(createdAt).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
         // Check if we should process this event
         const subscribedEvents = this.getNodeParameter('events');
         if (!eventName || !subscribedEvents.includes(eventName)) {

package/dist/nodes/LemonSqueezy/constants.js

@@ -15,15 +15,20 @@ exports.RATE_LIMIT_DELAY_MS = 60000;
 exports.RESOURCE_ENDPOINTS = {
     product: 'products',
     order: 'orders',
+    orderItem: 'order-items',
     subscription: 'subscriptions',
+    subscriptionInvoice: 'subscription-invoices',
     customer: 'customers',
     licenseKey: 'license-keys',
+    licenseKeyInstance: 'license-key-instances',
     discount: 'discounts',
+    discountRedemption: 'discount-redemptions',
     store: 'stores',
     variant: 'variants',
     checkout: 'checkouts',
     webhook: 'webhooks',
-    licenseKeyInstance: 'license-key-instances',
+    usageRecord: 'usage-records',
+    user: 'users',
 };
 /**
  * Resource to ID parameter mapping
@@ -31,15 +36,19 @@ exports.RESOURCE_ENDPOINTS = {
 exports.RESOURCE_ID_PARAMS = {
     product: 'productId',
     order: 'orderId',
+    orderItem: 'orderItemId',
     subscription: 'subscriptionId',
+    subscriptionInvoice: 'subscriptionInvoiceId',
     customer: 'customerId',
     licenseKey: 'licenseKeyId',
+    licenseKeyInstance: 'licenseKeyInstanceId',
     discount: 'discountId',
+    discountRedemption: 'discountRedemptionId',
     store: 'storeId',
     variant: 'variantId',
     checkout: 'checkoutId',
     webhook: 'webhookId',
-    licenseKeyInstance: 'licenseKeyInstanceId',
+    usageRecord: 'usageRecordId',
 };
 /**
  * Webhook event types with descriptions