n8n-nodes-lemonsqueezy 0.4.0 → 0.6.0

package/README.md

@@ -13,9 +13,11 @@ An [n8n](https://n8n.io/) community node for [Lemon Squeezy](https://lemonsqueez
 - **License Key Management** - Validate, activate, and deactivate license keys
 - **Checkout Links** - Create dynamic checkout URLs with custom options
 - **Rate Limiting** - Built-in retry logic with exponential backoff
-- **Input Validation** - Email, URL, and date format validation
+- **Input Validation** - RFC 5322 compliant email validation, secure URL validation (blocks internal networks)
 - **Detailed Error Messages** - Descriptive error messages with field-level details
 - **Type Safety** - Full TypeScript support with comprehensive type definitions
+- **Advanced Query Options** - Sorting and relationship expansion for "Get Many" operations
+- **Security Hardened** - Mandatory webhook signature verification with replay attack protection
 
 ## Installation
 
@@ -147,6 +149,57 @@ Most "Get Many" operations support filtering:
 | `licenseKeyId` | Filter by license key | License Key Instances |
 | `discountId` | Filter by discount | Discount Redemptions |
 
+## Advanced Options
+
+"Get Many" operations support advanced query options for sorting and including related resources.
+
+### Sorting
+
+Sort results by any of the following fields:
+
+| Sort Field | Description |
+|------------|-------------|
+| `created_at` | Sort by creation date |
+| `updated_at` | Sort by last update date |
+
+Choose ascending or descending order.
+
+### Relationship Expansion
+
+Include related resources in a single request to reduce API calls:
+
+| Resource | Available Relationships |
+|----------|------------------------|
+| **Order** | store, customer, order-items, subscriptions, license-keys, discount-redemptions |
+| **Subscription** | store, customer, order, order-item, product, variant |
+| **Customer** | store, orders, subscriptions, license-keys |
+| **License Key** | store, customer, order, order-item, product, license-key-instances |
+| **Product** | store, variants |
+| **Variant** | product, files |
+| **Checkout** | store, variant |
+| **Discount** | store, discount-redemptions |
+
+**Example:** When fetching orders, include `customer` and `order-items` to get all related data in one request.
+
+## Security
+
+### Webhook Security
+
+The webhook trigger includes built-in security features:
+
+- **Mandatory Signature Verification** - All webhooks are verified using HMAC-SHA256 signatures
+- **Replay Attack Protection** - Events older than the configured threshold (default: 5 minutes) are rejected
+- **Configurable Event Age** - Set `Max Event Age (Minutes)` option (0 to disable)
+
+### Input Validation
+
+- **Email Validation** - RFC 5322 compliant validation
+- **URL Validation** - Blocks internal/private network URLs to prevent SSRF attacks:
+  - localhost, 127.0.0.1, 0.0.0.0
+  - Private ranges: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
+  - Link-local: 169.254.x.x (AWS metadata endpoint)
+  - Only allows http:// and https:// protocols
+
 ## Error Handling
 
 The node includes built-in error handling with detailed messages:
@@ -258,6 +311,65 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 ## Changelog
 
+### v0.6.0
+
+**Reliability & Error Handling:**
+- Improved webhook management error handling with proper 404 vs other error distinction
+- Added detailed logging for webhook lifecycle (create, check, delete operations)
+- Added logging for filtered/unsubscribed webhook events to aid debugging
+- Added rate limit visibility logging with wait time information
+- Added retry attempt logging with exponential backoff details
+
+**Input Validation:**
+- Added pre-API validation for email fields (customer create/update, checkout)
+- Added pre-API validation for URL fields (webhook URL, redirect URLs, receipt link URLs)
+- Added webhook secret minimum length validation (16 characters) for security
+- Validation errors now fail fast before making API requests
+
+**Performance:**
+- Added configurable request timeout (default: 30 seconds) for all API requests
+- Timeout prevents hanging requests and improves workflow reliability
+
+**Code Quality:**
+- Added common filter field generators to reduce code duplication
+- Added createFiltersField, createStatusFilter factory functions
+
+### v0.5.0
+
+**Security & Stability Improvements:**
+- Mandatory webhook signature verification (removed option to disable)
+- Added replay attack protection with configurable event age threshold
+- Improved email validation using RFC 5322 compliant regex
+- Enhanced URL validation to block internal/private network URLs (SSRF protection)
+- IPv6 localhost blocking (`[::1]`) for complete SSRF protection
+- Fixed silent error catching - all errors now logged for debugging
+- Added proper null checks and type safety for custom data handling
+
+**New Features:**
+- Added sorting support (created_at, updated_at) for "Get Many" operations
+- Added relationship expansion (include) for fetching related resources in single requests
+- Advanced options available for: Order, Subscription, Customer, License Key, Product, Variant, Checkout, Discount
+- Added pagination timeout protection (default: 5 minutes) to prevent long-running requests
+- Added maxItems limit support for memory optimization on large datasets
+
+**Code Quality:**
+- Added comprehensive JSDoc documentation to all helper functions
+- Created shared field generators to reduce code duplication
+- Added TypeScript types for webhooks, errors, and pagination (WebhookMeta, ApiError, PaginationOptions)
+- Improved type safety throughout the codebase
+
+**Documentation:**
+- Added SECURITY.md with security policy and vulnerability reporting guidelines
+- Added CONTRIBUTING.md with development setup and contribution guidelines
+
+**Test Coverage:**
+- Expanded test suite from 132 to 176 tests (+33%)
+- Added tests for retry logic helpers (sleep, isRateLimitError, isRetryableError)
+- Added webhook signature edge case tests (unicode, long payloads, special characters)
+- Added shared resource options tests
+- Added input validation edge case tests
+- Overall coverage improved to 87%+ statements
+
 ### v0.4.0
 
 - Added User resource for fetching authenticated user information (`getCurrent` operation)

package/dist/nodes/LemonSqueezy/LemonSqueezy.node.js

@@ -10,6 +10,8 @@ async function handleCreate(ctx, resource, itemIndex) {
         const name = ctx.getNodeParameter('customerName', itemIndex);
         const email = ctx.getNodeParameter('customerEmail', itemIndex);
         const additionalFields = ctx.getNodeParameter('additionalFields', itemIndex);
+        // Validate required fields before API call
+        (0, helpers_1.validateField)('email', email, 'email');
         const body = (0, helpers_1.buildJsonApiBody)('customers', { name, email, ...additionalFields }, { store: { type: 'stores', id: storeId } });
         return await helpers_1.lemonSqueezyApiRequest.call(ctx, 'POST', '/customers', body);
     }
@@ -63,6 +65,8 @@ async function handleCreate(ctx, resource, itemIndex) {
             attributes.custom_price = additionalOptions.customPrice;
         }
         if (additionalOptions.email) {
+            // Validate email before API call
+            (0, helpers_1.validateField)('email', additionalOptions.email, 'email');
             checkoutData.email = additionalOptions.email;
         }
         if (additionalOptions.name) {
@@ -72,23 +76,42 @@ async function handleCreate(ctx, resource, itemIndex) {
             checkoutData.discount_code = additionalOptions.discountCode;
         }
         if (additionalOptions.redirectUrl) {
+            // Validate URL before API call
+            (0, helpers_1.validateField)('redirectUrl', additionalOptions.redirectUrl, 'url');
             productOptions.redirect_url = additionalOptions.redirectUrl;
         }
         if (additionalOptions.receiptButtonText) {
             productOptions.receipt_button_text = additionalOptions.receiptButtonText;
         }
         if (additionalOptions.receiptLinkUrl) {
+            // Validate URL before API call
+            (0, helpers_1.validateField)('receiptLinkUrl', additionalOptions.receiptLinkUrl, 'url');
             productOptions.receipt_link_url = additionalOptions.receiptLinkUrl;
         }
         if (additionalOptions.receiptThankYouNote) {
             productOptions.receipt_thank_you_note = additionalOptions.receiptThankYouNote;
         }
-        if (additionalOptions.customData) {
-            try {
-                checkoutData.custom = JSON.parse(additionalOptions.customData);
+        if (additionalOptions.customData !== undefined && additionalOptions.customData !== null) {
+            const customDataValue = additionalOptions.customData;
+            if (typeof customDataValue === 'string') {
+                try {
+                    const parsed = JSON.parse(customDataValue);
+                    if (parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed)) {
+                        checkoutData.custom = parsed;
+                    }
+                    else {
+                        throw new Error('customData must be a valid JSON object');
+                    }
+                }
+                catch (error) {
+                    throw new Error(`Invalid customData: ${error instanceof Error ? error.message : 'must be valid JSON object'}`);
+                }
             }
-            catch {
-                checkoutData.custom = additionalOptions.customData;
+            else if (typeof customDataValue === 'object' && !Array.isArray(customDataValue)) {
+                checkoutData.custom = customDataValue;
+            }
+            else {
+                throw new Error('customData must be a JSON string or object');
             }
         }
         if (additionalOptions.expiresAt) {
@@ -139,6 +162,12 @@ async function handleCreate(ctx, resource, itemIndex) {
         const events = ctx.getNodeParameter('webhookEvents', itemIndex);
         const secret = ctx.getNodeParameter('webhookSecret', itemIndex);
         const additionalOptions = ctx.getNodeParameter('additionalOptions', itemIndex, {});
+        // Validate URL before API call
+        (0, helpers_1.validateField)('url', url, 'url');
+        // Validate webhook secret minimum length for security
+        if (secret.length < 16) {
+            throw new Error('Webhook secret must be at least 16 characters for security');
+        }
         const attributes = { url, events, secret };
         if (additionalOptions.testMode !== undefined) {
             attributes.test_mode = additionalOptions.testMode;
@@ -187,6 +216,8 @@ async function handleUpdate(ctx, resource, itemIndex) {
             attributes.name = updateFields.name;
         }
         if (updateFields.email) {
+            // Validate email before API call
+            (0, helpers_1.validateField)('email', updateFields.email, 'email');
             attributes.email = updateFields.email;
         }
         if (updateFields.city) {
@@ -225,12 +256,18 @@ async function handleUpdate(ctx, resource, itemIndex) {
         const updateFields = ctx.getNodeParameter('updateFields', itemIndex);
         const attributes = {};
         if (updateFields.url) {
+            // Validate URL before API call
+            (0, helpers_1.validateField)('url', updateFields.url, 'url');
             attributes.url = updateFields.url;
         }
         if (updateFields.events) {
             attributes.events = updateFields.events;
         }
         if (updateFields.secret) {
+            // Validate webhook secret minimum length for security
+            if (updateFields.secret.length < 16) {
+                throw new Error('Webhook secret must be at least 16 characters for security');
+            }
             attributes.secret = updateFields.secret;
         }
         const body = (0, helpers_1.buildJsonApiBody)('webhooks', attributes, undefined, webhookId);
@@ -279,7 +316,21 @@ class LemonSqueezy {
                 else if (operation === 'getAll') {
                     const returnAll = this.getNodeParameter('returnAll', i);
                     const filters = this.getNodeParameter('filters', i, {});
+                    const advancedOptions = this.getNodeParameter('advancedOptions', i, {});
                     const qs = (0, helpers_1.buildFilterParams)(filters);
+                    // Apply sorting if specified
+                    if (advancedOptions.sortField) {
+                        const sortDirection = advancedOptions.sortDirection || 'desc';
+                        const sortPrefix = sortDirection === 'desc' ? '-' : '';
+                        qs.sort = `${sortPrefix}${advancedOptions.sortField}`;
+                    }
+                    // Apply relationship expansion if specified
+                    if (advancedOptions.include && Array.isArray(advancedOptions.include)) {
+                        const includes = advancedOptions.include;
+                        if (includes.length > 0) {
+                            qs.include = includes.join(',');
+                        }
+                    }
                     if (returnAll) {
                         responseData = await helpers_1.lemonSqueezyApiRequestAllItems.call(this, 'GET', `/${endpoint}`, qs);
                     }

package/dist/nodes/LemonSqueezy/LemonSqueezyTrigger.node.js

@@ -74,11 +74,11 @@ class LemonSqueezyTrigger {
                             description: 'Whether to only receive test mode events',
                         },
                         {
-                            displayName: 'Verify Signature',
-                            name: 'verifySignature',
-                            type: 'boolean',
-                            default: true,
-                            description: 'Whether to verify the webhook signature (recommended)',
+                            displayName: 'Max Event Age (Minutes)',
+                            name: 'maxEventAgeMinutes',
+                            type: 'number',
+                            default: 5,
+                            description: 'Maximum age of webhook events in minutes. Events older than this will be rejected to prevent replay attacks. Set to 0 to disable.',
                         },
                     ],
                 },
@@ -90,6 +90,14 @@ class LemonSqueezyTrigger {
                     const webhookUrl = this.getNodeWebhookUrl('default');
                     const storeId = this.getNodeParameter('storeId');
                     const webhookData = this.getWorkflowStaticData('node');
+                    // Helper to check if error is a 404 (webhook not found)
+                    const isNotFoundError = (error) => {
+                        if (error && typeof error === 'object') {
+                            const err = error;
+                            return err.statusCode === 404 || err.httpCode === 404 || err.code === 404;
+                        }
+                        return false;
+                    };
                     // Check if we have stored webhook data
                     if (webhookData.webhookId) {
                         try {
@@ -97,8 +105,18 @@ class LemonSqueezyTrigger {
                             await helpers_1.lemonSqueezyApiRequest.call(this, 'GET', `/webhooks/${String(webhookData.webhookId)}`);
                             return true;
                         }
-                        catch {
-                            // Webhook doesn't exist anymore
+                        catch (error) {
+                            const webhookId = String(webhookData.webhookId);
+                            if (isNotFoundError(error)) {
+                                // Webhook was deleted externally - this is expected, recreate it
+                                // eslint-disable-next-line no-console
+                                console.log(`[LemonSqueezy] Webhook ${webhookId} not found (404) - will recreate`);
+                            }
+                            else {
+                                // Unexpected error - could be auth, network, or server issue
+                                // eslint-disable-next-line no-console
+                                console.warn(`[LemonSqueezy] Webhook ${webhookId} check failed with unexpected error: ${error instanceof Error ? error.message : 'Unknown error'}. Will attempt to recreate.`);
+                            }
                             delete webhookData.webhookId;
                             return false;
                         }
@@ -114,12 +132,16 @@ class LemonSqueezyTrigger {
                             const existingWebhook = webhooks.find((webhook) => { var _a; return ((_a = webhook.attributes) === null || _a === void 0 ? void 0 : _a.url) === webhookUrl; });
                             if (existingWebhook) {
                                 webhookData.webhookId = existingWebhook.id;
+                                // eslint-disable-next-line no-console
+                                console.log(`[LemonSqueezy] Found existing webhook ${String(existingWebhook.id)} for URL ${webhookUrl}`);
                                 return true;
                             }
                         }
                     }
-                    catch {
-                        // Error checking webhooks, assume doesn't exist
+                    catch (error) {
+                        // Error checking webhooks - this is more serious as it could indicate API/auth issues
+                        // eslint-disable-next-line no-console
+                        console.error(`[LemonSqueezy] Error checking existing webhooks for store ${storeId}: ${error instanceof Error ? error.message : 'Unknown error'}. Will attempt to create new webhook.`);
                     }
                     return false;
                 },
@@ -161,11 +183,28 @@ class LemonSqueezyTrigger {
                 async delete() {
                     const webhookData = this.getWorkflowStaticData('node');
                     if (webhookData.webhookId) {
+                        const webhookId = String(webhookData.webhookId);
                         try {
-                            await helpers_1.lemonSqueezyApiRequest.call(this, 'DELETE', `/webhooks/${String(webhookData.webhookId)}`);
+                            await helpers_1.lemonSqueezyApiRequest.call(this, 'DELETE', `/webhooks/${webhookId}`);
+                            // eslint-disable-next-line no-console
+                            console.log(`[LemonSqueezy] Webhook ${webhookId} deleted successfully`);
                         }
-                        catch {
-                            // Webhook might already be deleted
+                        catch (error) {
+                            // Check if it's a 404 (already deleted) vs other errors
+                            const is404 = error &&
+                                typeof error === 'object' &&
+                                (error.statusCode === 404 ||
+                                    error.httpCode === 404);
+                            if (is404) {
+                                // Webhook was already deleted - this is fine
+                                // eslint-disable-next-line no-console
+                                console.log(`[LemonSqueezy] Webhook ${webhookId} already deleted (404)`);
+                            }
+                            else {
+                                // Unexpected error during deletion - log as warning
+                                // eslint-disable-next-line no-console
+                                console.warn(`[LemonSqueezy] Webhook ${webhookId} deletion failed: ${error instanceof Error ? error.message : 'Unknown error'}. Continuing cleanup.`);
+                            }
                         }
                         delete webhookData.webhookId;
                     }
@@ -177,40 +216,79 @@ class LemonSqueezyTrigger {
     async webhook() {
         const options = this.getNodeParameter('options');
         const webhookSecret = this.getNodeParameter('webhookSecret');
-        // Verify signature if enabled
-        if (options.verifySignature !== false) {
-            const signature = this.getHeaderData()['x-signature'];
-            if (!signature) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Missing signature header' },
-                    },
-                };
-            }
-            const bodyData = this.getBodyData();
-            const rawBody = JSON.stringify(bodyData);
-            const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
-            if (!isValid) {
-                return {
-                    webhookResponse: {
-                        status: 401,
-                        body: { error: 'Invalid signature' },
-                    },
-                };
-            }
+        // Always verify signature - this is a security requirement
+        const signature = this.getHeaderData()['x-signature'];
+        if (!signature) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Missing signature header' },
+                },
+            };
+        }
+        const bodyData = this.getBodyData();
+        const rawBody = JSON.stringify(bodyData);
+        const isValid = (0, helpers_1.verifyWebhookSignature)(rawBody, signature, webhookSecret);
+        if (!isValid) {
+            return {
+                webhookResponse: {
+                    status: 401,
+                    body: { error: 'Invalid signature' },
+                },
+            };
         }
         const body = this.getBodyData();
         const meta = body.meta;
         const eventName = meta === null || meta === void 0 ? void 0 : meta.event_name;
+        // Replay attack protection: check event timestamp
+        const maxEventAgeMinutes = typeof options.maxEventAgeMinutes === 'number' ? options.maxEventAgeMinutes : 5;
+        if (maxEventAgeMinutes > 0 && (meta === null || meta === void 0 ? void 0 : meta.custom_data)) {
+            const customData = meta.custom_data;
+            const eventTimestamp = customData.event_created_at;
+            if (eventTimestamp) {
+                const eventTime = new Date(eventTimestamp).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
+        // Also check the created_at field in the data payload if available
+        if (maxEventAgeMinutes > 0) {
+            const data = body.data;
+            const attributes = data === null || data === void 0 ? void 0 : data.attributes;
+            const createdAt = attributes === null || attributes === void 0 ? void 0 : attributes.created_at;
+            if (createdAt) {
+                const eventTime = new Date(createdAt).getTime();
+                const now = Date.now();
+                const maxAgeMs = maxEventAgeMinutes * 60 * 1000;
+                if (now - eventTime > maxAgeMs) {
+                    return {
+                        webhookResponse: {
+                            status: 400,
+                            body: { error: 'Event too old - possible replay attack' },
+                        },
+                    };
+                }
+            }
+        }
         // Check if we should process this event
         const subscribedEvents = this.getNodeParameter('events');
         if (!eventName || !subscribedEvents.includes(eventName)) {
             // Event not subscribed, acknowledge but don't trigger workflow
+            // Log for debugging - helps identify misconfigured webhooks
+            // eslint-disable-next-line no-console
+            console.log(`[LemonSqueezy] Received event '${eventName || 'unknown'}' but not in subscribed events [${subscribedEvents.join(', ')}]. Acknowledged but not processed.`);
             return {
                 webhookResponse: {
                     status: 200,
-                    body: { received: true, processed: false },
+                    body: { received: true, processed: false, event: eventName },
                 },
             };
         }

package/dist/nodes/LemonSqueezy/constants.d.ts

@@ -6,6 +6,8 @@ export declare const DEFAULT_PAGE_SIZE = 100;
 export declare const MAX_RETRIES = 3;
 export declare const RETRY_DELAY_MS = 1000;
 export declare const RATE_LIMIT_DELAY_MS = 60000;
+/** Default timeout for API requests in milliseconds (30 seconds) */
+export declare const DEFAULT_REQUEST_TIMEOUT_MS = 30000;
 /**
  * Resource to API endpoint mapping
  */

package/dist/nodes/LemonSqueezy/constants.js

@@ -3,12 +3,14 @@
  * Lemon Squeezy API constants
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.INTERVAL_TYPES = exports.PRODUCT_STATUSES = exports.PAUSE_MODES = exports.DISCOUNT_DURATION_TYPES = exports.DISCOUNT_AMOUNT_TYPES = exports.LICENSE_KEY_STATUSES = exports.CUSTOMER_STATUSES = exports.ORDER_STATUSES = exports.SUBSCRIPTION_STATUSES = exports.WEBHOOK_EVENTS = exports.RESOURCE_ID_PARAMS = exports.RESOURCE_ENDPOINTS = exports.RATE_LIMIT_DELAY_MS = exports.RETRY_DELAY_MS = exports.MAX_RETRIES = exports.DEFAULT_PAGE_SIZE = exports.API_BASE_URL = void 0;
+exports.INTERVAL_TYPES = exports.PRODUCT_STATUSES = exports.PAUSE_MODES = exports.DISCOUNT_DURATION_TYPES = exports.DISCOUNT_AMOUNT_TYPES = exports.LICENSE_KEY_STATUSES = exports.CUSTOMER_STATUSES = exports.ORDER_STATUSES = exports.SUBSCRIPTION_STATUSES = exports.WEBHOOK_EVENTS = exports.RESOURCE_ID_PARAMS = exports.RESOURCE_ENDPOINTS = exports.DEFAULT_REQUEST_TIMEOUT_MS = exports.RATE_LIMIT_DELAY_MS = exports.RETRY_DELAY_MS = exports.MAX_RETRIES = exports.DEFAULT_PAGE_SIZE = exports.API_BASE_URL = void 0;
 exports.API_BASE_URL = 'https://api.lemonsqueezy.com/v1';
 exports.DEFAULT_PAGE_SIZE = 100;
 exports.MAX_RETRIES = 3;
 exports.RETRY_DELAY_MS = 1000;
 exports.RATE_LIMIT_DELAY_MS = 60000;
+/** Default timeout for API requests in milliseconds (30 seconds) */
+exports.DEFAULT_REQUEST_TIMEOUT_MS = 30000;
 /**
  * Resource to API endpoint mapping
  */