"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || (function () { var ownKeys = function(o) { ownKeys = Object.getOwnPropertyNames || function (o) { var ar = []; for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k; return ar; }; return ownKeys(o); }; return function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]); __setModuleDefault(result, mod); return result; }; })(); Object.defineProperty(exports, "__esModule", { value: true }); // The verifier under test is pure (crypto only), so we stub the Firebase side-effect // imports that run at module load rather than exercising them. jest.mock('firebase-functions/v2/https', () => ({ onRequest: jest.fn() })); jest.mock('firebase-functions/params', () => ({ defineSecret: jest.fn(() => ({})) })); jest.mock('../log', () => ({ logger: { log: jest.fn(), error: jest.fn(), warn: jest.fn() } })); jest.mock('./entitlementLogic', () => ({ applyEntitlementEvent: jest.fn() })); const crypto = __importStar(require("crypto")); const revenueCatWebhook_1 = require("./revenueCatWebhook"); const SECRET = 'whsec_test_shared_secret'; const NOW = 1700000000000; // fixed "now" in ms const nowSec = Math.floor(NOW / 1000); const BODY = JSON.stringify({ event: { type: 'INITIAL_PURCHASE', app_user_id: 'uid1' } }); /** Build the header RevenueCat would send: `t=,v1=.">`. */ function sign(body, tsSec, secret = SECRET) { const raw = Buffer.isBuffer(body) ? body : Buffer.from(body, 'utf8'); const payload = Buffer.concat([Buffer.from(`${tsSec}.`, 'utf8'), raw]); const v1 = crypto.createHmac('sha256', secret).update(payload).digest('hex'); return `t=${tsSec},v1=${v1}`; } function verify(overrides = {}) { return (0, revenueCatWebhook_1.verifyWebhookSignature)(Object.assign({ rawBody: Buffer.from(BODY), header: sign(BODY, nowSec), secret: SECRET, nowMs: NOW }, overrides)); } describe('verifyWebhookSignature', () => { it('accepts a valid signature', () => { expect(() => verify()).not.toThrow(); }); it('accepts a timestamp within the tolerance window', () => { expect(() => verify({ header: sign(BODY, nowSec - 4 * 60) })).not.toThrow(); }); it('rejects a tampered body', () => { expect(() => verify({ rawBody: Buffer.from(BODY + ' ') })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a signature made with the wrong secret', () => { expect(() => verify({ header: sign(BODY, nowSec, 'wrong-secret') })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a missing header', () => { expect(() => verify({ header: undefined })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a missing body', () => { expect(() => verify({ rawBody: undefined })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a header missing v1', () => { expect(() => verify({ header: `t=${nowSec}` })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a stale timestamp (replay guard)', () => { expect(() => verify({ header: sign(BODY, nowSec - 10 * 60) })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a far-future timestamp', () => { expect(() => verify({ header: sign(BODY, nowSec + 10 * 60) })).toThrow(revenueCatWebhook_1.AuthError); }); it('rejects a wrong-length signature without crashing (timingSafeEqual guard)', () => { expect(() => verify({ header: `t=${nowSec},v1=deadbeef` })).toThrow(revenueCatWebhook_1.AuthError); }); }); //# sourceMappingURL=revenueCatWebhook.test.js.map