npm - realtimex-crm - Versions diffs - 0.8.1 → 0.9.2 - Mend

realtimex-crm 0.8.1 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/src/components/ui/alert-dialog.tsx ADDED Viewed

@@ -0,0 +1,155 @@
+import * as React from "react"
+import * as AlertDialogPrimitive from "@radix-ui/react-alert-dialog"
+import { cn } from "@/lib/utils"
+import { buttonVariants } from "@/components/ui/button"
+function AlertDialog({
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Root>) {
+  return <AlertDialogPrimitive.Root data-slot="alert-dialog" {...props} />
+}
+function AlertDialogTrigger({
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Trigger>) {
+  return (
+    <AlertDialogPrimitive.Trigger data-slot="alert-dialog-trigger" {...props} />
+  )
+}
+function AlertDialogPortal({
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Portal>) {
+  return (
+    <AlertDialogPrimitive.Portal data-slot="alert-dialog-portal" {...props} />
+  )
+}
+function AlertDialogOverlay({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Overlay>) {
+  return (
+    <AlertDialogPrimitive.Overlay
+      data-slot="alert-dialog-overlay"
+      className={cn(
+        "data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 fixed inset-0 z-50 bg-black/50",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+function AlertDialogContent({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Content>) {
+  return (
+    <AlertDialogPortal>
+      <AlertDialogOverlay />
+      <AlertDialogPrimitive.Content
+        data-slot="alert-dialog-content"
+        className={cn(
+          "bg-background data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 fixed top-[50%] left-[50%] z-50 grid w-full max-w-[calc(100%-2rem)] translate-x-[-50%] translate-y-[-50%] gap-4 rounded-lg border p-6 shadow-lg duration-200 sm:max-w-lg",
+          className
+        )}
+        {...props}
+      />
+    </AlertDialogPortal>
+  )
+}
+function AlertDialogHeader({
+  className,
+  ...props
+}: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="alert-dialog-header"
+      className={cn("flex flex-col gap-2 text-center sm:text-left", className)}
+      {...props}
+    />
+  )
+}
+function AlertDialogFooter({
+  className,
+  ...props
+}: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="alert-dialog-footer"
+      className={cn(
+        "flex flex-col-reverse gap-2 sm:flex-row sm:justify-end",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+function AlertDialogTitle({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Title>) {
+  return (
+    <AlertDialogPrimitive.Title
+      data-slot="alert-dialog-title"
+      className={cn("text-lg font-semibold", className)}
+      {...props}
+    />
+  )
+}
+function AlertDialogDescription({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Description>) {
+  return (
+    <AlertDialogPrimitive.Description
+      data-slot="alert-dialog-description"
+      className={cn("text-muted-foreground text-sm", className)}
+      {...props}
+    />
+  )
+}
+function AlertDialogAction({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Action>) {
+  return (
+    <AlertDialogPrimitive.Action
+      className={cn(buttonVariants(), className)}
+      {...props}
+    />
+  )
+}
+function AlertDialogCancel({
+  className,
+  ...props
+}: React.ComponentProps<typeof AlertDialogPrimitive.Cancel>) {
+  return (
+    <AlertDialogPrimitive.Cancel
+      className={cn(buttonVariants({ variant: "outline" }), className)}
+      {...props}
+    />
+  )
+}
+export {
+  AlertDialog,
+  AlertDialogPortal,
+  AlertDialogOverlay,
+  AlertDialogTrigger,
+  AlertDialogContent,
+  AlertDialogHeader,
+  AlertDialogFooter,
+  AlertDialogTitle,
+  AlertDialogDescription,
+  AlertDialogAction,
+  AlertDialogCancel,
+}

package/src/lib/api-key-utils.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Generate a new API key in format: ak_live_<32 hex chars>
+ */
+export function generateApiKey(): string {
+  const array = new Uint8Array(16);
+  crypto.getRandomValues(array);
+  const hex = Array.from(array)
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+  return `ak_live_${hex}`;
+}
+/**
+ * Hash API key using SHA-256
+ */
+export async function hashApiKey(apiKey: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(apiKey);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+}

package/supabase/fix_webhook_hardcoded.sql ADDED Viewed

@@ -0,0 +1,34 @@
+-- ==================================================================================
+-- HARDCODED WEBHOOK FIX (Bypasses Permission Issues)
+-- ==================================================================================
+-- 1. Ensure extensions are active
+CREATE EXTENSION IF NOT EXISTS pg_net WITH SCHEMA extensions;
+CREATE EXTENSION IF NOT EXISTS pg_cron WITH SCHEMA extensions;
+-- 2. Remove the old dynamic job that relies on missing settings
+SELECT cron.unschedule(jobid)
+FROM cron.job
+WHERE jobname = 'webhook-dispatcher';
+-- 3. Schedule the new job with HARDCODED credentials
+-- !!! IMPORTANT: Replace [YOUR_SERVICE_ROLE_KEY] below before running !!!
+SELECT cron.schedule(
+    'webhook-dispatcher',
+    '* * * * *', -- Run every minute
+    $$
+    select
+      net.http_post(
+          url:='https://xydvyhnspkzcsocewhuy.supabase.co/functions/v1/webhook-dispatcher',
+          headers:=jsonb_build_object(
+              'Content-Type','application/json',
+              'Authorization', 'Bearer [YOUR_SERVICE_ROLE_KEY]'
+          ),
+          body:='{}'::jsonb
+      ) as request_id;
+    $$
+);
+-- 4. Check that the job is scheduled
+SELECT jobid, jobname, command FROM cron.job WHERE jobname = 'webhook-dispatcher';

package/supabase/functions/_shared/apiKeyAuth.ts ADDED Viewed

@@ -0,0 +1,171 @@
+import { supabaseAdmin } from "./supabaseAdmin.ts";
+import { createErrorResponse } from "./utils.ts";
+// Rate limiting: Simple in-memory store (resets on function restart)
+const rateLimitStore = new Map<string, { count: number; resetAt: number }>();
+const RATE_LIMIT_MAX = 100; // requests per window
+const RATE_LIMIT_WINDOW = 60 * 1000; // 60 seconds
+interface ApiKey {
+  id: number;
+  sales_id: number;
+  name: string;
+  scopes: string[];
+  is_active: boolean;
+  expires_at: string | null;
+}
+/**
+ * Extract and validate API key from request
+ * Returns api key record or error response
+ */
+export async function validateApiKey(
+  req: Request
+): Promise<{ apiKey: ApiKey } | Response> {
+  const authHeader = req.headers.get("Authorization");
+  if (!authHeader || !authHeader.startsWith("Bearer ")) {
+    return createErrorResponse(401, "Missing or invalid Authorization header");
+  }
+  const apiKeyValue = authHeader.replace("Bearer ", "");
+  if (!apiKeyValue.startsWith("ak_live_")) {
+    return createErrorResponse(401, "Invalid API key format");
+  }
+  // Hash the API key for lookup
+  const encoder = new TextEncoder();
+  const data = encoder.encode(apiKeyValue);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const keyHash = hashArray.map((b) => b.toString(16).padStart(2, "0")).join(
+    ""
+  );
+  // Lookup API key in database
+  const { data: apiKey, error } = await supabaseAdmin
+    .from("api_keys")
+    .select("id, sales_id, name, scopes, is_active, expires_at")
+    .eq("key_hash", keyHash)
+    .single();
+  if (error || !apiKey) {
+    return createErrorResponse(401, "Invalid API key");
+  }
+  // Check if active
+  if (!apiKey.is_active) {
+    return createErrorResponse(401, "API key is disabled");
+  }
+  // Check expiration
+  if (apiKey.expires_at && new Date(apiKey.expires_at) < new Date()) {
+    return createErrorResponse(401, "API key has expired");
+  }
+  // Update last_used_at (fire and forget)
+  supabaseAdmin
+    .from("api_keys")
+    .update({ last_used_at: new Date().toISOString() })
+    .eq("id", apiKey.id)
+    .then(() => {});
+  return { apiKey };
+}
+/**
+ * Check rate limit for API key
+ */
+export function checkRateLimit(apiKeyId: number): Response | null {
+  const now = Date.now();
+  const key = `ratelimit:${apiKeyId}`;
+  let bucket = rateLimitStore.get(key);
+  if (!bucket || now > bucket.resetAt) {
+    // Create new bucket
+    bucket = {
+      count: 1,
+      resetAt: now + RATE_LIMIT_WINDOW,
+    };
+    rateLimitStore.set(key, bucket);
+    return null;
+  }
+  if (bucket.count >= RATE_LIMIT_MAX) {
+    const retryAfter = Math.ceil((bucket.resetAt - now) / 1000);
+    return new Response(
+      JSON.stringify({
+        status: 429,
+        message: "Rate limit exceeded",
+        retry_after: retryAfter,
+      }),
+      {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": retryAfter.toString(),
+          "X-RateLimit-Limit": RATE_LIMIT_MAX.toString(),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Reset": bucket.resetAt.toString(),
+        },
+      }
+    );
+  }
+  bucket.count++;
+  return null;
+}
+/**
+ * Check if API key has required scope
+ */
+export function hasScope(apiKey: ApiKey, requiredScope: string): boolean {
+  // Check for wildcard scope
+  if (apiKey.scopes.includes("*")) {
+    return true;
+  }
+  // Check for exact scope match
+  if (apiKey.scopes.includes(requiredScope)) {
+    return true;
+  }
+  // Check for resource wildcard (e.g., "contacts:*" matches "contacts:read")
+  const [resource] = requiredScope.split(":");
+  if (apiKey.scopes.includes(`${resource}:*`)) {
+    return true;
+  }
+  return false;
+}
+/**
+ * Log API request
+ */
+export async function logApiRequest(
+  apiKeyId: number,
+  endpoint: string,
+  method: string,
+  statusCode: number,
+  responseTimeMs: number,
+  req: Request,
+  errorMessage?: string
+) {
+  const ip = req.headers.get("x-forwarded-for")?.split(",")[0]?.trim();
+  const userAgent = req.headers.get("user-agent");
+  await supabaseAdmin.from("api_logs").insert({
+    api_key_id: apiKeyId,
+    endpoint,
+    method,
+    status_code: statusCode,
+    response_time_ms: responseTimeMs,
+    ip_address: ip,
+    user_agent: userAgent,
+    error_message: errorMessage,
+  });
+}

package/supabase/functions/_shared/ingestionGuard.ts ADDED Viewed

@@ -0,0 +1,128 @@
+import { createErrorResponse } from "./utils.ts";
+import { supabaseAdmin } from "./supabaseAdmin.ts";
+/**
+ * Validates the request signature or API key.
+ * Returns the resolved provider config or an error response.
+ * Note: For Twilio, signature validation must be done separately after body parsing
+ * using validateTwilioWebhook()
+ */
+export async function validateIngestionRequest(req: Request) {
+  const url = new URL(req.url);
+  const providerCode = url.searchParams.get("provider");
+  // Check for ingestion key in header (preferred) or URL query param (backward compatibility)
+  const ingestionKey = req.headers.get("x-ingestion-key") || url.searchParams.get("key");
+  // 1. Internal/Manual API Key (Bearer)
+  const authHeader = req.headers.get("Authorization");
+  if (authHeader?.startsWith("Bearer ak_live_")) {
+    // Validate Internal API Key (already implemented in apiKeyAuth.ts)
+    // For V1, we trust internal keys as "generic" provider
+    return { provider: { id: null, provider_code: "generic", sales_id: null } };
+  }
+  // 2. Identify Provider by 'ingestion_key' (Preferred)
+  if (ingestionKey) {
+    const { data: provider, error } = await supabaseAdmin
+      .from("ingestion_providers")
+      .select("*")
+      .eq("ingestion_key", ingestionKey)
+      .eq("is_active", true)
+      .single();
+    if (error || !provider) {
+      return { error: createErrorResponse(401, "Invalid Ingestion Key") };
+    }
+    return { provider };
+  }
+  // 3. Fallback: Identify by Query Param (Legacy/Public Webhooks)
+  if (providerCode === "twilio") {
+      // In this case, we need to find WHICH Twilio config to use.
+      // Usually, we match by the 'To' phone number in the body, but that requires parsing the body first.
+      // For strict security, we REJECT requests without an ingestion_key in the URL.
+      return { error: createErrorResponse(401, "Missing 'key' parameter in webhook URL") };
+  }
+  return { error: createErrorResponse(400, "Unknown Provider or Missing Authentication") };
+}
+/**
+ * Validates a Twilio webhook request after body parsing
+ * Call this after validateIngestionRequest() and body parsing
+ */
+export async function validateTwilioWebhook(
+  req: Request,
+  authToken: string,
+  body: Record<string, any>
+): Promise<boolean> {
+  return await validateTwilioSignature(req, authToken, body);
+}
+/**
+ * Validates Twilio X-Twilio-Signature using HMAC-SHA1
+ * Implementation follows Twilio's security specification:
+ * https://www.twilio.com/docs/usage/security#validating-requests
+ */
+async function validateTwilioSignature(
+  req: Request,
+  authToken: string,
+  body: Record<string, any>
+): Promise<boolean> {
+  const signature = req.headers.get("X-Twilio-Signature");
+  if (!signature) return false;
+  try {
+    // 1. Get the full URL (including protocol, host, path, and query params)
+    const url = req.url;
+    // 2. Sort POST parameters alphabetically and concatenate
+    const sortedParams = Object.keys(body)
+      .sort()
+      .map((key) => `${key}${body[key]}`)
+      .join("");
+    // 3. Concatenate URL + sorted params
+    const data = url + sortedParams;
+    // 4. Compute HMAC-SHA1
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(authToken);
+    const messageData = encoder.encode(data);
+    const cryptoKey = await crypto.subtle.importKey(
+      "raw",
+      keyData,
+      { name: "HMAC", hash: "SHA-1" },
+      false,
+      ["sign"]
+    );
+    const signatureBuffer = await crypto.subtle.sign("HMAC", cryptoKey, messageData);
+    // 5. Convert to Base64
+    const signatureArray = Array.from(new Uint8Array(signatureBuffer));
+    const signatureBase64 = btoa(String.fromCharCode(...signatureArray));
+    // 6. Constant-time comparison to prevent timing attacks
+    return constantTimeCompare(signature, signatureBase64);
+  } catch (error) {
+    console.error("Twilio signature validation error:", error);
+    return false;
+  }
+}
+/**
+ * Constant-time string comparison to prevent timing attacks
+ */
+function constantTimeCompare(a: string, b: string): boolean {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}

package/supabase/functions/_shared/utils.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 export const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Headers":
-    "authorization, x-client-info, apikey, content-type",
+    "authorization, x-client-info, apikey, content-type, x-ingestion-key",
   "Access-Control-Allow-Methods": "POST, PATCH, PUT, DELETE",
 };

package/supabase/functions/_shared/webhookSignature.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Generate HMAC-SHA256 signature for webhook payload
+ */
+export async function generateWebhookSignature(
+  secret: string,
+  payload: string
+): Promise<string> {
+  const encoder = new TextEncoder();
+  const keyData = encoder.encode(secret);
+  const messageData = encoder.encode(payload);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    keyData,
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const signature = await crypto.subtle.sign("HMAC", cryptoKey, messageData);
+  const hashArray = Array.from(new Uint8Array(signature));
+  return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+}

package/supabase/functions/api-v1-activities/index.ts ADDED Viewed

@@ -0,0 +1,137 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { supabaseAdmin } from "../_shared/supabaseAdmin.ts";
+import { corsHeaders, createErrorResponse } from "../_shared/utils.ts";
+import {
+  validateApiKey,
+  checkRateLimit,
+  hasScope,
+  logApiRequest,
+} from "../_shared/apiKeyAuth.ts";
+Deno.serve(async (req: Request) => {
+  const startTime = Date.now();
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders });
+  }
+  const authResult = await validateApiKey(req);
+  if ("status" in authResult) {
+    return authResult;
+  }
+  const { apiKey } = authResult;
+  const rateLimitError = checkRateLimit(apiKey.id);
+  if (rateLimitError) {
+    await logApiRequest(
+      apiKey.id,
+      "/v1/activities",
+      req.method,
+      429,
+      Date.now() - startTime,
+      req
+    );
+    return rateLimitError;
+  }
+  try {
+    if (req.method === "POST") {
+      const response = await createActivity(apiKey, req);
+      const responseTime = Date.now() - startTime;
+      await logApiRequest(
+        apiKey.id,
+        "/v1/activities",
+        req.method,
+        response.status,
+        responseTime,
+        req
+      );
+      return response;
+    } else {
+      return createErrorResponse(404, "Not found");
+    }
+  } catch (error) {
+    const responseTime = Date.now() - startTime;
+    await logApiRequest(
+      apiKey.id,
+      "/v1/activities",
+      req.method,
+      500,
+      responseTime,
+      req,
+      error.message
+    );
+    return createErrorResponse(500, "Internal server error");
+  }
+});
+async function createActivity(apiKey: any, req: Request) {
+  if (!hasScope(apiKey, "activities:write")) {
+    return createErrorResponse(403, "Insufficient permissions");
+  }
+  const body = await req.json();
+  const { type, ...activityData } = body;
+  // Activities can be notes or tasks
+  if (type === "note" || type === "contact_note") {
+    const { data, error } = await supabaseAdmin
+      .from("contactNotes")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+    return new Response(JSON.stringify({ data, type: "note" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else if (type === "task") {
+    const { data, error } = await supabaseAdmin
+      .from("tasks")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+    return new Response(JSON.stringify({ data, type: "task" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else if (type === "deal_note") {
+    const { data, error } = await supabaseAdmin
+      .from("dealNotes")
+      .insert({
+        ...activityData,
+        sales_id: apiKey.sales_id,
+      })
+      .select()
+      .single();
+    if (error) {
+      return createErrorResponse(400, error.message);
+    }
+    return new Response(JSON.stringify({ data, type: "deal_note" }), {
+      status: 201,
+      headers: { "Content-Type": "application/json", ...corsHeaders },
+    });
+  } else {
+    return createErrorResponse(
+      400,
+      "Invalid activity type. Must be 'note', 'contact_note', 'task', or 'deal_note'"
+    );
+  }
+}