stream-chat 9.43.1 → 9.44.0

package/dist/types/client.d.ts

@@ -1246,6 +1246,38 @@ export declare class StreamChat {
      * @returns {boolean}
      */
     verifyWebhook(requestBody: string | Buffer, xSignature: string): boolean;
+    /**
+     * Verify and parse an HTTP webhook event.
+     *
+     * Decompresses `rawBody` when gzipped (detected from the body bytes),
+     * verifies the `X-Signature` header against the app's API secret, and
+     * returns the parsed `Event`. Works whether or not Stream is currently
+     * compressing payloads for this app, and stays correct behind
+     * middleware that auto-decompresses the request.
+     *
+     * @param rawBody Raw HTTP request body bytes Stream signed
+     * @param signature Value of the `X-Signature` header
+     * @throws {InvalidWebhookError} When the signature does not match or
+     *   the gzip envelope is malformed.
+     */
+    verifyAndParseWebhook(rawBody: string | Buffer, signature: string): Event;
+    /**
+     * Parse an SQS firehose event: decodes the message `Body` (base64 +
+     * optional gzip) and returns the parsed `Event`. No HMAC verification
+     * (Stream does not sign SQS bodies).
+     *
+     * @param messageBody SQS message `Body` string
+     * @throws {InvalidWebhookError} When the base64 / gzip envelope is malformed.
+     */
+    parseSqs(messageBody: string): Event;
+    /**
+     * Parse an SNS-delivered event (unwraps envelope JSON when needed, then
+     * same decode path as SQS). No HMAC verification.
+     *
+     * @param notificationBody Raw SNS POST body or pre-extracted `Message` string
+     * @throws {InvalidWebhookError} When the envelope cannot be decoded.
+     */
+    parseSns(notificationBody: string): Event;
     /** getPermission - gets the definition for a permission
      *
      * @param {string} name
@@ -2039,7 +2071,7 @@ export declare class StreamChat {
      *
      * @return {Promise<PredefinedFilterResponse>} The created predefined filter
      */
-    createPredefinedFilter(options: CreatePredefinedFilterOptions): Promise<PredefinedFilterResponse>;
+    createPredefinedFilter<F extends Record<string, unknown> = Record<string, unknown>>(options: CreatePredefinedFilterOptions<F>): Promise<PredefinedFilterResponse<F>>;
     /**
      * getPredefinedFilter - Gets a predefined filter by name (server-side only)
      *
@@ -2047,7 +2079,7 @@ export declare class StreamChat {
      *
      * @return {Promise<PredefinedFilterResponse>} The predefined filter
      */
-    getPredefinedFilter(name: string): Promise<PredefinedFilterResponse>;
+    getPredefinedFilter<F extends Record<string, unknown> = Record<string, unknown>>(name: string): Promise<PredefinedFilterResponse<F>>;
     /**
      * updatePredefinedFilter - Updates a predefined filter (server-side only)
      *
@@ -2056,7 +2088,7 @@ export declare class StreamChat {
      *
      * @return {Promise<PredefinedFilterResponse>} The updated predefined filter
      */
-    updatePredefinedFilter(name: string, options: UpdatePredefinedFilterOptions): Promise<PredefinedFilterResponse>;
+    updatePredefinedFilter<F extends Record<string, unknown> = Record<string, unknown>>(name: string, options: UpdatePredefinedFilterOptions<F>): Promise<PredefinedFilterResponse<F>>;
     /**
      * deletePredefinedFilter - Deletes a predefined filter (server-side only)
      *
@@ -2072,7 +2104,7 @@ export declare class StreamChat {
      *
      * @return {Promise<ListPredefinedFiltersResponse>} The list of predefined filters
      */
-    listPredefinedFilters(options?: ListPredefinedFiltersOptions): Promise<ListPredefinedFiltersResponse>;
+    listPredefinedFilters<F extends Record<string, unknown> = Record<string, unknown>>(options?: ListPredefinedFiltersOptions): Promise<ListPredefinedFiltersResponse<F>>;
     /**
      * setRetentionPolicy - Creates or updates a retention policy for the app.
      * Server-side only.

package/dist/types/messageComposer/middleware/textComposer/index.d.ts

@@ -2,6 +2,7 @@ export * from './activeCommandGuard';
 export * from './commands';
 export * from './commandEffects';
 export * from './commandStringExtraction';
+export * from './commandUtils';
 export * from './mentions';
 export * from './validation';
 export * from './TextComposerMiddlewareExecutor';

package/dist/types/signing.d.ts

@@ -1,5 +1,5 @@
 import jwt from 'jsonwebtoken';
-import type { UR } from './types';
+import type { Event, UR } from './types';
 /**
  * Creates the JWT token that can be used for a UserSession
  * @method JWTUserToken
@@ -21,10 +21,104 @@ export declare function UserFromToken(token: string): string;
  */
 export declare function DevToken(userId: string): string;
 /**
+ * Constant-time HMAC-SHA256 verification of `signature` against the
+ * digest of `body` using `secret` as the key. The signature is always
+ * computed over the **uncompressed** JSON bytes, so callers that
+ * decoded a gzipped or base64-wrapped payload must pass the inflated
+ * bytes here.
  *
- * @param {string | Buffer} body the signed message
- * @param {string} secret the shared secret used to generate the signature (Stream API secret)
- * @param {string} signature the signature to validate
- * @return {boolean}
+ * The legacy `client.verifyWebhook` helper wraps this function, so
+ * callers that have already migrated to `verifyAndParseWebhook`,
+ * `parseSqs`, or `parseSns` rarely need to invoke this
+ * directly.
+ */
+export declare function verifySignature(body: string | Buffer, signature: string, secret: string): boolean;
+/**
+ * @deprecated Use {@link verifySignature} - same logic, parameters
+ * reordered to match the cross-SDK contract
+ * (`verifySignature(body, signature, secret)`).
  */
 export declare function CheckSignature(body: string | Buffer, secret: string, signature: string): boolean;
+/**
+ * Canonical failure-mode messages for {@link InvalidWebhookError}.
+ *
+ * Customers that prefer exact-match filtering (security logging, retry
+ * policy) over substring matches can compare `err.message` to these
+ * constants instead of pattern-matching free-form text.
+ */
+export declare const InvalidWebhookErrorMessages: {
+    readonly signatureMismatch: "signature mismatch";
+    readonly invalidBase64: "invalid base64 encoding";
+    readonly gzipFailed: "gzip decompression failed";
+    readonly invalidJson: "invalid JSON payload";
+};
+/**
+ * Thrown by {@link verifyAndParseWebhook} when the supplied `x-signature` does not
+ * match the HMAC of the uncompressed payload, and by all webhook helpers (including
+ * {@link parseSqs} / {@link parseSns}) when a gzip / base64 / JSON envelope is malformed.
+ *
+ * The message identifies which failure mode fired. See
+ * {@link InvalidWebhookErrorMessages} for the canonical strings.
+ */
+export declare class InvalidWebhookError extends Error {
+    name: string;
+    constructor(message?: string);
+}
+/**
+ * Returns `body` as a `Buffer`, gzip-decompressed when its first two
+ * bytes match the gzip magic (`1f 8b`, per RFC 1952). When the body is
+ * plain JSON (no compression, or middleware already decompressed), the
+ * bytes are returned unchanged.
+ *
+ * Magic-byte detection (rather than relying on a header) keeps the
+ * same handler correct when middleware - Express, Next.js, AWS Lambda
+ * - auto-decompresses the request before your code sees it.
+ */
+export declare function gunzipPayload(rawBody: string | Buffer): Buffer;
+/**
+ * Reverses the SQS firehose envelope: the message `Body` is
+ * base64-decoded, then the result is gzip-decompressed when it begins
+ * with the gzip magic. Returns the raw JSON `Buffer` Stream signed.
+ *
+ * SQS bodies are always base64-encoded so they remain valid UTF-8 over
+ * the queue. The same call works whether or not Stream is currently
+ * compressing payloads for this app.
+ */
+export declare function decodeSqsPayload(body: string): Buffer;
+/**
+ * Reverses an SNS HTTP notification envelope. When `notificationBody`
+ * is a JSON envelope (`{"Type":"Notification","Message":"..."}`), the
+ * inner `Message` field is extracted and run through the SQS pipeline
+ * (base64-decode, then gzip-if-magic). When the input is not a JSON
+ * envelope it is treated as the already-extracted `Message` string,
+ * so call sites that pre-unwrap continue to work.
+ */
+export declare function decodeSnsPayload(notificationBody: string): Buffer;
+/**
+ * Parse a JSON-encoded webhook event into a typed {@link Event}. New
+ * event types Stream introduces still parse successfully - the runtime
+ * shape is the JSON Stream sent and the `type` field stays preserved.
+ */
+export declare function parseEvent(payload: Buffer | string): Event;
+/**
+ * Decompress (when gzipped), verify the HMAC `signature`, and return
+ * the parsed {@link Event}.
+ *
+ * @param rawBody Raw HTTP request body bytes Stream signed
+ * @param signature Value of the `X-Signature` header
+ * @param secret Your app's API secret
+ * @throws {InvalidWebhookError} When the signature does not match or
+ *   the gzip envelope is malformed.
+ */
+export declare function verifyAndParseWebhook(rawBody: string | Buffer, signature: string, secret: string): Event;
+/**
+ * Decode the SQS message `Body` (base64, then gzip-if-magic) and return
+ * the parsed {@link Event}. Stream does not attach an application-level HMAC
+ * to SQS deliveries — use {@link verifyAndParseWebhook} for HTTP webhooks.
+ */
+export declare function parseSqs(messageBody: string): Event;
+/**
+ * Decode an SNS notification (unwrap the JSON envelope when needed; same
+ * inner format as SQS). No application-level HMAC verification.
+ */
+export declare function parseSns(notificationBody: string): Event;

package/dist/types/types.d.ts

@@ -900,13 +900,29 @@ export type ChannelOptions = {
     user_id?: string;
     watch?: boolean;
     /**
-     * Name of a predefined filter to use instead of filter_conditions.
-     * When provided, filter_conditions and sort parameters are ignored.
+     * Name of a predefined filter to use instead of sending raw
+     * `filter_conditions`.
+     *
+     * The backend resolves the filter template by name and interpolates it using
+     * `filter_values`.
+     *
+     * A regular `sort` can still be passed to `queryChannels()`, but backend
+     * precedence rules apply:
+     *
+     * - if the predefined filter has its own stored sort template, that stored
+     *   sort takes precedence and the request `sort` is ignored
+     * - if the predefined filter does not define a sort template, the request
+     *   `sort` can still be used
      */
     predefined_filter?: string;
     /**
-     * Values to interpolate into the predefined filter template placeholders.
-     * Only used when predefined_filter is provided.
+     * Values used to interpolate placeholders inside the predefined filter's
+     * `filter` template.
+     *
+     * Example: a template value like `{{user_id}}` can be resolved with
+     * `{ user_id: 'alice' }`.
+     *
+     * Only used when `predefined_filter` is provided.
      */
     filter_values?: Record<string, unknown>;
     /**
@@ -3510,33 +3526,114 @@ export type UpdateChannelsBatchResponse = {
  */
 export type PredefinedFilterOperation = 'QueryChannels';
 export type PredefinedFilterSortParam = {
+    /**
+     * Field name to sort by.
+     *
+     * This may be a literal field name such as `created_at`, or a placeholder
+     * template such as `{{sort_field}}` that will be interpolated server-side.
+     */
     field: string;
+    /**
+     * Sort direction. `1` means ascending and `-1` means descending.
+     *
+     * The backend defaults this to `1` when omitted.
+     */
     direction?: AscDesc;
+    /**
+     * Optional server-side hint describing how the sort field value should be
+     * interpreted.
+     *
+     * This is mainly relevant for predefined-filter sort templates and is not
+     * part of the regular `queryChannels()` sort shape. Omitting it uses the
+     * backend default string behavior. Known backend values include:
+     *
+     * - `number`: cast custom-field values to numeric before sorting
+     * - `boolean`: cast custom-field values to boolean before sorting
+     *
+     * Other values are backend-defined. In most cases this should be omitted
+     * unless you are sorting by a custom field whose stored JSON value is not
+     * string-like.
+     */
     type?: string;
 };
-export type PredefinedFilter = {
+/**
+ * Stored predefined filter definition as returned by the server.
+ *
+ * `F` represents the raw filter template shape. It defaults to a generic record
+ * because predefined filters are server-managed templates and may include
+ * placeholders or app-specific structures.
+ */
+export type PredefinedFilter<F extends Record<string, unknown> = Record<string, unknown>> = {
+    /**
+     * Unique predefined filter name within the app.
+     */
     name: string;
+    /**
+     * Operation this predefined filter is valid for.
+     */
     operation: PredefinedFilterOperation;
-    filter: Record<string, unknown>;
+    /**
+     * Filter template stored on the server.
+     *
+     * This is not necessarily the fully interpolated runtime filter; placeholder
+     * values such as `{{user_id}}` may still be present.
+     */
+    filter: F;
+    /**
+     * Server creation timestamp in ISO-8601 format.
+     */
     created_at: string;
+    /**
+     * Server update timestamp in ISO-8601 format.
+     */
     updated_at: string;
+    /**
+     * Optional human-readable description.
+     */
     description?: string;
+    /**
+     * Optional sort template stored with the predefined filter.
+     */
     sort?: PredefinedFilterSortParam[];
+    /**
+     * Query identifier generated by the backend for the filter/sort pattern.
+     *
+     * The exact value is backend-generated and primarily useful for correlating
+     * predefined filters with query analysis / query performance data.
+     */
     query_id?: number;
 };
-export type CreatePredefinedFilterOptions = {
+export type CreatePredefinedFilterOptions<F extends Record<string, unknown> = Record<string, unknown>> = {
+    /**
+     * Unique predefined filter name.
+     */
     name: string;
+    /**
+     * Operation this predefined filter will be used with.
+     */
     operation: PredefinedFilterOperation;
-    filter: Record<string, unknown>;
+    /**
+     * Filter template to store on the server.
+     */
+    filter: F;
+    /**
+     * Optional human-readable description.
+     */
     description?: string;
+    /**
+     * Optional sort template stored with the predefined filter.
+     */
     sort?: PredefinedFilterSortParam[];
 };
-export type UpdatePredefinedFilterOptions = Omit<CreatePredefinedFilterOptions, 'name'>;
-export type PredefinedFilterResponse = APIResponse & {
-    predefined_filter: PredefinedFilter;
+export type UpdatePredefinedFilterOptions<F extends Record<string, unknown> = Record<string, unknown>> = Omit<CreatePredefinedFilterOptions<F>, 'name'>;
+export type PredefinedFilterResponse<F extends Record<string, unknown> = Record<string, unknown>> = APIResponse & {
+    predefined_filter: PredefinedFilter<F>;
 };
-export type ListPredefinedFiltersResponse = APIResponse & {
-    predefined_filters: PredefinedFilter[];
+/**
+ * Paginated response returned when listing predefined filters.
+ */
+export type ListPredefinedFiltersResponse<F extends Record<string, unknown> = Record<string, unknown>> = APIResponse & {
+    predefined_filters: PredefinedFilter<F>[];
     next?: string;
     prev?: string;
 };
@@ -3544,9 +3641,18 @@ export type ListPredefinedFiltersResponse = APIResponse & {
  * Contains the interpolated filter and sort from a predefined filter.
  * This is returned in the QueryChannels response when using a predefined filter.
  */
-export type ParsedPredefinedFilterResponse = {
+export type ParsedPredefinedFilterResponse<F extends Record<string, unknown> = Record<string, unknown>> = {
+    /**
+     * Name of the predefined filter that was resolved.
+     */
     name: string;
-    filter: Record<string, unknown>;
+    /**
+     * Fully interpolated filter that the backend executed.
+     */
+    filter: F;
+    /**
+     * Fully interpolated sort parameters resolved from the predefined filter.
+     */
     sort?: PredefinedFilterSortParam[];
 };
 export type PredefinedFilterSort = SortParam[];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "stream-chat",
-  "version": "9.43.1",
+  "version": "9.44.0",
   "description": "JS SDK for the Stream Chat API",
   "homepage": "https://getstream.io/chat/",
   "author": {
@@ -31,6 +31,7 @@
   "browser": {
     "https": false,
     "crypto": false,
+    "zlib": false,
     "jsonwebtoken": false,
     "ws": false
   },

package/src/channel.ts

@@ -1438,7 +1438,9 @@ export class Channel {
     }
 
     // FIXME: see #1265, adjust and count new messages even when the channel is muted
-    if (this.muteStatus().muted) return false;
+    // Read mute state directly from the client to avoid _checkInitialized() — this method
+    // is invoked from _handleChannelEvent (e.g. message.new) before .watch() resolves.
+    if (this.getClient()._muteStatus(this.cid).muted) return false;
 
     return true;
   }

package/src/client.ts

@@ -9,7 +9,15 @@ import { Channel } from './channel';
 import { ClientState } from './client_state';
 import { StableWSConnection } from './connection';
 import { UploadManager } from './uploadManager';
-import { CheckSignature, DevToken, JWTUserToken } from './signing';
+import {
+  DevToken,
+  InvalidWebhookError,
+  JWTUserToken,
+  parseSns as parseSnsHelper,
+  parseSqs as parseSqsHelper,
+  verifyAndParseWebhook as verifyAndParseWebhookHelper,
+  verifySignature,
+} from './signing';
 import { TokenManager } from './token_manager';
 import { WSConnectionFallback } from './connection_fallback';
 import { Campaign } from './campaign';
@@ -1907,6 +1915,7 @@ export class StreamChat {
     }
 
     const { predefined_filter, filter_values, sort_values, ...restOptions } = options;
+    const normalizedSort = normalizeQuerySort(sort);
 
     // Build payload based on whether we're using a predefined filter or traditional filters
     const payload = predefined_filter
@@ -1914,12 +1923,13 @@ export class StreamChat {
           predefined_filter,
           filter_values,
           sort_values,
+          sort: normalizedSort,
           ...defaultOptions,
           ...restOptions,
         }
       : {
           filter_conditions: filterConditions,
-          sort: normalizeQuerySort(sort),
+          sort: normalizedSort,
           ...defaultOptions,
           ...restOptions,
         };
@@ -1929,6 +1939,9 @@ export class StreamChat {
       payload,
     );
 
+    // FIXME: In the next major release, return the full QueryChannelsAPIResponse
+    // instead of only `data.channels` so top-level metadata such as
+    // `predefined_filter` is not lost.
     return data.channels;
   }
 
@@ -3634,7 +3647,53 @@ export class StreamChat {
    * @returns {boolean}
    */
   verifyWebhook(requestBody: string | Buffer, xSignature: string) {
-    return !!this.secret && CheckSignature(requestBody, this.secret, xSignature);
+    return !!this.secret && verifySignature(requestBody, xSignature, this.secret);
+  }
+
+  /**
+   * Verify and parse an HTTP webhook event.
+   *
+   * Decompresses `rawBody` when gzipped (detected from the body bytes),
+   * verifies the `X-Signature` header against the app's API secret, and
+   * returns the parsed `Event`. Works whether or not Stream is currently
+   * compressing payloads for this app, and stays correct behind
+   * middleware that auto-decompresses the request.
+   *
+   * @param rawBody Raw HTTP request body bytes Stream signed
+   * @param signature Value of the `X-Signature` header
+   * @throws {InvalidWebhookError} When the signature does not match or
+   *   the gzip envelope is malformed.
+   */
+  verifyAndParseWebhook(rawBody: string | Buffer, signature: string) {
+    if (!this.secret) {
+      throw new InvalidWebhookError(
+        'cannot verify webhook signature without an API secret on the client',
+      );
+    }
+    return verifyAndParseWebhookHelper(rawBody, signature, this.secret);
+  }
+
+  /**
+   * Parse an SQS firehose event: decodes the message `Body` (base64 +
+   * optional gzip) and returns the parsed `Event`. No HMAC verification
+   * (Stream does not sign SQS bodies).
+   *
+   * @param messageBody SQS message `Body` string
+   * @throws {InvalidWebhookError} When the base64 / gzip envelope is malformed.
+   */
+  parseSqs(messageBody: string) {
+    return parseSqsHelper(messageBody);
+  }
+
+  /**
+   * Parse an SNS-delivered event (unwraps envelope JSON when needed, then
+   * same decode path as SQS). No HMAC verification.
+   *
+   * @param notificationBody Raw SNS POST body or pre-extracted `Message` string
+   * @throws {InvalidWebhookError} When the envelope cannot be decoded.
+   */
+  parseSns(notificationBody: string) {
+    return parseSnsHelper(notificationBody);
   }
 
   /** getPermission - gets the definition for a permission
@@ -4981,9 +5040,11 @@ export class StreamChat {
    *
    * @return {Promise<PredefinedFilterResponse>} The created predefined filter
    */
-  async createPredefinedFilter(options: CreatePredefinedFilterOptions) {
+  async createPredefinedFilter<
+    F extends Record<string, unknown> = Record<string, unknown>,
+  >(options: CreatePredefinedFilterOptions<F>) {
     this.validateServerSideAuth();
-    return await this.post<PredefinedFilterResponse>(
+    return await this.post<PredefinedFilterResponse<F>>(
       `${this.baseURL}/predefined_filters`,
       options,
     );
@@ -4996,9 +5057,11 @@ export class StreamChat {
    *
    * @return {Promise<PredefinedFilterResponse>} The predefined filter
    */
-  async getPredefinedFilter(name: string) {
+  async getPredefinedFilter<F extends Record<string, unknown> = Record<string, unknown>>(
+    name: string,
+  ) {
     this.validateServerSideAuth();
-    return await this.get<PredefinedFilterResponse>(
+    return await this.get<PredefinedFilterResponse<F>>(
       `${this.baseURL}/predefined_filters/${encodeURIComponent(name)}`,
     );
   }
@@ -5011,9 +5074,11 @@ export class StreamChat {
    *
    * @return {Promise<PredefinedFilterResponse>} The updated predefined filter
    */
-  async updatePredefinedFilter(name: string, options: UpdatePredefinedFilterOptions) {
+  async updatePredefinedFilter<
+    F extends Record<string, unknown> = Record<string, unknown>,
+  >(name: string, options: UpdatePredefinedFilterOptions<F>) {
     this.validateServerSideAuth();
-    return await this.put<PredefinedFilterResponse>(
+    return await this.put<PredefinedFilterResponse<F>>(
       `${this.baseURL}/predefined_filters/${encodeURIComponent(name)}`,
       options,
     );
@@ -5040,10 +5105,12 @@ export class StreamChat {
    *
    * @return {Promise<ListPredefinedFiltersResponse>} The list of predefined filters
    */
-  async listPredefinedFilters(options: ListPredefinedFiltersOptions = {}) {
+  async listPredefinedFilters<
+    F extends Record<string, unknown> = Record<string, unknown>,
+  >(options: ListPredefinedFiltersOptions = {}) {
     this.validateServerSideAuth();
     const { sort, ...paginationOptions } = options;
-    return await this.get<ListPredefinedFiltersResponse>(
+    return await this.get<ListPredefinedFiltersResponse<F>>(
       `${this.baseURL}/predefined_filters`,
       {
         ...paginationOptions,

package/src/messageComposer/messageComposer.ts

@@ -624,6 +624,7 @@ export class MessageComposer extends WithSubscriptions {
         draft.channel_cid !== this.channel.cid
       )
         return;
+      if (this.editedMessage) return;
       this.initState({ composition: draft });
     }).unsubscribe;
 
@@ -637,6 +638,7 @@ export class MessageComposer extends WithSubscriptions {
       ) {
         return;
       }
+      if (this.editedMessage) return;
 
       this.logDraftUpdateTimestamp();
 

package/src/messageComposer/middleware/textComposer/index.ts

@@ -2,6 +2,7 @@ export * from './activeCommandGuard';
 export * from './commands';
 export * from './commandEffects';
 export * from './commandStringExtraction';
+export * from './commandUtils';
 export * from './mentions';
 export * from './validation';
 export * from './TextComposerMiddlewareExecutor';