payload-plugin-newsletter 0.21.2 → 0.21.4
- package/CHANGELOG.md +15 -0
- package/dist/server.js +10 -3
- package/package.json +1 -1
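--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,18 @@
+## [0.21.4] - 2025-08-07
+
+### Fixed
+- Fixed ESLint error by prefixing unused webhookId variable with underscore
+
+## [0.21.3] - 2025-08-06
+
+### Fixed
+- Fixed webhook authentication by using correct Broadcast header names
+- Changed from `x-broadcast-signature` to `broadcast-webhook-signature`
+- Changed from `x-broadcast-timestamp` to `broadcast-webhook-timestamp`
+- Added support for optional `broadcast-webhook-id` header
+- Added timestamp validation to prevent replay attacks (5 minute window)
+- Headers now match Broadcast's actual webhook implementation
+
 ## [0.21.2] - 2025-08-06
 
 ### Fixed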
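--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -2738,12 +2738,19 @@ var createBroadcastWebhookEndpoint = (config) => {
 return Response.json({ error: "Webhook not configured" }, { status: 401 });
 }
 const headers = req.headers;
-const signature = headers.get("
-const timestamp = headers.get("
+const signature = headers.get("broadcast-webhook-signature");
+const timestamp = headers.get("broadcast-webhook-timestamp");
+const _webhookId = headers.get("broadcast-webhook-id");
 if (!signature || !timestamp) {
-console.error("[Broadcast Webhook] Missing signature or timestamp");
+console.error("[Broadcast Webhook] Missing signature or timestamp headers");
 return Response.json({ error: "Invalid request" }, { status: 401 });
 }
+const timestampNum = parseInt(timestamp, 10);
+const currentTime = Math.floor(Date.now() / 1e3);
+if (Math.abs(currentTime - timestampNum) > 300) {
+console.error("[Broadcast Webhook] Timestamp too old or invalid");
+return Response.json({ error: "Invalid timestamp" }, { status: 401 });
+}
 let rawBodyString;
 let rawBody;
 if (typeof req.json === "function") {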
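Review bot: A non-numeric `broadcast-webhook-timestamp` passes the new freshness check, because `parseInt` returns `NaN` and `Math.abs(currentTime - NaN) > 300` evaluates to false, so the "too old or invalid" branch never fires for it. The guard should reject that case explicitly, `if (!Number.isFinite(timestampNum) || Math.abs(currentTime - timestampNum) > 300) {`, and a digits-only check on the header would also stop `parseInt` from accepting values with trailing characters. The window only limits replay if the signature verified later covers the same timestamp string; that verification is outside this hunk, so it should be confirmed there. `_webhookId` is read but never used, so a request captured inside the 5-minute window is still accepted a second time unless the id is recorded for de-duplication. The body of `createBroadcastWebhookEndpoint` starts and ends outside the hunk.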
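--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "payload-plugin-newsletter",
-"version": "0.21.
+"version": "0.21.4",
 "description": "Complete newsletter management plugin for Payload CMS with subscriber management, magic link authentication, and email service integration",
 "type": "module",
 "main": "./dist/index.js",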