fix: app-connect pass raw body through to verification #1373
llessa-godaddy wants to merge 3 commits into
Conversation
… handlers TanStack middleware was calling request.json() which consumed the body stream, preventing downstream handlers from reading it. Now uses request.clone().text() to read raw body for signature verification while preserving the original request stream for downstream use. This also ensures signature verification uses exact raw body bytes instead of re-stringified JSON, preventing signature mismatches from whitespace or key ordering differences. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Extract createInvalidJsonResponse() to eliminate duplication - Add JSON parsing and error handling for invalid JSON bodies - Pass parsed body to next() via context for downstream use Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Pull request overview
This PR updates App Connect verification so TanStack middleware can verify against the raw request body while still making a parsed body available downstream.
Changes:
- Uses raw string bodies during canonicalization when available.
- Updates TanStack action/webhook middleware to read raw text from a cloned request and pass parsed JSON via context.
- Adds TanStack middleware tests for raw body preservation, downstream context, and failure responses.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/app-connect/src/utils/verification.ts | Supports raw string bodies during canonicalization and adjusts an unused catch binding. |
| packages/app-connect/src/types/verifiable-request.ts | Documents framework-specific body expectations. |
| packages/app-connect/src/tanstack/index.ts | Reads raw body from cloned requests, parses JSON for context, and uses raw body for verification. |
| packages/app-connect/src/tanstack/index.test.ts | Adds coverage for TanStack action and webhook middleware behavior. |
Comments suppressed due to low confidence (1)
packages/app-connect/src/tanstack/index.ts:114
- The caught error value is never used. This package runs Biome over src, and unused variables are reported by the linter, so this should be changed to an omitted catch binding or an underscore-prefixed name.
} catch (error) {
| if (rawBody) { | ||
| try { | ||
| parsedBody = JSON.parse(rawBody); | ||
| } catch (error) { |
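Review bot: the `} catch (error) {` binding in this excerpt is never read, and Biome reports unused variables, so write it as an optional catch binding (`} catch {`). Separately, the parse is guarded by `if (rawBody)`, so an empty body leaves `parsedBody` undefined instead of producing the invalid-JSON response; document that downstream handlers see undefined as "no body" rather than as a parse failure, and make sure the raw (possibly empty) string is still what goes into verification.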
Summary
This PR fixes 2 related issues.
Pass raw body through to verification
The JSON.stringify(req.body) call in the verification module's canonicalizeRequest strips any pretty-printing or extraneous spaces in the body. That broke verification, which requires the exact same bytes from the body in the canonical string.
Allow later middlewares to use parsed JSON request body
The verifyAction middleware from @godaddy/app-connect calls request.json() for signature verification but does not pass the parsed body forward through the middleware chain. Since a Fetch API Request body can only be consumed once, calling request.json() again throws a TypeError ("disturbed or locked").
See: https://developer.mozilla.org/en-US/docs/Web/API/Request/json#exceptions
Changeset
Test Plan