Closer/functions/dist/billing/revenueCatWebhook.test.js

90 lines
4.5 KiB
JavaScript
Raw Normal View History

"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || (function () {
var ownKeys = function(o) {
ownKeys = Object.getOwnPropertyNames || function (o) {
var ar = [];
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
return ar;
};
return ownKeys(o);
};
return function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
__setModuleDefault(result, mod);
return result;
};
})();
Object.defineProperty(exports, "__esModule", { value: true });
// The verifier under test is pure (crypto only), so we stub the Firebase side-effect
// imports that run at module load rather than exercising them.
jest.mock('firebase-functions/v2/https', () => ({ onRequest: jest.fn() }));
jest.mock('firebase-functions/params', () => ({ defineSecret: jest.fn(() => ({})) }));
jest.mock('../log', () => ({ logger: { log: jest.fn(), error: jest.fn(), warn: jest.fn() } }));
jest.mock('./entitlementLogic', () => ({ applyEntitlementEvent: jest.fn() }));
const crypto = __importStar(require("crypto"));
const revenueCatWebhook_1 = require("./revenueCatWebhook");
const SECRET = 'whsec_test_shared_secret';
const NOW = 1700000000000; // fixed "now" in ms
const nowSec = Math.floor(NOW / 1000);
const BODY = JSON.stringify({ event: { type: 'INITIAL_PURCHASE', app_user_id: 'uid1' } });
/** Build the header RevenueCat would send: `t=<sec>,v1=<hmac_sha256_hex of "<sec>.<body>">`. */
function sign(body, tsSec, secret = SECRET) {
const raw = Buffer.isBuffer(body) ? body : Buffer.from(body, 'utf8');
const payload = Buffer.concat([Buffer.from(`${tsSec}.`, 'utf8'), raw]);
const v1 = crypto.createHmac('sha256', secret).update(payload).digest('hex');
return `t=${tsSec},v1=${v1}`;
}
function verify(overrides = {}) {
return (0, revenueCatWebhook_1.verifyWebhookSignature)(Object.assign({ rawBody: Buffer.from(BODY), header: sign(BODY, nowSec), secret: SECRET, nowMs: NOW }, overrides));
}
describe('verifyWebhookSignature', () => {
it('accepts a valid signature', () => {
expect(() => verify()).not.toThrow();
});
it('accepts a timestamp within the tolerance window', () => {
expect(() => verify({ header: sign(BODY, nowSec - 4 * 60) })).not.toThrow();
});
it('rejects a tampered body', () => {
expect(() => verify({ rawBody: Buffer.from(BODY + ' ') })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a signature made with the wrong secret', () => {
expect(() => verify({ header: sign(BODY, nowSec, 'wrong-secret') })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a missing header', () => {
expect(() => verify({ header: undefined })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a missing body', () => {
expect(() => verify({ rawBody: undefined })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a header missing v1', () => {
expect(() => verify({ header: `t=${nowSec}` })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a stale timestamp (replay guard)', () => {
expect(() => verify({ header: sign(BODY, nowSec - 10 * 60) })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a far-future timestamp', () => {
expect(() => verify({ header: sign(BODY, nowSec + 10 * 60) })).toThrow(revenueCatWebhook_1.AuthError);
});
it('rejects a wrong-length signature without crashing (timingSafeEqual guard)', () => {
expect(() => verify({ header: `t=${nowSec},v1=deadbeef` })).toThrow(revenueCatWebhook_1.AuthError);
});
});
//# sourceMappingURL=revenueCatWebhook.test.js.map