Releases: castle/castle-node
v3.1.0
Housekeeping:
- Slim down the default request context to `headers`, `ip`, and `library`. The client id is carried by `headers` (the `x-castle-client-id` header / `__cid` cookie) and resolved by Castle server-side, so the SDK no longer derives it separately.
- Remove the internal client-id extraction service and the now-unused cookie helper (`HeadersGetCookieService`) along with the `cookies` plumbing in `ContextGetDefaultService` / `ContextPrepareService`.
v3.0.0
BREAKING CHANGES:
- Remove the legacy endpoints and their `Castle` methods: `authenticate`, `track`, and the device endpoints (`getDevice`, `getDevicesForUser`, `approveDevice`, `reportDevice`). Use `risk` / `filter` / `log` instead. The related public types (`Payload`, `DevicePayload`, `UserDevicePayload`, `AuthenticateResult`) are removed as well.
- Require Node.js >= 20. The SDK now uses the runtime's built-in global `fetch` and `AbortSignal` instead of `node-fetch` and `abort-controller`, which are no longer dependencies.
- Ship a proper dual ESM + CommonJS build via `tsup` with an `exports` map (separate `import` / `require` entry points and type definitions). Importing from internal `dist/` paths is unsupported; import from the package root.
Features:
- Add webhook signature verification: `Castle#verifyWebhookSignature(rawBody, signature)` (and `WebhookVerifyService`) validate the `X-Castle-Signature` header — a base64 HMAC-SHA256 of the raw request body, compared in constant time — and raise `WebhookVerificationError` on mismatch.
- Add secure-mode signing: `Castle#secureModeSignature(userId)` (and `SecureModeService`) return a hex HMAC-SHA256 of the user id, for signing user IDs sent from the browser.
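The two HMAC constructions described in the Features list, as an added example using only Node's built-in `crypto` module; it is not the SDK's own code. The helper names, the placeholder key and the sample body are assumptions constructed for illustration, and the release notes do not say which secret the SDK keys the HMAC with.

```javascript
const crypto = require('node:crypto');

// Assumption: placeholder key; the release notes do not say which secret is used.
const SECRET = 'constructed-test-secret';

// base64 HMAC-SHA256 over the exact bytes received, before any JSON parsing.
function webhookSignature(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Hypothetical helper: true only on a match, never throws on malformed input.
function verifySignatureHeader(rawBody, header, secret) {
  if (typeof header !== 'string' || header.length === 0) return false;
  const expected = Buffer.from(webhookSignature(rawBody, secret), 'utf8');
  const received = Buffer.from(header, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Hex HMAC-SHA256 of a user id, the shape described for secure mode.
function hexUserIdSignature(userId, secret) {
  return crypto.createHmac('sha256', secret).update(String(userId)).digest('hex');
}

// Constructed sample delivery: raw bytes as they arrived on the wire.
const rawBody = Buffer.from('{"event": "constructed-sample", "n": 1}', 'utf8');
const header = webhookSignature(rawBody, SECRET);

// A body that was parsed and re-serialized no longer matches byte for byte.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');

function demo() {
  return {
    valid: verifySignatureHeader(rawBody, header, SECRET),
    reserialized: verifySignatureHeader(reserialized, header, SECRET),
    truncated: verifySignatureHeader(rawBody, header.slice(0, 10), SECRET),
    missing: verifySignatureHeader(rawBody, undefined, SECRET),
    wrongKey: verifySignatureHeader(rawBody, header, 'other-constructed-secret'),
    userSig: hexUserIdSignature('constructed-user-1', SECRET),
  };
}

console.log(demo());
```

The `reserialized` case is why the verification has to run on the raw request body: a JSON body parser that hands the handler an object has already discarded the bytes the signature covers.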
Enhancements:
- Rename the Events API methods to `queryEvents`, `eventsSchema`, and `groupEvents`. `searchEvents` and `getEventsSchema` remain available as aliases of `queryEvents` and `eventsSchema`, so existing code keeps working.
- Drop the `lodash.get` / `lodash.isempty` / `lodash.merge` / `lodash.pickby` / `lodash.reduce` micro-dependencies in favor of native JavaScript helpers (`src/utils/object.ts`).
- Modernize `tsconfig.json`: target `ES2022`, move the `strict` flag under `compilerOptions` (it was previously a top-level key and silently ignored, so strict type-checking was effectively off), and drop unused decorator options. `strictNullChecks` is now enforced.
- Bump `pino` to v9 and `pino-pretty` to v13.
- Migrate CI from CircleCI to GitHub Actions with a Node 20/22/24/26 matrix.
- Switch the package manager from Yarn (classic) to npm (`package-lock.json`, `npm ci` in CI).
- Add `.tool-versions` / `.nvmrc` pinning Node `26.2.0`.
- Add `engines.node >= 20` and a `typecheck` script.
- Remove the dead `ImpersonationFailed` error (impersonation endpoints no longer exist in the SDK).
- Restructure the README to match the other Castle SDKs: capabilities list, quick start, a full Usage section (Risk/Filter/Log/Lists/Privacy/Events/Webhooks/Secure mode), advanced header/IP configuration, and an errors table.
Bug fixes:
- Add a fully-typed `transaction` field to `RiskPayload`, modelled on the public OpenAPI schema: `base_amount` is a string, `amount` is a `$fiat` / `$crypto` object, plus `payment_method`, `shipping_address` and `merchant`. Exported as `TransactionPayload` — addresses #188.
- Extend `FilterPayload` and `LogPayload` with the same `transaction` field, since both endpoints accept it.
- Add the missing `region_code` to `AddressPayload` and type `RiskPayload.user.address` as `AddressPayload`.
- `risk` no longer throws a `TypeError` in `doNotTrack` mode when the payload has no `user` object.
Release v2.3.3
Release v2.3.1
- Introduce APIs:
  - events/query, events/schema, events/group
  - POST privacy/users, DELETE privacy/users
  - lists/:id/items/batch, lists/:id/items/count
- make request_token and context optional based on skip parameters
Release v2.2.2
Release v2.2.1
- #157 - exposed more data types publicly