n8n-nodes-lemonsqueezy 0.4.0 → 0.5.0

package/README.md

@@ -13,9 +13,11 @@ An [n8n](https://n8n.io/) community node for [Lemon Squeezy](https://lemonsqueez
 - **License Key Management** - Validate, activate, and deactivate license keys
 - **Checkout Links** - Create dynamic checkout URLs with custom options
 - **Rate Limiting** - Built-in retry logic with exponential backoff
-- **Input Validation** - Email, URL, and date format validation
+- **Input Validation** - RFC 5322 compliant email validation, secure URL validation (blocks internal networks)
 - **Detailed Error Messages** - Descriptive error messages with field-level details
 - **Type Safety** - Full TypeScript support with comprehensive type definitions
+- **Advanced Query Options** - Sorting and relationship expansion for "Get Many" operations
+- **Security Hardened** - Mandatory webhook signature verification with replay attack protection
 
 ## Installation
 
@@ -147,6 +149,57 @@ Most "Get Many" operations support filtering:
 | `licenseKeyId` | Filter by license key | License Key Instances |
 | `discountId` | Filter by discount | Discount Redemptions |
 
+## Advanced Options
+
+"Get Many" operations support advanced query options for sorting and including related resources.
+
+### Sorting
+
+Sort results by any of the following fields:
+
+| Sort Field | Description |
+|------------|-------------|
+| `created_at` | Sort by creation date |
+| `updated_at` | Sort by last update date |
+
+Choose ascending or descending order.
+
+### Relationship Expansion
+
+Include related resources in a single request to reduce API calls:
+
+| Resource | Available Relationships |
+|----------|------------------------|
+| **Order** | store, customer, order-items, subscriptions, license-keys, discount-redemptions |
+| **Subscription** | store, customer, order, order-item, product, variant |
+| **Customer** | store, orders, subscriptions, license-keys |
+| **License Key** | store, customer, order, order-item, product, license-key-instances |
+| **Product** | store, variants |
+| **Variant** | product, files |
+| **Checkout** | store, variant |
+| **Discount** | store, discount-redemptions |
+
+**Example:** When fetching orders, include `customer` and `order-items` to get all related data in one request.
+
+## Security
+
+### Webhook Security
+
+The webhook trigger includes built-in security features:
+
+- **Mandatory Signature Verification** - All webhooks are verified using HMAC-SHA256 signatures
+- **Replay Attack Protection** - Events older than the configured threshold (default: 5 minutes) are rejected
+- **Configurable Event Age** - Set `Max Event Age (Minutes)` option (0 to disable)
+
+### Input Validation
+
+- **Email Validation** - RFC 5322 compliant validation
+- **URL Validation** - Blocks internal/private network URLs to prevent SSRF attacks:
+  - localhost, 127.0.0.1, 0.0.0.0
+  - Private ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
+  - Link-local: 169.254.x.x (AWS metadata endpoint)
+  - Only allows http:// and https:// protocols
+
 ## Error Handling
 
 The node includes built-in error handling with detailed messages:
@@ -258,6 +311,42 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 ## Changelog
 
+### v0.5.0
+
+**Security & Stability Improvements:**
+- Mandatory webhook signature verification (removed option to disable)
+- Added replay attack protection with configurable event age threshold
+- Improved email validation using RFC 5322 compliant regex
+- Enhanced URL validation to block internal/private network URLs (SSRF protection)
+- IPv6 localhost blocking (`[::1]`) for complete SSRF protection
+- Fixed silent error catching - all errors now logged for debugging
+- Added proper null checks and type safety for custom data handling
+
+**New Features:**
+- Added sorting support (created_at, updated_at) for "Get Many" operations
+- Added relationship expansion (include) for fetching related resources in single requests
+- Advanced options available for: Order, Subscription, Customer, License Key, Product, Variant, Checkout, Discount
+- Added pagination timeout protection (default: 5 minutes) to prevent long-running requests
+- Added maxItems limit support for memory optimization on large datasets
+
+**Code Quality:**
+- Added comprehensive JSDoc documentation to all helper functions
+- Created shared field generators to reduce code duplication
+- Added TypeScript types for webhooks, errors, and pagination (WebhookMeta, ApiError, PaginationOptions)
+- Improved type safety throughout the codebase
+
+**Documentation:**
+- Added SECURITY.md with security policy and vulnerability reporting guidelines
+- Added CONTRIBUTING.md with development setup and contribution guidelines
+
+**Test Coverage:**
+- Expanded test suite from 132 to 176 tests (+33%)
+- Added tests for retry logic helpers (sleep, isRateLimitError, isRetryableError)
+- Added webhook signature edge case tests (unicode, long payloads, special characters)
+- Added shared resource options tests
+- Added input validation edge case tests
+- Overall coverage improved to 87%+ statements
+
 ### v0.4.0
 
 - Added User resource for fetching authenticated user information (`getCurrent` operation)

package/dist/nodes/LemonSqueezy/LemonSqueezy.node.js

@@ -83,12 +83,27 @@ async function handleCreate(ctx, resource, itemIndex) {
         if (additionalOptions.receiptThankYouNote) {
             productOptions.receipt_thank_you_note = additionalOptions.receiptThankYouNote;
         }
-        if (additionalOptions.customData) {
-            try {
-                checkoutData.custom = JSON.parse(additionalOptions.customData);
+        if (additionalOptions.customData !== undefined && additionalOptions.customData !== null) {
+            const customDataValue = additionalOptions.customData;
+            if (typeof customDataValue === 'string') {
+                try {
+                    const parsed = JSON.parse(customDataValue);
+                    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+                        checkoutData.custom = parsed;
+                    }
+                    else {
+                        throw new Error('customData must be a valid JSON object');
+                    }
+                }
+                catch (error) {
+                    throw new Error(`Invalid customData: ${error instanceof Error ? error.message : 'must be valid JSON object'}`);
+                }
+            }
+            else if (typeof customDataValue === 'object' && !Array.isArray(customDataValue)) {
+                checkoutData.custom = customDataValue;
             }
-            catch {
-                checkoutData.custom = additionalOptions.customData;
+            else {
+                throw new Error('customData must be a JSON string or object');
             }
         }
         if (additionalOptions.expiresAt) {
@@ -279,7 +294,21 @@ class LemonSqueezy {
                 else if (operation === 'getAll') {
                     const returnAll = this.getNodeParameter('returnAll', i);
                     const filters = this.getNodeParameter('filters', i, {});
+                    const advancedOptions = this.getNodeParameter('advancedOptions', i, {});
                     const qs = (0, helpers_1.buildFilterParams)(filters);
+                    // Apply sorting if specified
+                    if (advancedOptions.sortField) {
+                        const sortDirection = advancedOptions.sortDirection || 'desc';
+                        const sortPrefix = sortDirection === 'desc' ? '-' : '';
+                        qs.sort = `${sortPrefix}${advancedOptions.sortField}`;
+                    }
+                    // Apply relationship expansion if specified
+                    if (advancedOptions.include && Array.isArray(advancedOptions.include)) {
+                        const includes = advancedOptions.include;
+                        if (includes.length > 0) {
+                            qs.include = includes.join(',');
+                        }
+                    }
                     if (returnAll) {
                         responseData = await helpers_1.lemonSqueezyApiRequestAllItems.call(this, 'GET', `/${endpoint}`, qs);
                     }

package/dist/nodes/LemonSqueezy/LemonSqueezyTrigger.node.js

@@ -74,11 +74,11 @@ class LemonSqueezyTrigger {
                             description: 'Whether to only receive test mode events',
                         },
                         {
-                            displayName: 'Verify Signature',
-                            name: 'verifySignature',
-                            type: 'boolean',
-                            default: true,
-                            description: 'Whether to verify the webhook signature (recommended)',
+                            displayName: 'Max Event Age (Minutes)',
+                            name: 'maxEventAgeMinutes',
+                            type: 'number',
+                            default: 5,
+                            description: 'Maximum age of webhook events in minutes. Events older than this will be rejected to prevent replay attacks. Set to 0 to disable.',
                         },
                     ],
                 },
@@ -97,8 +97,11 @@ class LemonSqueezyTrigger {
                             await helpers_1.lemonSqueezyApiRequest.call(this, 'GET', `/webhooks/${String(webhookData.webhookId)}`);
                             return true;
                         }
-                        catch {
-                            // Webhook doesn't exist anymore
+                        catch (error) {
+                            // Webhook doesn't exist anymore or API error occurred
+                            // Log for debugging but don't fail - we'll recreate the webhook
+                            // eslint-disable-next-line no-console
+                            console.debug(`Webhook ${String(webhookData.webhookId)} check failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
                             delete webhookData.webhookId;
                             return false;
                         }
@@ -118,8 +121,11 @@ class LemonSqueezyTrigger {
                             }
                         }
                     }
-                    catch {
-                        // Error checking webhooks, assume doesn't exist
+                    catch (error) {
+                        // Error checking webhooks - log for debugging
+                        // This could indicate API issues, but we'll try to create a new webhook
+                        // eslint-disable-next-line no-console
+                        console.debug(`Error checking existing webhooks: ${error instanceof Error ? error.message : 'Unknown error'}`);
                     }
                     return false;
                 },
@@ -164,8 +170,11 @@ class LemonSqueezyTrigger {
                         try {
                             await helpers_1.lemonSqueezyApiRequest.call(this, 'DELETE', `/webhooks/${String(webhookData.webhookId)}`);
                         }
-                        catch {
-                            // Webhook might already be deleted
+                        catch (error) {
+                            // Webhook might already be deleted or API error
+                            // Log for debugging but don't fail - we're cleaning up anyway
+                            // eslint-disable-next-line no-console
+                            console.debug(`Webhook ${String(webhookData.webhookId)} deletion failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
                         }
                         delete webhookData.webhookId;
                     }
@@ -177,32 +186,68 @@ class LemonSqueezyTrigger {
     async webhook() {
         const options = this.getNodeParameter('options');
         const webhookSecret = this.getNodeParameter('webhookSecret');
-        // Verify signature if enabled
-        if (options.verifySignature !== false) {
-            const signature = this.getHeaderData()['x-signature'];
-            if (!signature) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Missing signature header' },
-                    },
-                };
-            }
-            const bodyData = this.getBodyData();
-            const rawBody = JSON.stringify(bodyData);
-            const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
-            if (!isValid) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Invalid signature' },
-                    },
-                };
-            }
+        // Always verify signature - this is a security requirement
+        const signature = this.getHeaderData()['x-signature'];
+        if (!signature) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Missing signature header' },
+                },
+            };
+        }
+        const bodyData = this.getBodyData();
+        const rawBody = JSON.stringify(bodyData);
+        const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
+        if (!isValid) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Invalid signature' },
+                },
+            };
         }
         const body = this.getBodyData();
         const meta = body.meta;
         const eventName = meta === null || meta === void 0 ? void 0 : meta.event_name;
+        // Replay attack protection: check event timestamp
+        const maxEventAgeMinutes = typeof options.maxEventAgeMinutes === 'number' ? options.maxEventAgeMinutes : 5;
+        if (maxEventAgeMinutes > 0 && (meta === null || meta === void 0 ? void 0 : meta.custom_data)) {
+            const customData = meta.custom_data;
+            const eventTimestamp = customData.event_created_at;
+            if (eventTimestamp) {
+                const eventTime = new Date(eventTimestamp).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
+        // Also check the created_at field in the data payload if available
+        if (maxEventAgeMinutes > 0) {
+            const data = body.data;
+            const attributes = data === null || data === void 0 ? void 0 : data.attributes;
+            const createdAt = attributes === null || attributes === void 0 ? void 0 : attributes.created_at;
+            if (createdAt) {
+                const eventTime = new Date(createdAt).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
         // Check if we should process this event
         const subscribedEvents = this.getNodeParameter('events');
         if (!eventName || !subscribedEvents.includes(eventName)) {