matt/Rocky_Mountain_Vending
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Rocky_Mountain_Vending/lib/ebay-notifications.ts

418 lines
10 KiB
TypeScript
Raw Permalink Blame History

import { createHash, createPublicKey, createVerify } from "node:crypto"
import type { NextRequest } from "next/server"
const DEFAULT_EBAY_API_BASE_URL = "https://api.ebay.com"
const DEFAULT_EBAY_NOTIFICATION_SCOPE = "https://api.ebay.com/oauth/api_scope"
const DEFAULT_EBAY_NOTIFICATION_ENDPOINT =
"https://rmv.abundancepartners.app/api/ebay/notifications"
const DEFAULT_EBAY_NOTIFICATION_VERIFICATION_TOKEN =
"rmv_ebay_notifications_2026_04_01_test_7c4f1a9d"
const PUBLIC_KEY_CACHE_TTL = 60 * 60 * 1000
const ACCESS_TOKEN_CACHE_TTL_SKEW = 60 * 1000
type CachedAccessToken = {
token: string
expiresAt: number
}
type CachedPublicKey = {
algorithm: string
digest: string
key: string
expiresAt: number
}
export type EbayNotificationSignature = {
algorithm?: string
digest?: string
keyId: string
signature: string
}
type EbayPublicKeyResponse = {
algorithm?: string
digest?: string
key?: string
}
type VerificationResult =
| {
verified: true
keyId: string
}
| {
verified: false
reason: string
}
const accessTokenCache = new Map<string, CachedAccessToken>()
const publicKeyCache = new Map<string, CachedPublicKey>()
function getOptionalEnv(name: string) {
const value = process.env[name]
return typeof value === "string" && value.trim() ? value.trim() : ""
}
function stripTrailingSlash(value: string) {
return value.replace(/\/+$/, "")
}
function normalizeEndpointFromRequest(requestUrl?: string) {
if (!requestUrl) {
return ""
}
try {
const url = new URL(requestUrl)
return `${url.origin}${url.pathname}`.replace(/\/+$/, "")
} catch {
return requestUrl.split(/[?#]/)[0]?.replace(/\/+$/, "") || ""
}
}
export function getEbayNotificationEndpoint(requestUrl?: string) {
const configuredEndpoint = getOptionalEnv("EBAY_NOTIFICATION_ENDPOINT")
if (configuredEndpoint) {
return stripTrailingSlash(configuredEndpoint)
}
if (DEFAULT_EBAY_NOTIFICATION_ENDPOINT) {
return stripTrailingSlash(DEFAULT_EBAY_NOTIFICATION_ENDPOINT)
}
return normalizeEndpointFromRequest(requestUrl)
}
export function getEbayNotificationVerificationToken() {
return (
getOptionalEnv("EBAY_NOTIFICATION_VERIFICATION_TOKEN") ||
DEFAULT_EBAY_NOTIFICATION_VERIFICATION_TOKEN
)
}
export function computeEbayChallengeResponse(args: {
challengeCode: string
endpoint: string
verificationToken: string
}) {
const hash = createHash("sha256")
hash.update(args.challengeCode)
hash.update(args.verificationToken)
hash.update(args.endpoint)
return hash.digest("hex")
}
function base64DecodeText(rawValue: string) {
const normalized = rawValue.trim().replace(/-/g, "+").replace(/_/g, "/")
const padded = normalized + "=".repeat((4 - (normalized.length % 4)) % 4)
try {
return Buffer.from(padded, "base64").toString("utf8").trim()
} catch {
return ""
}
}
function asRecord(value: unknown): Record<string, unknown> | null {
if (!value || typeof value !== "object" || Array.isArray(value)) {
return null
}
return value as Record<string, unknown>
}
function firstString(...values: unknown[]) {
for (const value of values) {
if (typeof value === "string" && value.trim()) {
return value.trim()
}
}
return ""
}
export function parseEbaySignatureHeader(
rawHeader: string | null
): EbayNotificationSignature | null {
const trimmed = typeof rawHeader === "string" ? rawHeader.trim() : ""
if (!trimmed) {
return null
}
const candidates = [trimmed, base64DecodeText(trimmed)].filter(Boolean)
for (const candidate of candidates) {
const parsed = (() => {
try {
return JSON.parse(candidate) as unknown
} catch {
return null
}
})()
const parsedRecord = asRecord(parsed)
if (parsedRecord) {
const keyId = firstString(
parsedRecord.keyId,
parsedRecord.kid,
parsedRecord.key_id,
parsedRecord.publicKeyId
)
const signature = firstString(
parsedRecord.signature,
parsedRecord.sig,
parsedRecord.value
)
const algorithm = firstString(parsedRecord.algorithm, parsedRecord.alg)
const digest = firstString(parsedRecord.digest, parsedRecord.hash)
if (keyId && signature) {
return {
keyId,
signature,
algorithm: algorithm || undefined,
digest: digest || undefined,
}
}
if (keyId) {
return {
keyId,
signature,
algorithm: algorithm || undefined,
digest: digest || undefined,
}
}
}
}
const decoded = base64DecodeText(trimmed)
if (decoded) {
const keyId = decoded
return { keyId, signature: "" }
}
return null
}
function normalizeDigest(digest?: string) {
switch ((digest || "").trim().toLowerCase()) {
case "sha1":
return "sha1"
case "sha256":
return "sha256"
case "sha384":
return "sha384"
case "sha512":
return "sha512"
default:
return "sha1"
}
}
function normalizePublicKeyPem(value: string) {
const trimmed = value.trim()
if (!trimmed) {
return ""
}
if (trimmed.includes("BEGIN PUBLIC KEY")) {
return trimmed
}
const compact = trimmed.replace(/\s+/g, "")
const chunks = compact.match(/.{1,64}/g) || [compact]
return `-----BEGIN PUBLIC KEY-----\n${chunks.join("\n")}\n-----END PUBLIC KEY-----`
}
async function getEbayAccessToken() {
const clientId = getOptionalEnv("EBAY_NOTIFICATION_APP_ID")
const clientSecret = getOptionalEnv("EBAY_NOTIFICATION_CERT_ID")
const apiBaseUrl = stripTrailingSlash(
getOptionalEnv("EBAY_NOTIFICATION_API_BASE_URL") ||
DEFAULT_EBAY_API_BASE_URL
)
const scope =
getOptionalEnv("EBAY_NOTIFICATION_SCOPE") || DEFAULT_EBAY_NOTIFICATION_SCOPE
if (!clientId || !clientSecret) {
throw new Error(
"eBay notification verification requires EBAY_NOTIFICATION_APP_ID and EBAY_NOTIFICATION_CERT_ID."
)
}
const cacheKey = `${apiBaseUrl}|${clientId}|${clientSecret}|${scope}`
const cached = accessTokenCache.get(cacheKey)
if (cached && cached.expiresAt > Date.now()) {
return cached.token
}
const tokenUrl = `${apiBaseUrl}/identity/v1/oauth2/token`
const body = new URLSearchParams()
body.set("grant_type", "client_credentials")
body.set("scope", scope)
const authValue = Buffer.from(`${clientId}:${clientSecret}`).toString(
"base64"
)
const response = await fetch(tokenUrl, {
method: "POST",
headers: {
Authorization: `Basic ${authValue}`,
"Content-Type": "application/x-www-form-urlencoded",
Accept: "application/json",
},
body,
})
if (!response.ok) {
const details = await response.text().catch(() => "")
throw new Error(
`Failed to fetch eBay access token (${response.status} ${response.statusText})${details ? `: ${details}` : ""}`
)
}
const payload = (await response.json().catch(() => null)) as {
access_token?: string
expires_in?: number
} | null
const token =
typeof payload?.access_token === "string" ? payload.access_token : ""
const expiresIn =
typeof payload?.expires_in === "number" &&
Number.isFinite(payload.expires_in)
? payload.expires_in
: 3600
if (!token) {
throw new Error(
"eBay access token response did not include an access_token value."
)
}
accessTokenCache.set(cacheKey, {
token,
expiresAt:
Date.now() +
Math.max(expiresIn * 1000 - ACCESS_TOKEN_CACHE_TTL_SKEW, 60_000),
})
return token
}
async function getEbayPublicKey(keyId: string) {
const apiBaseUrl = stripTrailingSlash(
getOptionalEnv("EBAY_NOTIFICATION_API_BASE_URL") ||
DEFAULT_EBAY_API_BASE_URL
)
const cacheKey = `${apiBaseUrl}|${keyId}`
const cached = publicKeyCache.get(cacheKey)
if (cached && cached.expiresAt > Date.now()) {
return cached
}
const accessToken = await getEbayAccessToken()
const response = await fetch(
`${apiBaseUrl}/commerce/notification/v1/public_key/${encodeURIComponent(keyId)}`,
{
method: "GET",
headers: {
Authorization: `Bearer ${accessToken}`,
Accept: "application/json",
},
}
)
if (!response.ok) {
const details = await response.text().catch(() => "")
throw new Error(
`Failed to fetch eBay public key (${response.status} ${response.statusText})${details ? `: ${details}` : ""}`
)
}
const payload = (await response
.json()
.catch(() => null)) as EbayPublicKeyResponse | null
const key =
typeof payload?.key === "string" ? normalizePublicKeyPem(payload.key) : ""
const algorithm =
typeof payload?.algorithm === "string" && payload.algorithm.trim()
? payload.algorithm.trim()
: ""
const digest =
typeof payload?.digest === "string" && payload.digest.trim()
? payload.digest.trim()
: ""
if (!key) {
throw new Error("eBay public key response did not include a valid key.")
}
const cachedValue = {
algorithm,
digest,
key,
expiresAt: Date.now() + PUBLIC_KEY_CACHE_TTL,
}
publicKeyCache.set(cacheKey, cachedValue)
return cachedValue
}
export async function verifyEbayNotificationSignature(args: {
body: string
signatureHeader: string | null
}): Promise<VerificationResult> {
const clientId = getOptionalEnv("EBAY_NOTIFICATION_APP_ID")
const clientSecret = getOptionalEnv("EBAY_NOTIFICATION_CERT_ID")
if (!clientId || !clientSecret) {
return {
verified: false,
reason: "Notification verification credentials are not configured.",
}
}
const signature = parseEbaySignatureHeader(args.signatureHeader)
if (!signature) {
return {
verified: false,
reason: "Missing or invalid X-EBAY-SIGNATURE header.",
}
}
if (!signature.keyId) {
return {
verified: false,
reason: "The X-EBAY-SIGNATURE header did not include a key id.",
}
}
if (!signature.signature) {
return {
verified: false,
reason: "The X-EBAY-SIGNATURE header did not include a signature value.",
}
}
const publicKey = await getEbayPublicKey(signature.keyId)
const verifier = createVerify(
normalizeDigest(signature.digest || publicKey.digest)
)
verifier.update(args.body, "utf8")
verifier.end()
const verified = verifier.verify(
createPublicKey(publicKey.key),
signature.signature,
"base64"
)
if (!verified) {
return {
verified: false,
reason: "eBay notification signature verification failed.",
}
}
return { verified: true, keyId: signature.keyId }
}
Reference in a new issue View git blame Copy permalink