Merge pull request #71 from FacturAPI/FAC-1299/update/validate-signatures-locally

javorosas · web-flow · commit 7295fb69319e · 2025-05-20T10:45:55.000+02:00
Prefer validating webhook events locally
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [4.8.3] 2025-05-19
+
+### Fixed
+
+- Webhook validation. Now the signature is validated locally in Node and web environments (but not in React Native, where the API is still used).
+- Type fixes for signature validation.
+
 ## [4.8.2] 2025-04-23
 
 ### Fixed
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "facturapi",
-  "version": "4.8.2",
+  "version": "4.8.3",
   "description": "Librería oficial de Facturapi. Crea CFDIs timbrados y enviados al SAT, XML y PDF",
   "main": "dist/index.cjs.js",
   "module": "dist/index.es.js",
diff --git a/src/tools/webhooks.ts b/src/tools/webhooks.ts
@@ -1,3 +1,4 @@
+import { isNode, isReactNative } from '../constants';
 import { SearchResult, Webhook, ApiEvent, ApiEventType } from '../types';
 import { WrapperClient } from '../wrapper';
 
@@ -65,11 +66,73 @@ export default class Webhooks {
    * @param payload - Received event object to validate
    * @returns When the signature is valid, it returns the event object
    */
-  async validateSignature<T extends ApiEventType | '' = ''>(data: {
+  async validateSignature<T extends ApiEventType = any>(data: {
     secret: string;
     signature: string;
-    payload: ApiEvent<T>;
+    payload: string | Buffer | ApiEvent<T>;
   }): Promise<ApiEvent<T>> {
-    return this.client.post('/webhooks/validate-signature', { body: data });
+    // Validated locally
+    const { secret, signature, payload } = data;
+    let payloadString: string;
+    if (typeof payload === 'string') {
+      payloadString = payload;
+    } else if (Buffer.isBuffer(payload)) {
+      payloadString = payload.toString('utf8');
+    } else if (typeof payload === 'object') {
+      payloadString = JSON.stringify(payload);
+    } else {
+      throw new Error('Invalid payload type');
+    }
+
+    if (isReactNative) {
+      // Call the API to validate signature in React Native
+      return this.client.post('/webhooks/validate-signature', {
+        body: {
+          secret,
+          signature,
+          payload: payloadString,
+        },
+      });
+    } else if (isNode) {
+      const crypto = await import('crypto');
+      const hmac = crypto.createHmac('sha256', secret);
+      const digestBuffer = hmac
+        .update(payloadString)
+        .digest();
+      // Compare the digest with the signature and prevent timing attacks
+      // by using a constant-time comparison
+      const signatureBuffer = Buffer.from(signature, 'hex');
+      if (digestBuffer.length !== signatureBuffer.length) {
+        throw new Error('Invalid signature');
+      }
+      const isValid = crypto.timingSafeEqual(digestBuffer, signatureBuffer);
+      if (!isValid) {
+        throw new Error('Invalid signature');
+      }
+      return JSON.parse(payloadString) as ApiEvent<T>;
+    } else { // Web browsers
+      const encoder = new TextEncoder();
+      const encodedData = encoder.encode(payloadString);
+      const encodedSecret = encoder.encode(secret);
+      const digest = await crypto.subtle.sign(
+        'HMAC',
+        await crypto.subtle.importKey(
+          'raw',
+          encodedSecret,
+          { name: 'HMAC', hash: 'SHA-256' },
+          false,
+          ['sign'],
+        ),
+        encodedData,
+      );
+      const hexDigest = Array.from(new Uint8Array(digest))
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('')
+        .toLowerCase();
+      if (signature !== hexDigest) {
+        throw new Error('Invalid signature');
+      }
+    }
+    return JSON.parse(payloadString) as ApiEvent<T>;
   }
 }
diff --git a/vite.config.ts b/vite.config.ts
@@ -8,7 +8,7 @@ export default defineConfig({
       fileName: (format) => `index.${format}.js`,
     },
     rollupOptions: {
-      external: ['stream'],
+      external: ['stream', 'crypto'],
       output: {
         exports: 'named', // Use named exports to avoid the warning
       },

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "facturapi",`
`3`		`- "version": "4.8.2",`
	`3`	`+ "version": "4.8.3",`
`4`	`4`	`"description": "Librería oficial de Facturapi. Crea CFDIs timbrados y enviados al SAT, XML y PDF",`
`5`	`5`	`"main": "dist/index.cjs.js",`
`6`	`6`	`"module": "dist/index.es.js",`