Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@invertase/node-paddle-sdk
Advanced tools
A NodeJS library for integrating with Paddle.
The library provides full TypeScript definitions for the Paddle API & Webhook events.
npm install @invertase/node-paddle-sdk --save
import { PaddleSDK } from '@invertase/node-paddle-sdk';
const paddle = new PaddleSDK(
12345, // Required: Vendor ID
'xxxx', // Required: Vendor Auth Code
'xxxx', // Optional: Public Key
);
The Public Key is optional, but required if using the
verifyWebhook
method.
The library provides integration with the Paddle API endpoints.
The vendor_id
and vendor_auth_code
parameters are not required and are automatically provided by the library.
Example usage:
try {
const coupons = await paddle.listCoupons({
product_id: 123,
});
} catch (e) {
console.error(e.code, e.message);
}
Coupons
Products
Licenses
Pay Links
Transactions
Payments
Plans
Users
Modifiers
Payments
One-off Charges
Webhooks
The library provides useful helpers for handling Webhooks, along with type definitions for events for TypeScript users.
To verify a webhook, you must have provided a public key whilst creating a PaddleSDK
instance
otherwise an error will be thrown. If the provided body does not conform to a Paddle Webhook
request (JSON response containing both a alert_name
and p_signature
), an error will also be thrown.
Pass the request body to the verifyWebhook
method to verify the signature:
// Express example
// Ensure you accept a JSON request body.
app.use(express.json());
app.post('/your-webhook-endpoint', (req, res) => {
const verified = paddle.verifyWebhook(req.body);
if (!verified) {
return res.status(403).send('Invalid webhook request.');
}
...
});
The library provides type definitions for the various Paddle Webhook events. Using the alert_name
, you can discover the type of the event:
import { PaddleWebhook } from '@invertase/node-paddle-sdk';
app.post('/your-webhook-endpoint', (req, res) => {
const verified = paddle.verifyWebhook(req.body);
if (!verified) {
return res.status(403).send('Invalid webhook request.');
}
const event = req.body as PaddleWebhook;
if (event.alert_name === 'subscription_created') {
// `event` is now cast as a `SubscriptionCreatedWebhook`
console.log(event.subscription_id);
}
});
If using the Paddle Sandbox Environment, you can set the library to use a custom server endpoint:
import { PaddleSDK } from '@invertase/node-paddle-sdk';
const paddle = new PaddleSDK(
12345, // Required: Vendor ID
'xxxx', // Required: Vendor Auth Code
'xxxx', // Optional: Public Key
'https://sandbox-vendors.paddle.com/api/2.0', // Optional: Custom Server Endpoint
);
Built and maintained by Invertase.
FAQs
A fully typed NodeJS library for integration with Paddle.
We found that @invertase/node-paddle-sdk demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.