Merge branch 'main' into update-node-modules

Author: GermanSmoliar

.github/workflows/CI-appsec-blackduck-master.yml

@@ -7,9 +7,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
+      - uses: actions/setup-node@v4
         with:
-          node-version: 16.x
+          node-version: 18
       - run: npm ci
       - run: npm run lint
       - run: npm run build

.github/workflows/CI-appsec-blackduck-pr.yml

@@ -1,6 +1,6 @@
 {
   "name": "@unit-finance/unit-node-sdk",
-  "version": "1.3.4",
+  "version": "1.3.5",
   "description": "",
   "main": "dist/unit.js",
   "types": "dist/unit.d.ts",

.github/workflows/CI.yml

@@ -42,9 +42,11 @@ export class Webhooks extends BaseResource {
     }
 
     public verify(signature: string, secret: string, payload: any) {
+        const signatureBuffer = Buffer.from(signature, "base64")
         const hmac = crypto.createHmac("sha1", secret)
         hmac.update(JSON.stringify(payload))
-        return hmac.digest("base64") == signature
+
+        return crypto.timingSafeEqual(hmac.digest(), signatureBuffer)
     }
 }
 

package-lock.json

@@ -14,7 +14,7 @@ describe("Create API Tokens", () => {
             "attributes": {
                 "description": "test token",
                 "scope": "customers applications",
-                "expiration": "2025-09-01T13:47:17.000Z",
+                "expiration": "2026-09-01T13:47:17.000Z",
                 "resources": [resource]
             }
         }

package.json

@@ -22,4 +22,15 @@ describe("Get Webhook Test", () => {
             expect(res.data.type === "webhook").toBeTruthy()
         })
     })
+})
+
+describe("Verify Webhook test", () => {
+    test("verify webhook signature", () => {
+        const signature = "UUNz8ch1Ovjg+ijXUEwlAlWEktU="
+        const secret = "OB2HL5E3B4HJ7IVXRNL4YQKYIQIVJK36ZZLPZEFWZVSDSC7LLFJQ===="
+        const payload = {"data":[{"id":"46306092","type":"application.approved","attributes":{"createdAt":"2025-08-05T06:48:38.957Z","tags":{"key":"another-tag","test":"webhook-tag","number":"111"}},"relationships":{"application":{"data":{"id":"3895367","type":"individualApplication"}},"customer":{"data":{"id":"3310133","type":"individualCustomer"}}}}]}
+
+        const verifyResult = unit.webhooks.verify(signature, secret, payload)
+        expect(verifyResult).toBeTruthy()
+    })
 })

resources/webhooks.ts

@@ -346,47 +346,47 @@ export interface ApplicationFormSettingsOverride {
     /**
      * URL that is presented to the user when an application has been submitted
      */
-    redirectUrl: string
+    redirectUrl?: string
 
     /**
      * Privacy Policy
      */
-    privacyPolicyUrl: string
+    privacyPolicyUrl?: string
 
     /**
      * Consent to Electronic Disclosures
      */
-    electronicDisclosuresUrl: string
+    electronicDisclosuresUrl?: string
 
     /**
      * Deposit Terms & Conditions
      */
-    depositTermsUrl: string
+    depositTermsUrl?: string
 
     /**
      * Client Terms of Service
      */
-    clientTermsUrl: string
+    clientTermsUrl?: string
 
     /**
      * Cardholder Terms and Conditions
      */
-    cardholderTermsUrl: string
+    cardholderTermsUrl?: string
 
     /**
      * Cash Advance Terms and Conditions
      */
-    cashAdvancedTermsUrl: string
+    cashAdvancedTermsUrl?: string
 
     /**
      * Debit Card Disclosure
      */
-    debitCardDisclosureUrl: string
+    debitCardDisclosureUrl?: string
 
     /**
      * Array of additional disclosures that were not covered by the above links
      */
-    additionalDisclosures: Record<string, string>[]
+    additionalDisclosures?: Record<string, string>[]
 
     /**
      * Optional. If true, the applicant will be required to complete the selfie verification process when an ID document is required.