diff --git a/.fernignore b/.fernignore index 22869d5..4c4abe8 100644 --- a/.fernignore +++ b/.fernignore @@ -2,3 +2,5 @@ README.md jsr.json +src/utils.ts +tests/webhooks/verify.test.ts diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..2ac5d4a --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright 2024 Hookdeck Technologies Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/package.json b/package.json index ad6c4f4..cb268ed 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,7 @@ { "name": "@hookdeck/sdk", "version": "0.2.0", + "license": "Apache-2.0", "private": false, "repository": "https://github.com/hookdeck/hookdeck-typescript-sdk", "main": "./index.js", @@ -12,22 +13,22 @@ "test": "jest" }, "dependencies": { - "url-join": "4.0.1", "form-data": "4.0.0", + "js-base64": "3.7.2", "node-fetch": "2.7.0", "qs": "6.11.2", - "js-base64": "3.7.2" + "url-join": "4.0.1" }, "devDependencies": { - "@types/url-join": "4.0.1", - "@types/qs": "6.9.8", - "@types/node-fetch": "2.6.9", - "jest": "29.7.0", "@types/jest": "29.5.5", - "ts-jest": "29.1.1", - "jest-environment-jsdom": "29.7.0", "@types/node": "17.0.33", - "prettier": "2.7.1", + "@types/node-fetch": "2.6.9", + "@types/qs": "6.9.8", + "@types/url-join": "4.0.1", + "jest": "^29.7.0", + "jest-environment-jsdom": "29.7.0", + "prettier": "^2.7.1", + "ts-jest": "29.1.1", "typescript": "4.6.4" } } diff --git a/src/webhooks/helpers.ts b/src/webhooks/helpers.ts new file mode 100644 index 0000000..de90951 --- /dev/null +++ b/src/webhooks/helpers.ts @@ -0,0 +1,127 @@ +const { webcrypto } = require("node:crypto"); +const { subtle } = webcrypto; + +const ALGORITHM = { name: "HMAC", hash: "SHA-256" }; + +const createSHA256Signature = async ({ signingSecret, data }: { signingSecret: string; data: string }) => { + const enc = new TextEncoder(); + + let key = await subtle.importKey("raw", enc.encode(signingSecret), ALGORITHM, false, ["sign"]); + let signatureBuffer = await subtle.sign(ALGORITHM.name, key, enc.encode(data)); + let signature = Buffer.from(signatureBuffer).toString("base64"); + + return signature; +}; + +/** + * Error thrown when there are problems with the parameters used to verify webhooks. + */ +export class HookdeckWebhookVerificationParameterError extends Error { + constructor(message: string) { + super(message); + this.name = this.constructor.name; + Object.setPrototypeOf(this, HookdeckWebhookVerificationParameterError.prototype); + } +} + +export const HOOKDECK_HEADERS = { + SIGNATURE: "x-hookdeck-signature", + SECONDARY_SIGNATURE: "x-hookdeck-signature-2", + VERIFIED_FLAG: "x-hookdeck-verified", +}; + +export type HookdeckWebhookVerificationConfig = { + checkSourceVerification?: boolean; +}; + +export type HookdeckWebhookVerificationArguments = { + headers: { [key: string]: string }; + rawBody: string; + signingSecret: string; + config?: HookdeckWebhookVerificationConfig; +}; + +export type HookdeckWebhookVerificationResult = { + isValidSignature: boolean; +}; + +/** + * Verify the Hookdeck webhook signature. + * + * @example + * const headers = request.headers; + * const rawBody = await request.text(); + * const result = await verifyWebhookSignature({ + * headers, + * rawBody, + * signingSecret: process.env.HOOKDECK_SIGNING_SECRET, + * }) + * + * if(!result.isValidSignature) { + * // Reject the webhook payload + * } + * else { + * // Proceed with the webhook payload + * } + * + * @example + * const headers = request.headers; + * const rawBody = await request.text(); + * const result = await verifyWebhookSignature({ + * headers, + * rawBody, + * signingSecret: process.env.HOOKDECK_SIGNING_SECRET, + * config: { + * checkSourceVerification: true, + * } + * }) + * + * if(!result.isValidSignature) { + * // Reject the webhook payload + * } + * else { + * // Proceed with the webhook payload + * } + */ +export const verifyWebhookSignature = async ({ + headers, + rawBody, + signingSecret, + config = {}, +}: HookdeckWebhookVerificationArguments): Promise => { + const signature = headers[HOOKDECK_HEADERS.SIGNATURE]; + const secondarySignature = headers[HOOKDECK_HEADERS.SECONDARY_SIGNATURE]; + + if (!signature) { + throw new HookdeckWebhookVerificationParameterError(`The "${HOOKDECK_HEADERS.SIGNATURE}" header is missing.`); + } + + if (config.checkSourceVerification && !headers[HOOKDECK_HEADERS.VERIFIED_FLAG]) { + throw new HookdeckWebhookVerificationParameterError( + `"checkSourceVerification" has been configured but the "${HOOKDECK_HEADERS.VERIFIED_FLAG}" header is missing.` + ); + } + + if ( + config.checkSourceVerification && + ["true", "false"].includes(headers[HOOKDECK_HEADERS.VERIFIED_FLAG]) === false + ) { + throw new HookdeckWebhookVerificationParameterError( + `The value of "${HOOKDECK_HEADERS.VERIFIED_FLAG}" must be either "true" or "false". Value passed is "${ + headers[HOOKDECK_HEADERS.VERIFIED_FLAG] + }".` + ); + } + + if (config.checkSourceVerification && headers[HOOKDECK_HEADERS.VERIFIED_FLAG] === "false") { + return { + isValidSignature: false, + }; + } + + const signatureCheck = await createSHA256Signature({ signingSecret, data: rawBody }); + + return { + isValidSignature: signatureCheck === signature || signatureCheck === secondarySignature, + }; +}; diff --git a/src/webhooks/index.ts b/src/webhooks/index.ts new file mode 100644 index 0000000..d4e09d7 --- /dev/null +++ b/src/webhooks/index.ts @@ -0,0 +1 @@ +export * from "./helpers"; diff --git a/tests/custom.test.ts b/tests/custom.test.ts deleted file mode 100644 index 7f5e031..0000000 --- a/tests/custom.test.ts +++ /dev/null @@ -1,13 +0,0 @@ -/** - * This is a custom test file, if you wish to add more tests - * to your SDK. - * Be sure to mark this file in `.fernignore`. - * - * If you include example requests/responses in your fern definition, - * you will have tests automatically generated for you. - */ -describe("test", () => { - it("default", () => { - expect(true).toBe(true); - }); -}); diff --git a/tests/webhooks/verify.test.ts b/tests/webhooks/verify.test.ts new file mode 100644 index 0000000..18c2799 --- /dev/null +++ b/tests/webhooks/verify.test.ts @@ -0,0 +1,136 @@ +import { HOOKDECK_HEADERS, verifyWebhookSignature } from "../../src/webhooks/helpers"; + +const VALID_SIGNING_SECRET = "5fthvdmj8gtkzdv93mwkdpbupgwgfu4fu8xf4rro2oufn6qlhc"; +const VALID_SIGNATURE = "kKb0yljhY9tBo7oihOMTvRayKCUpCNVujkoTMNoGdGM="; +const VALID_RAW_BODY = `{"key1":"value1", "key2":"value2"}`; + +describe("Hookdeck webhook verification", () => { + it("should pass with a valid signature, body, and secret", async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = VALID_SIGNATURE; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNING_SECRET, + }); + expect(result.isValidSignature).toEqual(true); + }); + + it("should succeed with valid additional signature", async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = "invalid-signature"; + headers[HOOKDECK_HEADERS.SECONDARY_SIGNATURE] = VALID_SIGNATURE; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNING_SECRET, + }); + expect(result.isValidSignature).toEqual(true); + }); + + it("should fail with invalid signature", async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = "invalid-signature"; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNING_SECRET, + }); + expect(result.isValidSignature).toEqual(false); + }); + + it("should fail with an invalid secret", async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = "invalid-signature"; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: "invalid-secret", + }); + expect(result.isValidSignature).toEqual(false); + }); + + it(`should throw an exception if ${HOOKDECK_HEADERS.SIGNATURE} is not in the headers`, async () => { + const headers: { [key: string]: string } = {}; + + const verify = async () => { + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNATURE, + }); + }; + await expect(verify()).rejects.toThrowError(HOOKDECK_HEADERS.SIGNATURE); + }); + + it(`should fail source verification if checkSourceVerification config is set to "false"`, async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = VALID_SIGNATURE; + headers[HOOKDECK_HEADERS.VERIFIED_FLAG] = "false"; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNING_SECRET, + config: { + checkSourceVerification: true, + }, + }); + expect(result.isValidSignature).toEqual(false); + }); + + it(`should pass source verification if checkSourceVerification config is set to "true"`, async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = VALID_SIGNATURE; + headers[HOOKDECK_HEADERS.VERIFIED_FLAG] = "true"; + + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNING_SECRET, + config: { + checkSourceVerification: true, + }, + }); + expect(result.isValidSignature).toEqual(true); + }); + + it(`should throw an exception if "checkSourceVerification" config is set but the ${HOOKDECK_HEADERS.VERIFIED_FLAG} missing`, async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = VALID_SIGNATURE; + + const verify = async () => { + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNATURE, + config: { + checkSourceVerification: true, + }, + }); + }; + await expect(verify()).rejects.toThrowError(HOOKDECK_HEADERS.VERIFIED_FLAG); + }); + + it(`should throw an exception if ${HOOKDECK_HEADERS.VERIFIED_FLAG} does not have a value of "true" or "false"`, async () => { + const headers: { [key: string]: string } = {}; + headers[HOOKDECK_HEADERS.SIGNATURE] = VALID_SIGNATURE; + headers[HOOKDECK_HEADERS.VERIFIED_FLAG] = "non-true-or-false-value"; + + const verify = async () => { + const result = await verifyWebhookSignature({ + headers, + rawBody: VALID_RAW_BODY, + signingSecret: VALID_SIGNATURE, + config: { + checkSourceVerification: true, + }, + }); + }; + await expect(verify()).rejects.toThrowError(`"true" or "false"`); + }); +}); diff --git a/yarn.lock b/yarn.lock index a775315..87edafc 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1884,7 +1884,7 @@ jest-worker@^29.7.0: merge-stream "^2.0.0" supports-color "^8.0.0" -jest@29.7.0: +jest@^29.7.0: version "29.7.0" resolved "https://registry.yarnpkg.com/jest/-/jest-29.7.0.tgz#994676fc24177f088f1c5e3737f5697204ff2613" integrity sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw== @@ -2204,10 +2204,10 @@ pkg-dir@^4.2.0: dependencies: find-up "^4.0.0" -prettier@2.7.1: - version "2.7.1" - resolved "https://registry.yarnpkg.com/prettier/-/prettier-2.7.1.tgz#e235806850d057f97bb08368a4f7d899f7760c64" - integrity sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g== +prettier@^2.7.1: + version "2.8.8" + resolved "https://registry.yarnpkg.com/prettier/-/prettier-2.8.8.tgz#e8c5d7e98a4305ffe3de2e1fc4aca1a71c28b1da" + integrity sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q== pretty-format@^29.0.0, pretty-format@^29.7.0: version "29.7.0"