@bebapps/rapyd-sdk
An un-official Rapyd SDK for Node.js.
To install the SDK you'll need the npm CLI installed; then run the following command in your project's root directory (the package name is `@bebapps/rapyd-sdk`, matching the published package above):

```sh
npm install --save @bebapps/rapyd-sdk
```
The core of the SDK is the RapidClient class. It handles authorization, parameter encoding, request signing and sending, error handling, webhook verification, and more.

The RapidClient class takes your Rapyd secret key and access key, as well as an optional base URL (defaults to "sandboxapi.rapyd.net").
```ts
import { RapidClient } from '@bebapps/rapyd-sdk';

// Placeholder credentials shown with x's; load real keys from configuration, not source.
const rapid = new RapidClient(
  'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', // secret key
  'xxxxxxxxxxxxxxxxxxxx', // access key
);
// ...
```
If you prefer calling the Rapyd API directly (using hard-coded URL paths and parameters), you can use the convenience methods exposed on the RapidClient class.
```ts
import { Wallet } from '@bebapps/rapyd-sdk/dist/generated/wallet/types/Wallet';
// ... (`rapid` is the RapidClient instance created above)

const response = await rapid.get('/v1/user/{}', 'ewallet_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
const wallet = await response.data<Wallet>();
console.log(wallet); // { id: 'ewallet_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', type: 'person', status: 'ACT', [...] }
```
You may notice the use of {} in the path. These are auto-encoded placeholders. When you use a placeholder in the path, you must also provide the same number of arguments following the path, containing the placeholder values. These values are automatically URL-encoded, so if they come from unsanitized user input, you can sleep easy: a value cannot change the route or add query parameters.
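To make the encoding guarantee concrete, here is a small model of the placeholder substitution described above, written as an added example rather than the SDK's own code. It assumes only the documented contract (one argument per `{}`, in order) and contrasts the encoded path with a naive string interpolation, using a constructed attacker-controlled wallet id:

```javascript
// Added example (not the SDK's implementation): models the "{}" placeholder
// contract and shows why per-segment URL encoding matters for user-supplied ids.

function buildPath(template, ...values) {
  const placeholders = (template.match(/\{\}/g) || []).length;
  // Mismatched counts are a caller bug; fail loudly rather than build a bad URL.
  if (placeholders !== values.length) {
    throw new Error(`expected ${placeholders} path value(s), got ${values.length}`);
  }
  let i = 0;
  // Each value becomes one encoded path segment: "/", "?", "#", "&" and "="
  // are percent-encoded, so the value cannot alter the route or the query string.
  return template.replace(/\{\}/g, () => encodeURIComponent(String(values[i++])));
}

// Naive alternative for contrast only: raw interpolation lets the value rewrite the path.
function buildPathUnsafe(template, ...values) {
  let i = 0;
  return template.replace(/\{\}/g, () => String(values[i++]));
}

// Constructed sample input: a "wallet id" taken straight from an HTTP request.
const SAMPLE_ID = 'ewallet_abc/../../v1/admin?role=owner#x';

// Encoded: '/v1/user/ewallet_abc%2F..%2F..%2Fv1%2Fadmin%3Frole%3Downer%23x'
console.log(buildPath('/v1/user/{}', SAMPLE_ID));
// Unsafe: '/v1/user/ewallet_abc/../../v1/admin?role=owner#x'
console.log(buildPathUnsafe('/v1/user/{}', SAMPLE_ID));
```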
This SDK can also be used to validate incoming webhooks from Rapyd. If you'd like a real-world example, check out the Beb Pay store service's verify-webhook function.

Part of the magic this SDK provides is auto-generated APIs. These APIs are fully typed from the official Rapyd documentation, so they can be updated with a simple re-publish of the package.

Because the APIs are auto-generated, their source cannot be found in the repository. Instead, you can use a tool like UNPKG to navigate through the contents of the published npm package.
Here's an example of creating a wallet using the auto-generated Wallet API.
```ts
import { createWallet } from '@bebapps/rapyd-sdk/dist/generated/wallet/apis/Wallet';
// ... (`rapid` is the RapidClient instance; `userId` is your own user identifier)

const wallet = await createWallet(rapid, {
  contact: {
    contact_type: 'personal',
  },
  ewallet_reference_id: userId,
});
console.log(wallet); // { id: 'ewallet_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', type: 'person', status: 'ACT', [...] }
```
The advantage of these auto-generated APIs is that you use them all in exactly the same way: you provide your RapidClient instance and an object containing all the parameters the API takes. Path, query, and body parameters are combined into one object, so you can make the most of IntelliSense in your IDE, which will offer suggestions and display documentation as you type.
By default, calling the response.data() function throws an error if the response contained an error code. The JavaScript Error's message contains the message from the server (which usually contains super useful human-readable explanations), and errors generated by the SDK also expose the Rapyd error code on their code field.
```ts
import { WalletError } from '@bebapps/rapyd-sdk/dist/generated/wallet/enums/WalletError';
// ...

try {
  const wallet = await createWallet(rapid, {
    contact: {
      contact_type: 'personal',
    },
    ewallet_reference_id: userId,
  });
} catch (err) {
  // `code` carries the Rapyd error code for errors generated by the SDK
  switch (err.code) {
    case WalletError.ERROR_CREATE_USER_EWALLET_REFERENCE_ID_ALREADY_EXISTS: {
      console.log('Oh no, this user already has a wallet! Derp!');
      break;
    }
    default: {
      console.log('All other errors end up here!');
      break;
    }
  }
}
```
The code that generates the auto-generated APIs for this SDK also publishes the "references" it pulls from the Rapyd API documentation website. This file is included in the npm package, so you can download the references.json file from UNPKG.
FAQs
An un-official [Rapyd](https://rapyd.net) SDK for Node.js.
We found that @bebapps/rapyd-sdk demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.