@hookflo/tern/dist/platforms/algorithms.js

A robust, scalable webhook verification framework supporting multiple platforms and signature algorithms

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.platformAlgorithmConfigs = void 0;
exports.getPlatformAlgorithmConfig = getPlatformAlgorithmConfig;
exports.platformUsesAlgorithm = platformUsesAlgorithm;
exports.getPlatformsUsingAlgorithm = getPlatformsUsingAlgorithm;
exports.validateSignatureConfig = validateSignatureConfig;
exports.platformAlgorithmConfigs = {
    github: {
        platform: 'github',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-hub-signature-256',
            headerFormat: 'prefixed',
            prefix: 'sha256=',
            timestampHeader: undefined,
            payloadFormat: 'raw',
        },
        description: 'GitHub webhooks use HMAC-SHA256 with sha256= prefix',
    },
    stripe: {
        platform: 'stripe',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'stripe-signature',
            headerFormat: 'comma-separated',
            timestampHeader: undefined,
            payloadFormat: 'timestamped',
            customConfig: {
                signatureFormat: 't={timestamp},v1={signature}',
            },
        },
        description: 'Stripe webhooks use HMAC-SHA256 with comma-separated format',
    },
    clerk: {
        platform: 'clerk',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'svix-signature',
            headerFormat: 'raw',
            timestampHeader: 'svix-timestamp',
            timestampFormat: 'unix',
            payloadFormat: 'custom',
            customConfig: {
                signatureFormat: 'v1={signature}',
                payloadFormat: '{id}.{timestamp}.{body}',
                encoding: 'base64',
                idHeader: 'svix-id',
            },
        },
        description: 'Clerk webhooks use HMAC-SHA256 with base64 encoding',
    },
    dodopayments: {
        platform: 'dodopayments',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'webhook-signature',
            headerFormat: 'raw',
            timestampHeader: 'webhook-timestamp',
            timestampFormat: 'unix',
            payloadFormat: 'custom',
            customConfig: {
                signatureFormat: 'v1={signature}',
                payloadFormat: '{id}.{timestamp}.{body}',
                encoding: 'base64',
                idHeader: 'webhook-id',
            },
        },
        description: 'Dodo Payments webhooks use HMAC-SHA256 with svix-style format (Standard Webhooks)',
    },
    shopify: {
        platform: 'shopify',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-shopify-hmac-sha256',
            headerFormat: 'raw',
            timestampHeader: 'x-shopify-shop-domain',
            payloadFormat: 'raw',
        },
        description: 'Shopify webhooks use HMAC-SHA256',
    },
    vercel: {
        platform: 'vercel',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-vercel-signature',
            headerFormat: 'raw',
            timestampHeader: 'x-vercel-timestamp',
            timestampFormat: 'unix',
            payloadFormat: 'raw',
        },
        description: 'Vercel webhooks use HMAC-SHA256',
    },
    polar: {
        platform: 'polar',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-polar-signature',
            headerFormat: 'raw',
            timestampHeader: 'x-polar-timestamp',
            timestampFormat: 'unix',
            payloadFormat: 'raw',
        },
        description: 'Polar webhooks use HMAC-SHA256',
    },
    supabase: {
        platform: 'supabase',
        signatureConfig: {
            algorithm: 'custom',
            headerName: 'x-webhook-token',
            headerFormat: 'raw',
            payloadFormat: 'raw',
            customConfig: {
                type: 'token-based',
                idHeader: 'x-webhook-id',
            },
        },
        description: 'Supabase webhooks use token-based authentication',
    },
    custom: {
        platform: 'custom',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-webhook-token',
            headerFormat: 'raw',
            payloadFormat: 'raw',
            customConfig: {
                type: 'token-based',
                idHeader: 'x-webhook-id',
            },
        },
        description: 'Custom webhook configuration',
    },
    unknown: {
        platform: 'unknown',
        signatureConfig: {
            algorithm: 'hmac-sha256',
            headerName: 'x-webhook-signature',
            headerFormat: 'raw',
            payloadFormat: 'raw',
        },
        description: 'Unknown platform - using default HMAC-SHA256',
    },
};
function getPlatformAlgorithmConfig(platform) {
    return exports.platformAlgorithmConfigs[platform] || exports.platformAlgorithmConfigs.unknown;
}
function platformUsesAlgorithm(platform, algorithm) {
    const config = getPlatformAlgorithmConfig(platform);
    return config.signatureConfig.algorithm === algorithm;
}
function getPlatformsUsingAlgorithm(algorithm) {
    return Object.entries(exports.platformAlgorithmConfigs)
        .filter(([_, config]) => config.signatureConfig.algorithm === algorithm)
        .map(([platform, _]) => platform);
}
function validateSignatureConfig(config) {
    if (!config.algorithm || !config.headerName) {
        return false;
    }
    switch (config.algorithm) {
        case 'hmac-sha256':
        case 'hmac-sha1':
        case 'hmac-sha512':
            return true;
        case 'rsa-sha256':
        case 'ed25519':
            return !!config.customConfig?.publicKey;
        case 'custom':
            return !!config.customConfig;
        default:
            return false;
    }
}