settld 0.2.5 → 0.2.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/Dockerfile +2 -2
- package/package.json +2 -1
- package/packages/api-sdk/README.md +71 -0
- package/packages/api-sdk/src/client.js +1021 -0
- package/packages/api-sdk/src/express-middleware.js +163 -0
- package/packages/api-sdk/src/index.d.ts +1662 -0
- package/packages/api-sdk/src/index.js +10 -0
- package/packages/api-sdk/src/webhook-signature.js +182 -0
- package/packages/api-sdk/src/x402-autopay.js +210 -0
- package/scripts/ci/cli-pack-smoke.mjs +2 -0
- package/scripts/setup/login.mjs +6 -1
- package/scripts/setup/onboard.mjs +14 -0
- package/scripts/setup/onboarding-failure-taxonomy.mjs +11 -0
- package/services/magic-link/README.md +13 -4
- package/services/magic-link/src/buyer-auth.js +33 -2
- package/services/magic-link/src/decision-otp.js +33 -2
- package/services/magic-link/src/email-resend.js +89 -0
- package/services/magic-link/src/maintenance.js +26 -1
- package/services/magic-link/src/server.js +72 -11
- package/services/magic-link/src/smtp.js +19 -4
- package/src/api/app.js +6 -1
package/Dockerfile
CHANGED
|
@@ -30,8 +30,8 @@ COPY --from=deps /app/node_modules ./node_modules
|
|
|
30
30
|
COPY --from=deps /app/package.json ./package.json
|
|
31
31
|
COPY --from=deps /app/SETTLD_VERSION ./SETTLD_VERSION
|
|
32
32
|
|
|
33
|
-
# Runtime-writable locations should be mounted as volumes in k8s;
|
|
34
|
-
COPY --from=prep /data /data
|
|
33
|
+
# Runtime-writable locations should be mounted as volumes in k8s; copy with nonroot ownership for distroless runtime.
|
|
34
|
+
COPY --chown=65532:65532 --from=prep /data /data
|
|
35
35
|
|
|
36
36
|
# Copy application code.
|
|
37
37
|
COPY src ./src
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "settld",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.6",
|
|
4
4
|
"description": "Settld kernel CLI and local control-plane tooling",
|
|
5
5
|
"private": false,
|
|
6
6
|
"type": "module",
|
|
@@ -21,6 +21,7 @@
|
|
|
21
21
|
"docker-compose.yml",
|
|
22
22
|
"bin",
|
|
23
23
|
"conformance",
|
|
24
|
+
"packages/api-sdk/src",
|
|
24
25
|
"packages/artifact-verify/src",
|
|
25
26
|
"scripts",
|
|
26
27
|
"docs",
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
# settld-api-sdk
|
|
2
|
+
|
|
3
|
+
Node/TypeScript SDK for Settld API + x402 helpers.
|
|
4
|
+
|
|
5
|
+
## Webhook Signature Verification
|
|
6
|
+
|
|
7
|
+
Use `verifySettldWebhookSignature` to verify incoming `x-settld-signature` headers with:
|
|
8
|
+
|
|
9
|
+
- multi-signature support (`v1=...` list, including rotation windows),
|
|
10
|
+
- constant-time comparison (`crypto.timingSafeEqual`),
|
|
11
|
+
- timestamp tolerance checks (replay protection).
|
|
12
|
+
|
|
13
|
+
```js
|
|
14
|
+
import express from "express";
|
|
15
|
+
import { verifySettldWebhookSignature } from "settld-api-sdk";
|
|
16
|
+
|
|
17
|
+
const app = express();
|
|
18
|
+
|
|
19
|
+
// IMPORTANT: keep the raw body; do not JSON-parse before verification.
|
|
20
|
+
app.post("/webhooks/settld", express.raw({ type: "application/json" }), (req, res) => {
|
|
21
|
+
const signatureHeader = req.get("x-settld-signature") ?? "";
|
|
22
|
+
const timestamp = req.get("x-settld-timestamp"); // required for current Settld delivery format
|
|
23
|
+
const secret = process.env.SETTLD_WEBHOOK_SECRET;
|
|
24
|
+
|
|
25
|
+
verifySettldWebhookSignature(req.body, signatureHeader, secret, {
|
|
26
|
+
timestamp,
|
|
27
|
+
toleranceSeconds: 300
|
|
28
|
+
});
|
|
29
|
+
|
|
30
|
+
const event = JSON.parse(req.body.toString("utf8"));
|
|
31
|
+
// handle event...
|
|
32
|
+
res.status(200).json({ ok: true });
|
|
33
|
+
});
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
The verifier also supports signature headers that embed timestamp directly:
|
|
37
|
+
|
|
38
|
+
`x-settld-signature: t=1708380000,v1=<sig-new>,v1=<sig-old>`
|
|
39
|
+
|
|
40
|
+
## Express Middleware Helper
|
|
41
|
+
|
|
42
|
+
Use `verifySettldWebhook` to verify signatures in an Express-style middleware.
|
|
43
|
+
|
|
44
|
+
```js
|
|
45
|
+
import express from "express";
|
|
46
|
+
import { verifySettldWebhook } from "settld-api-sdk";
|
|
47
|
+
|
|
48
|
+
const app = express();
|
|
49
|
+
const secret = process.env.SETTLD_WEBHOOK_SECRET;
|
|
50
|
+
|
|
51
|
+
// IMPORTANT: preserve raw body bytes before JSON parsing mutates payload shape.
|
|
52
|
+
app.use(
|
|
53
|
+
express.json({
|
|
54
|
+
verify(req, _res, buf) {
|
|
55
|
+
req.rawBody = buf;
|
|
56
|
+
}
|
|
57
|
+
})
|
|
58
|
+
);
|
|
59
|
+
|
|
60
|
+
app.post(
|
|
61
|
+
"/webhooks/settld",
|
|
62
|
+
verifySettldWebhook(secret, { toleranceSeconds: 300 }),
|
|
63
|
+
(req, res) => {
|
|
64
|
+
const event = req.body;
|
|
65
|
+
// handle event...
|
|
66
|
+
res.status(200).json({ ok: true });
|
|
67
|
+
}
|
|
68
|
+
);
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
If `req.rawBody` is missing (or `req.body` is already parsed into a plain object), the middleware returns `400` with a raw-body guidance message.
|