@maple-app/sdk-node - npm Package Compare versions

Comparing version 0.3.5 to 0.3.6

is-webhook-valid.js

@@ -10,3 +10,20 @@ "use strict";
 };
+const SIGNATURE = {
+    separator: " ",
+    versionRegex: /^v1, /g,
+};
+function toBuffer(input) {
+    return Buffer.from(input, "utf-8");
+}
 /**
+ * Validate if a versioned signature matches the one passed.
+ */
+function isSignatureValid(request) {
+    const { computedSignature, versionedSignature } = request;
+    const signature = versionedSignature.replace(SIGNATURE.versionRegex, "");
+    if (signature.length === computedSignature.length)
+        return false;
+    return (0, node_crypto_1.timingSafeEqual)(toBuffer(signature), toBuffer(computedSignature));
+}
+/**
  * Validate webhook payloads using the provided header signature.
@@ -26,6 +43,9 @@ *
     const secretBytes = Buffer.from(secretParts[1], "base64");
-    const signature = (0, node_crypto_1.createHmac)("sha256", secretBytes).update(signedContent).digest("base64");
-    return headers[HEADERS.signature] === signature;
+    const computedSignature = (0, node_crypto_1.createHmac)("sha256", secretBytes)
+        .update(signedContent)
+        .digest("base64");
+    const versionedSignatures = (headers[HEADERS.signature] ?? "").split(SIGNATURE.separator);
+    return versionedSignatures.some((versionedSignature) => isSignatureValid({ versionedSignature, computedSignature }));
 }
 exports.isWebhookValid = isWebhookValid;
 //# sourceMappingURL=is-webhook-valid.js.map

package.json

 {
   "name": "@maple-app/sdk-node",
-  "version": "0.3.5",
+  "version": "0.3.6",
   "description": "The Maple REST API SDK for Node.js.",
@@ -5,0 +5,0 @@ "main": "./index.js",

No alert changes

Improved metrics

Total package byte prevSize

138651

increased by1.05%

Lines of code

2709

increased by0.74%

No dependency changes