Merge pull request #3 from eBay/1.0.1

v1.0.1

README.md

@@ -5,29 +5,33 @@ With notifications, business moments are communicated to all interested listener
 This NodeJS SDK is designed to simplify processing eBay notifications. The application receives subscribed messages, validates the integrity of the message using the X-EBAY-SIGNATURE header and delegates to a custom configurable MessageProcessor for plugging in usecase specific processing logic.
 
 # Table of contents
-* [What Notifications are covered?](#notifications)
-* [Motivation](#motivation)
-* [Usage](#usage)
-* [Logging](#logging)
-* [License](#license)
+  * [What Notifications are covered?](#notifications)
+  * [Features](#features)
+  * [Usage](#usage)
+  * [Logging](#logging)
+  * [License](#license)
 
 # Notifications
 
 This SDK is intended for the latest eBay notifications that use ECC signatures and JSON payloads.
 While this SDK is generic for any topic, it currently includes the schema definition for MARKETPLACE_ACCOUNT_DELETION notifications.
 
-# Motivation
+# Features
 
 This SDK is intended to bootstrap subscriptions to eBay Notifications and provides a ready NodeJS example.
 
+This SDK now also incorporates support for endpoint validation.
+
 This SDK incorporates
 
 - A deployable example NodeJS application that is generic across topics and can process incoming https notifications
 - Allows registration of custom Message Processors.
-- Verify the integrity of the incoming messages
+- [Verify the integrity](https://github.com/eBay/event-notification-nodejs-sdk/blob/main/lib/validator.js#L65) of the incoming messages
   - Use key id from the decoded signature header to fetch public key required by the verification algorithm. An LRU cache is used to prevent refetches for same 'key'.
   - On verification success, delegate processing to the registered custom message processor and respond with a 204 HTTP status code.
   - On verification failure, respond back with a 412 HTTP status code
+  - With release 1.1.0 - includes support for generating the challenge response required for validating this endpoint.
+More details on endpoint validation is documented [here](https://developer.ebay.com/marketplace-account-deletion).
 
 # Usage
 
@@ -39,6 +43,9 @@ NPM: v7.5.6 or higher
 ```
 
 **Install**
+
+<a href="https://npmjs.org/package/event-notification-nodejs-sdk"><img src="https://img.shields.io/npm/v/event-notification-nodejs-sdk.svg" alt="NPM Version"/></a>
+
 Using npm:
 
 ```shell
@@ -53,12 +60,37 @@ yarn add event-notification-nodejs-sdk
 
 **Configure**
 
+* Update config.json with the client credentials (required to fetch Public Key from /commerce/notification/v1/public_key/{public_key_id}).
+* Specify environment (PRODUCTION or SANDBOX) in [example.js](./examples/example.js). Default: PRODUCTION
+
+* For Endpoint Validation
+  * **verificationToken** associated with your endpoint. A random sample is included for your endpoint, this needs to be the same as that provided to eBay.
+  * **Endpoint** specific to this deployment. A random url is included as an example.
+
+**Note**: it is recommended that the _verificationToken_ be stored in a secure location.
+
+```json
+{
+   "SANDBOX": {
+       "clientId": "<appid-from-developer-portal>",
+       "clientSecret": "<certid-from-developer-portal>",
+       "devid": "<devid-from-developer-portal>",
+       "redirectUri": "<redirect_uri-from-developer-portal>",
+       "baseUrl": "api.sandbox.ebay.com"
+   },
+   "PRODUCTION": {
+       "clientId": "<appid-from-developer-portal>",
+       "clientSecret": "<certid-from-developer-portal>",
+       "devid": "<devid-from-developer-portal>",
+       "redirectUri": "<redirect_uri-from-developer-portal>",
+       "baseUrl": "api.ebay.com"
+   },
+   "endpoint": "<endpoint_url>",
+   "verificationToken": "<verification_token>"
+}
 ```
-* Update config.js with path to client credentials (required to fetch Public Key from /commerce/notification/v1/public_key/{public_key_id}).
-* Specify environment (PRODUCTION or SANDBOX).
 
-For MARKETPLACE_ACCOUNT_DELETION use case simply implement custom logic in accountDeletionMessageProcessor.processInternal()
-```
+For MARKETPLACE_ACCOUNT_DELETION use case simply implement custom logic in [accountDeletionMessageProcessor.processInternal()](./lib/processor/accountDeletionMessageProcessor.js)
 
 **Onboard any new topic in 3 simple steps! :**
 

examples/config.json

@@ -0,0 +1,18 @@
+{
+    "SANDBOX": {
+        "clientId": "<appid-from-developer-portal>",
+        "clientSecret": "<certid-from-developer-portal>",
+        "devid": "<devid-from-developer-portal>",
+        "redirectUri": "<redirect_uri-from-developer-portal>",
+        "baseUrl": "api.sandbox.ebay.com"
+    },
+    "PRODUCTION": {
+        "clientId": "<appid-from-developer-portal>",
+        "clientSecret": "<certid-from-developer-portal>",
+        "devid": "<devid-from-developer-portal>",
+        "redirectUri": "<redirect_uri-from-developer-portal>",
+        "baseUrl": "api.ebay.com"
+    },
+    "endpoint": "http://www.testendpoint.com/webhook",
+    "verificationToken": "71745723-d031-455c-bfa5-f90d11b4f20a"
+}

examples/example.js

@@ -24,10 +24,11 @@
 const express = require('express');
 const app = express();
 
-const config = require('./config');
+const config = require('./config.json');
 const constants = require('../lib/constants');
 const EventNotificationSDK = require('../lib/index');
 
+const environment = 'PRODUCTION';
 const PORT = process.env.PORT || 8080;
 
 app.use(express.json());
@@ -36,7 +37,8 @@ app.post('/webhook', (req, res) => {
     EventNotificationSDK.process(
         req.body,
         req.headers[constants.X_EBAY_SIGNATURE],
-        config
+        config,
+        environment
     ).then((responseCode) => {
         if (responseCode === constants.HTTP_STATUS_CODE.NO_CONTENT) {
             console.log(`Message processed successfully for: \n- Topic: ${req.body.metadata.topic} \n- NotificationId: ${req.body.notification.notificationId}\n`);
@@ -50,6 +52,25 @@ app.post('/webhook', (req, res) => {
     });
 });
 
+app.get('/webhook', (req, res) => {
+    if (req.query.challenge_code) {
+        try {
+            const challengeResponse = EventNotificationSDK.validateEndpoint(
+                req.query.challenge_code,
+                config);
+            res.status(200).send({
+                challengeResponse: challengeResponse
+            });
+        } catch (e) {
+            // eslint-disable-next-line no-console
+            console.error(`Endpoint validation failure: ${e}`);
+            res.status(constants.HTTP_STATUS_CODE.INTERNAL_SERVER_ERROR).send();
+        }
+    } else {
+        res.status(constants.HTTP_STATUS_CODE.INTERNAL_SERVER_ERROR).send();
+    }
+});
+
 app.listen(PORT, () => {
     // eslint-disable-next-line no-console
     console.log(`Listening at http://localhost:${PORT}`);

lib/constants.js

@@ -30,6 +30,7 @@ module.exports = {
     HEADERS: {
         APPLICATION_JSON: 'application/json'
     },
+    HEX: 'hex',
     HTTP_STATUS_CODE: {
         NO_CONTENT: 204,
         OK: 200,
@@ -42,6 +43,7 @@ module.exports = {
     KEY_START: '-----BEGIN PUBLIC KEY-----',
     NOTIFICATION_API_ENDPOINT_PRODUCTION: 'https://api.ebay.com/commerce/notification/v1/public_key/',
     NOTIFICATION_API_ENDPOINT_SANDBOX: 'https://api.sandbox.ebay.com/commerce/notification/v1/public_key/',
+    SHA256: 'sha256',
     TOPICS: {
         MARKETPLACE_ACCOUNT_DELETION: 'MARKETPLACE_ACCOUNT_DELETION'
     },

lib/index.js

@@ -28,22 +28,37 @@ const processor = require('./processor/processor');
  * @param {JSON} message
  * @param {String} signature
  * @param {JSON} config
+ * @param {String} environment
  */
-module.exports.process = async (message, signature, config) => {
+const process = async (message, signature, config, environment) => {
     try {
         // Validate the input
         if (!message || !message.metadata || !message.notification) throw new Error('Please provide the message.');
         if (!signature) throw new Error('Please provide the signature.');
         if (!config) throw new Error('Please provide the config.');
-        if (!config.clientId) throw new Error('Please provide the Client ID.');
-        if (!config.clientSecret) throw new Error('Please provide the Client secret.');
-        if (!config.environment
-            || (config.environment !== constants.ENVIRONMENT.PRODUCTION
-                && config.environment !== constants.ENVIRONMENT.SANDBOX)) {
+        if (!config.PRODUCTION.clientId && !config.SANDBOX.clientId) {
+            throw new Error('Please provide the Client ID.');
+        }
+        if (!config.PRODUCTION.clientSecret && !config.SANDBOX.clientSecret) {
+            throw new Error('Please provide the Client secret.');
+        }
+        if (!environment
+            || (environment !== constants.ENVIRONMENT.PRODUCTION
+                && environment !== constants.ENVIRONMENT.SANDBOX)) {
             throw new Error('Please provide the Environment.');
         }
 
-        const response = await validator.validateSignature(message, signature, config);
+        // Build the config
+        let envConfig = {};
+        if (environment === constants.ENVIRONMENT.SANDBOX) {
+            envConfig = config.SANDBOX;
+            envConfig.environment = constants.ENVIRONMENT.SANDBOX;
+        } else {
+            envConfig = config.PRODUCTION;
+            envConfig.environment = constants.ENVIRONMENT.PRODUCTION;
+        }
+
+        const response = await validator.validateSignature(message, signature, envConfig);
         if (response) {
             // Get the appropriate processor to process the message
             processor
@@ -58,3 +73,29 @@ module.exports.process = async (message, signature, config) => {
         return constants.HTTP_STATUS_CODE.INTERNAL_SERVER_ERROR;
     }
 };
+
+/**
+ * Generates challenge response
+ *
+ * @param {String} challengeCode
+ * @param {JSON} config
+ * @returns {String} challengeResponse
+ */
+const validateEndpoint = (challengeCode, config) => {
+    if (!challengeCode) throw new Error('The "challengeCode" is required.');
+    if (!config) throw new Error('Please provide the config.');
+    if (!config.endpoint) throw new Error('The "endpoint" is required.');
+    if (!config.verificationToken) throw new Error('The "verificationToken" is required.');
+
+    try {
+        return validator.generateChallengeResponse(challengeCode, config);
+    } catch (e) {
+        // eslint-disable-next-line no-console
+        console.error(e);
+    }
+};
+
+module.exports = {
+    process,
+    validateEndpoint
+};

lib/validator.js

@@ -82,4 +82,31 @@ const validateSignature = async (message, signatureHeader, config) => {
     }
 };
 
-module.exports = { validateSignature };
+/**
+ * Generates challenge response
+ * 1. Hash the challengeCode, verificationToken and endpoint
+ * 2. Convert to hex
+ *
+ * @param {String} challengeCode
+ * @param {JSON} config
+ * @returns {String} challengeResponse
+ */
+const generateChallengeResponse = (challengeCode, config) => {
+    try {
+        const hash = crypto.createHash(constants.SHA256);
+
+        hash.update(challengeCode);
+        hash.update(config.verificationToken);
+        hash.update(config.endpoint);
+
+        const responseHash = hash.digest(constants.HEX);
+        return Buffer.from(responseHash).toString();
+    } catch (exception) {
+        throw exception;
+    }
+};
+
+module.exports = {
+    generateChallengeResponse,
+    validateSignature
+};

package.json

@@ -1,6 +1,6 @@
 {
   "name": "event-notification-nodejs-sdk",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "A NodeJS SDK for processing eBay event notifications",
   "main": "lib/index.js",
   "repository": {
@@ -18,7 +18,8 @@
   "keywords": [
     "eBay",
     "Event Notification",
-    "SDK"
+    "SDK",
+    "Endpoint Validation"
   ],
   "author": "Lokesh Rishi",
   "license": "ISC",