stream-chat 9.43.2 → 9.44.0

package/dist/types/client.d.ts

@@ -1246,6 +1246,38 @@ export declare class StreamChat {
      * @returns {boolean}
      */
     verifyWebhook(requestBody: string | Buffer, xSignature: string): boolean;
+    /**
+     * Verify and parse an HTTP webhook event.
+     *
+     * Decompresses `rawBody` when gzipped (detected from the body bytes),
+     * verifies the `X-Signature` header against the app's API secret, and
+     * returns the parsed `Event`. Works whether or not Stream is currently
+     * compressing payloads for this app, and stays correct behind
+     * middleware that auto-decompresses the request.
+     *
+     * @param rawBody Raw HTTP request body bytes Stream signed
+     * @param signature Value of the `X-Signature` header
+     * @throws {InvalidWebhookError} When the signature does not match or
+     *   the gzip envelope is malformed.
+     */
+    verifyAndParseWebhook(rawBody: string | Buffer, signature: string): Event;
+    /**
+     * Parse an SQS firehose event: decodes the message `Body` (base64 +
+     * optional gzip) and returns the parsed `Event`. No HMAC verification
+     * (Stream does not sign SQS bodies).
+     *
+     * @param messageBody SQS message `Body` string
+     * @throws {InvalidWebhookError} When the base64 / gzip envelope is malformed.
+     */
+    parseSqs(messageBody: string): Event;
+    /**
+     * Parse an SNS-delivered event (unwraps envelope JSON when needed, then
+     * same decode path as SQS). No HMAC verification.
+     *
+     * @param notificationBody Raw SNS POST body or pre-extracted `Message` string
+     * @throws {InvalidWebhookError} When the envelope cannot be decoded.
+     */
+    parseSns(notificationBody: string): Event;
     /** getPermission - gets the definition for a permission
      *
      * @param {string} name

package/dist/types/signing.d.ts

@@ -1,5 +1,5 @@
 import jwt from 'jsonwebtoken';
-import type { UR } from './types';
+import type { Event, UR } from './types';
 /**
  * Creates the JWT token that can be used for a UserSession
  * @method JWTUserToken
@@ -21,10 +21,104 @@ export declare function UserFromToken(token: string): string;
  */
 export declare function DevToken(userId: string): string;
 /**
+ * Constant-time HMAC-SHA256 verification of `signature` against the
+ * digest of `body` using `secret` as the key. The signature is always
+ * computed over the **uncompressed** JSON bytes, so callers that
+ * decoded a gzipped or base64-wrapped payload must pass the inflated
+ * bytes here.
  *
- * @param {string | Buffer} body the signed message
- * @param {string} secret the shared secret used to generate the signature (Stream API secret)
- * @param {string} signature the signature to validate
- * @return {boolean}
+ * The legacy `client.verifyWebhook` helper wraps this function, so
+ * callers that have already migrated to `verifyAndParseWebhook`,
+ * `parseSqs`, or `parseSns` rarely need to invoke this
+ * directly.
+ */
+export declare function verifySignature(body: string | Buffer, signature: string, secret: string): boolean;
+/**
+ * @deprecated Use {@link verifySignature} - same logic, parameters
+ * reordered to match the cross-SDK contract
+ * (`verifySignature(body, signature, secret)`).
  */
 export declare function CheckSignature(body: string | Buffer, secret: string, signature: string): boolean;
+/**
+ * Canonical failure-mode messages for {@link InvalidWebhookError}.
+ *
+ * Customers that prefer exact-match filtering (security logging, retry
+ * policy) over substring matches can compare `err.message` to these
+ * constants instead of pattern-matching free-form text.
+ */
+export declare const InvalidWebhookErrorMessages: {
+    readonly signatureMismatch: "signature mismatch";
+    readonly invalidBase64: "invalid base64 encoding";
+    readonly gzipFailed: "gzip decompression failed";
+    readonly invalidJson: "invalid JSON payload";
+};
+/**
+ * Thrown by {@link verifyAndParseWebhook} when the supplied `x-signature` does not
+ * match the HMAC of the uncompressed payload, and by all webhook helpers (including
+ * {@link parseSqs} / {@link parseSns}) when a gzip / base64 / JSON envelope is malformed.
+ *
+ * The message identifies which failure mode fired. See
+ * {@link InvalidWebhookErrorMessages} for the canonical strings.
+ */
+export declare class InvalidWebhookError extends Error {
+    name: string;
+    constructor(message?: string);
+}
+/**
+ * Returns `body` as a `Buffer`, gzip-decompressed when its first two
+ * bytes match the gzip magic (`1f 8b`, per RFC 1952). When the body is
+ * plain JSON (no compression, or middleware already decompressed), the
+ * bytes are returned unchanged.
+ *
+ * Magic-byte detection (rather than relying on a header) keeps the
+ * same handler correct when middleware - Express, Next.js, AWS Lambda
+ * - auto-decompresses the request before your code sees it.
+ */
+export declare function gunzipPayload(rawBody: string | Buffer): Buffer;
+/**
+ * Reverses the SQS firehose envelope: the message `Body` is
+ * base64-decoded, then the result is gzip-decompressed when it begins
+ * with the gzip magic. Returns the raw JSON `Buffer` Stream signed.
+ *
+ * SQS bodies are always base64-encoded so they remain valid UTF-8 over
+ * the queue. The same call works whether or not Stream is currently
+ * compressing payloads for this app.
+ */
+export declare function decodeSqsPayload(body: string): Buffer;
+/**
+ * Reverses an SNS HTTP notification envelope. When `notificationBody`
+ * is a JSON envelope (`{"Type":"Notification","Message":"..."}`), the
+ * inner `Message` field is extracted and run through the SQS pipeline
+ * (base64-decode, then gzip-if-magic). When the input is not a JSON
+ * envelope it is treated as the already-extracted `Message` string,
+ * so call sites that pre-unwrap continue to work.
+ */
+export declare function decodeSnsPayload(notificationBody: string): Buffer;
+/**
+ * Parse a JSON-encoded webhook event into a typed {@link Event}. New
+ * event types Stream introduces still parse successfully - the runtime
+ * shape is the JSON Stream sent and the `type` field stays preserved.
+ */
+export declare function parseEvent(payload: Buffer | string): Event;
+/**
+ * Decompress (when gzipped), verify the HMAC `signature`, and return
+ * the parsed {@link Event}.
+ *
+ * @param rawBody Raw HTTP request body bytes Stream signed
+ * @param signature Value of the `X-Signature` header
+ * @param secret Your app's API secret
+ * @throws {InvalidWebhookError} When the signature does not match or
+ *   the gzip envelope is malformed.
+ */
+export declare function verifyAndParseWebhook(rawBody: string | Buffer, signature: string, secret: string): Event;
+/**
+ * Decode the SQS message `Body` (base64, then gzip-if-magic) and return
+ * the parsed {@link Event}. Stream does not attach an application-level HMAC
+ * to SQS deliveries — use {@link verifyAndParseWebhook} for HTTP webhooks.
+ */
+export declare function parseSqs(messageBody: string): Event;
+/**
+ * Decode an SNS notification (unwrap the JSON envelope when needed; same
+ * inner format as SQS). No application-level HMAC verification.
+ */
+export declare function parseSns(notificationBody: string): Event;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "stream-chat",
-  "version": "9.43.2",
+  "version": "9.44.0",
   "description": "JS SDK for the Stream Chat API",
   "homepage": "https://getstream.io/chat/",
   "author": {
@@ -31,6 +31,7 @@
   "browser": {
     "https": false,
     "crypto": false,
+    "zlib": false,
     "jsonwebtoken": false,
     "ws": false
   },

package/src/channel.ts

@@ -1438,7 +1438,9 @@ export class Channel {
     }
 
     // FIXME: see #1265, adjust and count new messages even when the channel is muted
-    if (this.muteStatus().muted) return false;
+    // Read mute state directly from the client to avoid _checkInitialized() — this method
+    // is invoked from _handleChannelEvent (e.g. message.new) before .watch() resolves.
+    if (this.getClient()._muteStatus(this.cid).muted) return false;
 
     return true;
   }

package/src/client.ts

@@ -9,7 +9,15 @@ import { Channel } from './channel';
 import { ClientState } from './client_state';
 import { StableWSConnection } from './connection';
 import { UploadManager } from './uploadManager';
-import { CheckSignature, DevToken, JWTUserToken } from './signing';
+import {
+  DevToken,
+  InvalidWebhookError,
+  JWTUserToken,
+  parseSns as parseSnsHelper,
+  parseSqs as parseSqsHelper,
+  verifyAndParseWebhook as verifyAndParseWebhookHelper,
+  verifySignature,
+} from './signing';
 import { TokenManager } from './token_manager';
 import { WSConnectionFallback } from './connection_fallback';
 import { Campaign } from './campaign';
@@ -3639,7 +3647,53 @@ export class StreamChat {
    * @returns {boolean}
    */
   verifyWebhook(requestBody: string | Buffer, xSignature: string) {
-    return !!this.secret && CheckSignature(requestBody, this.secret, xSignature);
+    return !!this.secret && verifySignature(requestBody, xSignature, this.secret);
+  }
+
+  /**
+   * Verify and parse an HTTP webhook event.
+   *
+   * Decompresses `rawBody` when gzipped (detected from the body bytes),
+   * verifies the `X-Signature` header against the app's API secret, and
+   * returns the parsed `Event`. Works whether or not Stream is currently
+   * compressing payloads for this app, and stays correct behind
+   * middleware that auto-decompresses the request.
+   *
+   * @param rawBody Raw HTTP request body bytes Stream signed
+   * @param signature Value of the `X-Signature` header
+   * @throws {InvalidWebhookError} When the signature does not match or
+   *   the gzip envelope is malformed.
+   */
+  verifyAndParseWebhook(rawBody: string | Buffer, signature: string) {
+    if (!this.secret) {
+      throw new InvalidWebhookError(
+        'cannot verify webhook signature without an API secret on the client',
+      );
+    }
+    return verifyAndParseWebhookHelper(rawBody, signature, this.secret);
+  }
+
+  /**
+   * Parse an SQS firehose event: decodes the message `Body` (base64 +
+   * optional gzip) and returns the parsed `Event`. No HMAC verification
+   * (Stream does not sign SQS bodies).
+   *
+   * @param messageBody SQS message `Body` string
+   * @throws {InvalidWebhookError} When the base64 / gzip envelope is malformed.
+   */
+  parseSqs(messageBody: string) {
+    return parseSqsHelper(messageBody);
+  }
+
+  /**
+   * Parse an SNS-delivered event (unwraps envelope JSON when needed, then
+   * same decode path as SQS). No HMAC verification.
+   *
+   * @param notificationBody Raw SNS POST body or pre-extracted `Message` string
+   * @throws {InvalidWebhookError} When the envelope cannot be decoded.
+   */
+  parseSns(notificationBody: string) {
+    return parseSnsHelper(notificationBody);
   }
 
   /** getPermission - gets the definition for a permission

package/src/messageComposer/messageComposer.ts

@@ -624,6 +624,7 @@ export class MessageComposer extends WithSubscriptions {
         draft.channel_cid !== this.channel.cid
       )
         return;
+      if (this.editedMessage) return;
       this.initState({ composition: draft });
     }).unsubscribe;
 
@@ -637,6 +638,7 @@ export class MessageComposer extends WithSubscriptions {
       ) {
         return;
       }
+      if (this.editedMessage) return;
 
       this.logDraftUpdateTimestamp();
 

package/src/signing.ts

@@ -1,7 +1,8 @@
 import jwt from 'jsonwebtoken';
 import crypto from 'crypto';
+import zlib from 'zlib';
 import { decodeBase64, encodeBase64 } from './base64';
-import type { UR } from './types';
+import type { Event, UR } from './types';
 
 /**
  * Creates the JWT token that can be used for a UserSession
@@ -84,19 +85,206 @@ export function DevToken(userId: string) {
 }
 
 /**
+ * Constant-time HMAC-SHA256 verification of `signature` against the
+ * digest of `body` using `secret` as the key. The signature is always
+ * computed over the **uncompressed** JSON bytes, so callers that
+ * decoded a gzipped or base64-wrapped payload must pass the inflated
+ * bytes here.
  *
- * @param {string | Buffer} body the signed message
- * @param {string} secret the shared secret used to generate the signature (Stream API secret)
- * @param {string} signature the signature to validate
- * @return {boolean}
+ * The legacy `client.verifyWebhook` helper wraps this function, so
+ * callers that have already migrated to `verifyAndParseWebhook`,
+ * `parseSqs`, or `parseSns` rarely need to invoke this
+ * directly.
  */
-export function CheckSignature(body: string | Buffer, secret: string, signature: string) {
+export function verifySignature(
+  body: string | Buffer,
+  signature: string,
+  secret: string,
+): boolean {
   const key = Buffer.from(secret, 'utf8');
   const hash = crypto.createHmac('sha256', key).update(body).digest('hex');
-
   try {
     return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(signature));
   } catch {
     return false;
   }
 }
+
+/**
+ * @deprecated Use {@link verifySignature} - same logic, parameters
+ * reordered to match the cross-SDK contract
+ * (`verifySignature(body, signature, secret)`).
+ */
+export function CheckSignature(body: string | Buffer, secret: string, signature: string) {
+  return verifySignature(body, signature, secret);
+}
+
+/**
+ * Canonical failure-mode messages for {@link InvalidWebhookError}.
+ *
+ * Customers that prefer exact-match filtering (security logging, retry
+ * policy) over substring matches can compare `err.message` to these
+ * constants instead of pattern-matching free-form text.
+ */
+export const InvalidWebhookErrorMessages = {
+  signatureMismatch: 'signature mismatch',
+  invalidBase64: 'invalid base64 encoding',
+  gzipFailed: 'gzip decompression failed',
+  invalidJson: 'invalid JSON payload',
+} as const;
+
+/**
+ * Thrown by {@link verifyAndParseWebhook} when the supplied `x-signature` does not
+ * match the HMAC of the uncompressed payload, and by all webhook helpers (including
+ * {@link parseSqs} / {@link parseSns}) when a gzip / base64 / JSON envelope is malformed.
+ *
+ * The message identifies which failure mode fired. See
+ * {@link InvalidWebhookErrorMessages} for the canonical strings.
+ */
+export class InvalidWebhookError extends Error {
+  public name = 'InvalidWebhookError';
+
+  constructor(message: string = InvalidWebhookErrorMessages.signatureMismatch) {
+    super(message);
+  }
+}
+
+/**
+ * Returns `body` as a `Buffer`, gzip-decompressed when its first two
+ * bytes match the gzip magic (`1f 8b`, per RFC 1952). When the body is
+ * plain JSON (no compression, or middleware already decompressed), the
+ * bytes are returned unchanged.
+ *
+ * Magic-byte detection (rather than relying on a header) keeps the
+ * same handler correct when middleware - Express, Next.js, AWS Lambda
+ * - auto-decompresses the request before your code sees it.
+ */
+export function gunzipPayload(rawBody: string | Buffer): Buffer {
+  const GZIP_MAGIC = Buffer.from([0x1f, 0x8b]);
+
+  const body = Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(rawBody);
+  if (body.length >= 2 && body.subarray(0, 2).equals(GZIP_MAGIC)) {
+    try {
+      return zlib.gunzipSync(body);
+    } catch {
+      throw new InvalidWebhookError(InvalidWebhookErrorMessages.gzipFailed);
+    }
+  }
+  return body;
+}
+
+/**
+ * Reverses the SQS firehose envelope: the message `Body` is
+ * base64-decoded, then the result is gzip-decompressed when it begins
+ * with the gzip magic. Returns the raw JSON `Buffer` Stream signed.
+ *
+ * SQS bodies are always base64-encoded so they remain valid UTF-8 over
+ * the queue. The same call works whether or not Stream is currently
+ * compressing payloads for this app.
+ */
+export function decodeSqsPayload(body: string): Buffer {
+  // Reject anything that isn't canonical base64 up front. Node's base64
+  // decoder is permissive (silently strips characters outside the
+  // alphabet, accepts both standard and URL-safe variants), so we have
+  // to be strict here to avoid silently corrupting the body before the
+  // signature check runs.
+  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(body) || body.length % 4 !== 0) {
+    throw new InvalidWebhookError(InvalidWebhookErrorMessages.invalidBase64);
+  }
+  const decoded = Buffer.from(body, 'base64');
+  if (decoded.toString('base64').length !== body.length) {
+    throw new InvalidWebhookError(InvalidWebhookErrorMessages.invalidBase64);
+  }
+  return gunzipPayload(decoded);
+}
+
+/**
+ * Reverses an SNS HTTP notification envelope. When `notificationBody`
+ * is a JSON envelope (`{"Type":"Notification","Message":"..."}`), the
+ * inner `Message` field is extracted and run through the SQS pipeline
+ * (base64-decode, then gzip-if-magic). When the input is not a JSON
+ * envelope it is treated as the already-extracted `Message` string,
+ * so call sites that pre-unwrap continue to work.
+ */
+export function decodeSnsPayload(notificationBody: string): Buffer {
+  const inner = extractSnsMessage(notificationBody);
+  return decodeSqsPayload(inner ?? notificationBody);
+}
+
+function extractSnsMessage(notificationBody: string): string | null {
+  const trimmed = notificationBody.replace(/^[\s\uFEFF]+/, '');
+  if (!trimmed.startsWith('{')) {
+    return null;
+  }
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+  if (
+    parsed === null ||
+    typeof parsed !== 'object' ||
+    Array.isArray(parsed) ||
+    typeof (parsed as { Message?: unknown }).Message !== 'string'
+  ) {
+    return null;
+  }
+  return (parsed as { Message: string }).Message;
+}
+
+/**
+ * Parse a JSON-encoded webhook event into a typed {@link Event}. New
+ * event types Stream introduces still parse successfully - the runtime
+ * shape is the JSON Stream sent and the `type` field stays preserved.
+ */
+export function parseEvent(payload: Buffer | string): Event {
+  const text = Buffer.isBuffer(payload) ? payload.toString('utf8') : payload;
+  try {
+    return JSON.parse(text) as Event;
+  } catch {
+    throw new InvalidWebhookError(InvalidWebhookErrorMessages.invalidJson);
+  }
+}
+
+function verifyAndParse(payload: Buffer, signature: string, secret: string): Event {
+  if (!verifySignature(payload, signature, secret)) {
+    throw new InvalidWebhookError(InvalidWebhookErrorMessages.signatureMismatch);
+  }
+  return parseEvent(payload);
+}
+
+/**
+ * Decompress (when gzipped), verify the HMAC `signature`, and return
+ * the parsed {@link Event}.
+ *
+ * @param rawBody Raw HTTP request body bytes Stream signed
+ * @param signature Value of the `X-Signature` header
+ * @param secret Your app's API secret
+ * @throws {InvalidWebhookError} When the signature does not match or
+ *   the gzip envelope is malformed.
+ */
+export function verifyAndParseWebhook(
+  rawBody: string | Buffer,
+  signature: string,
+  secret: string,
+): Event {
+  return verifyAndParse(gunzipPayload(rawBody), signature, secret);
+}
+
+/**
+ * Decode the SQS message `Body` (base64, then gzip-if-magic) and return
+ * the parsed {@link Event}. Stream does not attach an application-level HMAC
+ * to SQS deliveries — use {@link verifyAndParseWebhook} for HTTP webhooks.
+ */
+export function parseSqs(messageBody: string): Event {
+  return parseEvent(decodeSqsPayload(messageBody));
+}
+
+/**
+ * Decode an SNS notification (unwrap the JSON envelope when needed; same
+ * inner format as SQS). No application-level HMAC verification.
+ */
+export function parseSns(notificationBody: string): Event {
+  return parseEvent(decodeSnsPayload(notificationBody));
+}

package/src/utils.ts

@@ -479,7 +479,7 @@ export const deleteUserMessages = ({
           : (toDeletedMessage({ message, hardDelete, deletedAt }) as LocalMessage);
     }
 
-    if (message.quoted_message?.user?.id === user.id) {
+    if (messages[i].quoted_message && message.quoted_message?.user?.id === user.id) {
       messages[i].quoted_message =
         message.quoted_message.type === 'deleted'
           ? message.quoted_message