pkg-sdk-test 0.0.17 → 0.0.19

package/dist/esm/core/webhooks/fetchJwks.mjs

@@ -0,0 +1,153 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const CACHE_MAX_SIZE = 50;
+const cache = new Map();
+function base64UrlToBase64(base64url) {
+    let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4 !== 0) {
+        base64 += "=";
+    }
+    return base64;
+}
+function jwkToPem(jwk) {
+    if (jwk.x5c != null && jwk.x5c.length > 0) {
+        const cert = jwk.x5c[0];
+        return `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----`;
+    }
+    if (jwk.kty === "RSA" && jwk.n != null && jwk.e != null) {
+        return constructRsaPem(jwk.n, jwk.e);
+    }
+    throw new Error(`Unsupported JWK key type for PEM conversion: ${jwk.kty}`);
+}
+function base64UrlToBytes(base64url) {
+    const binary = atob(base64UrlToBase64(base64url));
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function concatBytes(arrays) {
+    const total = arrays.reduce((sum, a) => sum + a.length, 0);
+    const result = new Uint8Array(total);
+    let offset = 0;
+    for (const array of arrays) {
+        result.set(array, offset);
+        offset += array.length;
+    }
+    return result;
+}
+function constructRsaPem(nBase64Url, eBase64Url) {
+    const nBytes = base64UrlToBytes(nBase64Url);
+    const eBytes = base64UrlToBytes(eBase64Url);
+    // ASN.1 DER encoding of RSA public key
+    const nEncoded = asn1Integer(nBytes);
+    const eEncoded = asn1Integer(eBytes);
+    const sequence = asn1Sequence(concatBytes([nEncoded, eEncoded]));
+    const bitString = asn1BitString(sequence);
+    const algorithmIdentifier = asn1Sequence(new Uint8Array([
+        // OID for rsaEncryption (1.2.840.113549.1.1.1)
+        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+        // NULL
+        0x05, 0x00,
+    ]));
+    const spki = asn1Sequence(concatBytes([algorithmIdentifier, bitString]));
+    let binary = "";
+    for (const byte of spki) {
+        binary += String.fromCharCode(byte);
+    }
+    const base64 = btoa(binary);
+    const lines = [];
+    for (let i = 0; i < base64.length; i += 64) {
+        lines.push(base64.substring(i, i + 64));
+    }
+    return `-----BEGIN PUBLIC KEY-----\n${lines.join("\n")}\n-----END PUBLIC KEY-----`;
+}
+function asn1Length(length) {
+    if (length < 0x80) {
+        return new Uint8Array([length]);
+    }
+    const bytes = [];
+    let temp = length;
+    while (temp > 0) {
+        bytes.unshift(temp & 0xff);
+        temp >>= 8;
+    }
+    return new Uint8Array([0x80 | bytes.length, ...bytes]);
+}
+function asn1Integer(bytes) {
+    // Add leading zero if high bit is set (to ensure positive integer)
+    const needsPadding = bytes[0] >= 0x80;
+    const content = needsPadding ? concatBytes([new Uint8Array([0x00]), bytes]) : bytes;
+    return concatBytes([new Uint8Array([0x02]), asn1Length(content.length), content]);
+}
+function asn1Sequence(content) {
+    return concatBytes([new Uint8Array([0x30]), asn1Length(content.length), content]);
+}
+function asn1BitString(content) {
+    // Prepend a zero byte for unused bits
+    return concatBytes([new Uint8Array([0x03]), asn1Length(content.length + 1), new Uint8Array([0x00]), content]);
+}
+function fetchKeys(url) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const cached = cache.get(url);
+        if (cached != null && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+            return cached.keys;
+        }
+        const response = yield fetch(url);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch JWKS from ${url}: ${response.status} ${response.statusText}`);
+        }
+        const jwks = (yield response.json());
+        if (cache.size >= CACHE_MAX_SIZE) {
+            for (const key of cache.keys()) {
+                cache.delete(key);
+                break;
+            }
+        }
+        cache.set(url, { keys: jwks.keys, fetchedAt: Date.now() });
+        return jwks.keys;
+    });
+}
+/**
+ * Fetches a public key from a JWKS endpoint and returns it as a PEM string.
+ *
+ * Only RSA keys (reconstructed from `n`/`e`) and keys with an `x5c` certificate chain are supported.
+ * EC (kty: "EC") and OKP (kty: "OKP") keys are **not** supported and will throw an error.
+ *
+ * @throws {Error} If the JWKS endpoint returns a non-OK response.
+ * @throws {Error} If no key matching `keyId` is found (after one cache-busting retry).
+ * @throws {Error} If the selected key has an unsupported type (e.g. EC or OKP).
+ */
+export function fetchJwks(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const keys = yield fetchKeys(args.url);
+        let selectedKey;
+        if (args.keyId != null) {
+            selectedKey = keys.find((k) => k.kid === args.keyId);
+            if (selectedKey == null) {
+                // Invalidate cache and retry once
+                cache.delete(args.url);
+                const refreshedKeys = yield fetchKeys(args.url);
+                selectedKey = refreshedKeys.find((k) => k.kid === args.keyId);
+            }
+        }
+        else {
+            selectedKey = keys[0];
+        }
+        if (selectedKey == null) {
+            throw new Error(args.keyId != null
+                ? `No key found with kid "${args.keyId}" in JWKS at ${args.url}`
+                : `No keys found in JWKS at ${args.url}`);
+        }
+        return jwkToPem(selectedKey);
+    });
+}

package/dist/esm/core/webhooks/index.d.mts

@@ -0,0 +1,8 @@
+export type { ComputeHmacSignatureArgs, HmacAlgorithm } from "./computeHmacSignature.mjs";
+export { computeHmacSignature } from "./computeHmacSignature.mjs";
+export type { FetchJwksArgs } from "./fetchJwks.mjs";
+export { fetchJwks } from "./fetchJwks.mjs";
+export { timingSafeEqual } from "./timingSafeEqual.mjs";
+export type { SignatureEncoding } from "./types.mjs";
+export type { AsymmetricAlgorithm, VerifyAsymmetricSignatureArgs } from "./verifyAsymmetricSignature.mjs";
+export { verifyAsymmetricSignature } from "./verifyAsymmetricSignature.mjs";

package/dist/esm/core/webhooks/index.mjs

@@ -0,0 +1,4 @@
+export { computeHmacSignature } from "./computeHmacSignature.mjs";
+export { fetchJwks } from "./fetchJwks.mjs";
+export { timingSafeEqual } from "./timingSafeEqual.mjs";
+export { verifyAsymmetricSignature } from "./verifyAsymmetricSignature.mjs";

package/dist/esm/core/webhooks/timingSafeEqual.d.mts

@@ -0,0 +1 @@
+export declare function timingSafeEqual(a: string, b: string): Promise<boolean>;

package/dist/esm/core/webhooks/timingSafeEqual.mjs

@@ -0,0 +1,49 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { RUNTIME } from "../runtime/index.mjs";
+export function timingSafeEqual(a, b) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        if (RUNTIME.type === "node") {
+            const crypto = yield import("crypto");
+            const bufA = Buffer.from(a);
+            const bufB = Buffer.from(b);
+            if (bufA.length !== bufB.length) {
+                // Still perform comparison to avoid leaking length via timing
+                const dummy = Buffer.alloc(bufA.length);
+                crypto.timingSafeEqual(bufA, dummy);
+                return false;
+            }
+            return crypto.timingSafeEqual(bufA, bufB);
+        }
+        // Fallback: constant-time XOR comparison using Uint8Array
+        const enc = new TextEncoder();
+        const bytesA = enc.encode(a);
+        const bytesB = enc.encode(b);
+        if (bytesA.length !== bytesB.length) {
+            // XOR each byte of bytesA against bytesB[0] (a runtime value) so the
+            // loop cannot be trivially folded to a constant by the engine. This is
+            // best-effort timing-stability: JS has no guarantee, but we avoid an
+            // obvious early-exit that would trivially leak length via timing.
+            const pivot = (_a = bytesB[0]) !== null && _a !== void 0 ? _a : 0;
+            let sink = 0;
+            for (let i = 0; i < bytesA.length; i++) {
+                sink |= bytesA[i] ^ pivot;
+            }
+            void sink;
+            return false;
+        }
+        let result = 0;
+        for (let i = 0; i < bytesA.length; i++) {
+            result |= bytesA[i] ^ bytesB[i];
+        }
+        return result === 0;
+    });
+}

package/dist/esm/core/webhooks/types.d.mts

@@ -0,0 +1 @@
+export type SignatureEncoding = "base64" | "hex";

package/dist/esm/core/webhooks/types.mjs

@@ -0,0 +1 @@
+export {};

package/dist/esm/core/webhooks/verifyAsymmetricSignature.d.mts

@@ -0,0 +1,10 @@
+import type { SignatureEncoding } from "./types.mjs";
+export type AsymmetricAlgorithm = "RSA_SHA256" | "RSA_SHA384" | "RSA_SHA512" | "ECDSA_SHA256" | "ECDSA_SHA384" | "ECDSA_SHA512" | "ED25519";
+export interface VerifyAsymmetricSignatureArgs {
+    payload: string;
+    signature: string;
+    publicKey: string;
+    algorithm: AsymmetricAlgorithm;
+    encoding: SignatureEncoding;
+}
+export declare function verifyAsymmetricSignature(args: VerifyAsymmetricSignatureArgs): Promise<boolean>;

package/dist/esm/core/webhooks/verifyAsymmetricSignature.mjs

@@ -0,0 +1,174 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import { RUNTIME } from "../runtime/index.mjs";
+function getNodeAlgorithmName(algorithm) {
+    switch (algorithm) {
+        case "RSA_SHA256":
+            return "RSA-SHA256";
+        case "RSA_SHA384":
+            return "RSA-SHA384";
+        case "RSA_SHA512":
+            return "RSA-SHA512";
+        case "ECDSA_SHA256":
+            return "SHA256";
+        case "ECDSA_SHA384":
+            return "SHA384";
+        case "ECDSA_SHA512":
+            return "SHA512";
+    }
+}
+// Each ECDSA curve has a fixed coordinate size for IEEE P1363 format.
+// Web Crypto requires P1363 (r ∥ s), while Node's createVerify accepts DER (ASN.1 SEQUENCE).
+function ecdsaCoordSize(algorithm) {
+    switch (algorithm) {
+        case "ECDSA_SHA256":
+            return 32; // P-256
+        case "ECDSA_SHA384":
+            return 48; // P-384
+        case "ECDSA_SHA512":
+            return 66; // P-521
+    }
+}
+// Read a DER length field starting at der[offset]. Returns [length, bytesConsumed].
+// Handles both short form (1 byte) and long form (0x81/0x82 prefix).
+function readDerLength(der, offset) {
+    const first = der[offset];
+    if (first < 0x80) {
+        return [first, 1];
+    }
+    const numLenBytes = first & 0x7f;
+    let length = 0;
+    for (let i = 0; i < numLenBytes; i++) {
+        length = (length << 8) | der[offset + 1 + i];
+    }
+    return [length, 1 + numLenBytes];
+}
+// Convert a DER-encoded ECDSA signature (ASN.1 SEQUENCE { INTEGER r, INTEGER s })
+// to IEEE P1363 format (r ∥ s, each zero-padded to coordSize bytes).
+function derToP1363(der, coordSize) {
+    // DER structure: 0x30 <len> 0x02 <rLen> <r> 0x02 <sLen> <s>
+    // Skip the outer SEQUENCE tag (0x30) and its length (may be long-form for P-521).
+    let offset = 1; // skip 0x30
+    const [, seqLenBytes] = readDerLength(der, offset);
+    offset += seqLenBytes;
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag for r");
+    }
+    offset++; // skip 0x02 tag
+    const [rLen, rLenBytes] = readDerLength(der, offset);
+    offset += rLenBytes;
+    const r = der.slice(offset, offset + rLen);
+    offset += rLen;
+    if (der[offset] !== 0x02) {
+        throw new Error("Invalid DER signature: expected INTEGER tag for s");
+    }
+    offset++; // skip 0x02 tag
+    const [sLen, sLenBytes] = readDerLength(der, offset);
+    offset += sLenBytes;
+    const s = der.slice(offset, offset + sLen);
+    const result = new Uint8Array(new ArrayBuffer(coordSize * 2));
+    // r and s may have a leading 0x00 padding byte (DER positive integer) — strip it,
+    // then right-align into the fixed-size output.
+    const rStripped = r[0] === 0x00 ? r.slice(1) : r;
+    const sStripped = s[0] === 0x00 ? s.slice(1) : s;
+    result.set(rStripped, coordSize - rStripped.length);
+    result.set(sStripped, coordSize * 2 - sStripped.length);
+    return result;
+}
+function pemToBytes(pem) {
+    const lines = pem.replace(/-----[A-Z ]+-----/g, "").replace(/\s+/g, "");
+    const binary = atob(lines);
+    const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+function signatureToBytes(signature, encoding) {
+    if (encoding === "base64") {
+        const binary = atob(signature);
+        const bytes = new Uint8Array(new ArrayBuffer(binary.length));
+        for (let i = 0; i < binary.length; i++) {
+            bytes[i] = binary.charCodeAt(i);
+        }
+        return bytes;
+    }
+    // hex
+    const bytes = new Uint8Array(new ArrayBuffer(signature.length / 2));
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(signature.slice(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+function getSubtleAlgorithms(algorithm) {
+    switch (algorithm) {
+        case "RSA_SHA256":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "RSA_SHA384":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "RSA_SHA512":
+            return {
+                importAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" },
+                verifyAlgorithm: { name: "RSASSA-PKCS1-v1_5" },
+            };
+        case "ECDSA_SHA256":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-256" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-256" },
+            };
+        case "ECDSA_SHA384":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-384" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-384" },
+            };
+        case "ECDSA_SHA512":
+            return {
+                importAlgorithm: { name: "ECDSA", namedCurve: "P-521" },
+                verifyAlgorithm: { name: "ECDSA", hash: "SHA-512" },
+            };
+        case "ED25519":
+            return {
+                importAlgorithm: { name: "Ed25519" },
+                verifyAlgorithm: { name: "Ed25519" },
+            };
+    }
+}
+export function verifyAsymmetricSignature(args) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (RUNTIME.type === "node") {
+            const crypto = yield import("crypto");
+            if (args.algorithm === "ED25519") {
+                const signatureBytes = Uint8Array.from(Buffer.from(args.signature, args.encoding));
+                return crypto.verify(null, Uint8Array.from(Buffer.from(args.payload)), args.publicKey, signatureBytes);
+            }
+            const verifier = crypto.createVerify(getNodeAlgorithmName(args.algorithm));
+            verifier.update(args.payload);
+            return verifier.verify(args.publicKey, args.signature, args.encoding);
+        }
+        const subtle = globalThis.crypto.subtle;
+        const { importAlgorithm, verifyAlgorithm } = getSubtleAlgorithms(args.algorithm);
+        const keyBytes = pemToBytes(args.publicKey);
+        const key = yield subtle.importKey("spki", keyBytes, importAlgorithm, false, ["verify"]);
+        let signatureBytes = signatureToBytes(args.signature, args.encoding);
+        // Web Crypto requires IEEE P1363 format for ECDSA (raw r ∥ s), but the
+        // incoming signature is DER-encoded (the format Node and most libraries produce).
+        if (args.algorithm === "ECDSA_SHA256" || args.algorithm === "ECDSA_SHA384" || args.algorithm === "ECDSA_SHA512") {
+            signatureBytes = derToP1363(signatureBytes, ecdsaCoordSize(args.algorithm));
+        }
+        const payloadBytes = new TextEncoder().encode(args.payload);
+        return subtle.verify(verifyAlgorithm, key, signatureBytes, payloadBytes);
+    });
+}

package/dist/esm/index.d.mts

@@ -4,3 +4,4 @@ export { SuwardSDKClient } from "./Client.mjs";
 export { SuwardSDKEnvironment } from "./environments.mjs";
 export { SuwardSDKError, SuwardSDKTimeoutError } from "./errors/index.mjs";
 export * from "./exports.mjs";
+export * as webhooks from "./webhooks/index.mjs";

package/dist/esm/index.mjs

@@ -3,3 +3,4 @@ export { SuwardSDKClient } from "./Client.mjs";
 export { SuwardSDKEnvironment } from "./environments.mjs";
 export { SuwardSDKError, SuwardSDKTimeoutError } from "./errors/index.mjs";
 export * from "./exports.mjs";
+export * as webhooks from "./webhooks/index.mjs";

package/dist/esm/version.d.mts

@@ -1 +1 @@
-export declare const SDK_VERSION = "0.0.17";
+export declare const SDK_VERSION = "0.0.19";

package/dist/esm/version.mjs

@@ -1 +1 @@
-export const SDK_VERSION = "0.0.17";
+export const SDK_VERSION = "0.0.19";

package/dist/esm/webhooks/WebhooksHelper.d.mts

@@ -0,0 +1,9 @@
+/**
+ * Verify an asymmetric webhook signature.
+ *
+ * Extract the signature from the "X-Suward-Signature" header and pass it as the signatureHeader parameter.
+ * Extract the timestamp from the "X-Suward-Timestamp" header and pass it as the timestampHeader parameter.
+ */
+export declare class WebhooksHelper {
+    static verifySignature(requestBody: string, signatureHeader: string, publicKey: string, timestampHeader: string): Promise<boolean>;
+}

package/dist/esm/webhooks/WebhooksHelper.mjs

@@ -0,0 +1,50 @@
+// This file was auto-generated by Fern from our API Definition.
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+import * as core from "../core/index.mjs";
+const TIMESTAMP_TOLERANCE_SECONDS = 300;
+const SIGNATURE_PREFIX = "ed25519=";
+/**
+ * Verify an asymmetric webhook signature.
+ *
+ * Extract the signature from the "X-Suward-Signature" header and pass it as the signatureHeader parameter.
+ * Extract the timestamp from the "X-Suward-Timestamp" header and pass it as the timestampHeader parameter.
+ */
+export class WebhooksHelper {
+    static verifySignature(requestBody, signatureHeader, publicKey, timestampHeader) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (requestBody == null || signatureHeader == null || publicKey == null) {
+                throw new Error("Missing required parameters for webhook signature verification");
+            }
+            if (timestampHeader == null || timestampHeader === "") {
+                throw new Error("Missing timestamp header 'X-Suward-Timestamp' for webhook signature verification");
+            }
+            const timestampValue = parseInt(timestampHeader, 10);
+            if (Number.isNaN(timestampValue)) {
+                throw new Error("Invalid timestamp format: expected unix milliseconds");
+            }
+            const timestampMs = timestampValue;
+            if (Math.abs(Date.now() - timestampMs) > TIMESTAMP_TOLERANCE_SECONDS * 1000) {
+                return false;
+            }
+            const sig = signatureHeader.startsWith(SIGNATURE_PREFIX)
+                ? signatureHeader.slice(SIGNATURE_PREFIX.length)
+                : signatureHeader;
+            const payload = requestBody;
+            return yield core.verifyAsymmetricSignature({
+                payload: payload,
+                signature: sig,
+                publicKey: publicKey,
+                algorithm: "ED25519",
+                encoding: "hex",
+            });
+        });
+    }
+}

package/dist/esm/webhooks/index.d.mts

@@ -0,0 +1 @@
+export { WebhooksHelper } from "./WebhooksHelper.mjs";

package/dist/esm/webhooks/index.mjs

@@ -0,0 +1 @@
+export { WebhooksHelper } from "./WebhooksHelper.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "pkg-sdk-test",
-    "version": "0.0.17",
+    "version": "0.0.19",
     "private": false,
     "repository": {
         "type": "git",