Collaborator

@jcortes jcortes commented Oct 15, 2025

WHY

Resolves #18711

Summary by CodeRabbit

  • New Features

    • Introduced an AfterShip “Shipment Status Updated” event source that emits events when a shipment’s tracking status changes.
    • Added webhook support with signature verification and a configurable secret.
    • On setup, automatically backfills recent trackings to start emitting events immediately.
  • Chores

    • Bumped package version to 0.3.0.

@jcortes jcortes self-assigned this Oct 15, 2025

vercel bot commented Oct 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Preview Comments Updated (UTC)
pipedream-docs Ignored Ignored Oct 15, 2025 8:19pm
pipedream-docs-redirect-do-not-edit Ignored Ignored Oct 15, 2025 8:19pm

Contributor

coderabbitai bot commented Oct 15, 2025

Walkthrough

Adds AfterShip webhook infrastructure and a concrete “shipment status updated” source. Introduces a common webhook handler with deploy hook, signature validation, and event emission, plus a specific source implementing event naming and metadata. Updates package version and dependencies, adding crypto and upgrading @pipedream/platform.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Package updates (components/aftership/package.json) | Bump version 0.2.0 → 0.3.0; update @pipedream/platform ^1.5.1 → ^3.1.0; add dependency crypto@^1.0.1. |
| Common webhook handler (components/aftership/sources/common/webhook.mjs) | New default export implementing AfterShip webhook handling: props (app, http.customResponse, webhookSecret), deploy hook (validates secret; fetches first 25 trackings; emits via processResource), isSignatureValid (HMAC-SHA256), processResource, run (validates signature, 401/200 responses, emits). Placeholders generateMeta and getEventName throw ConfigurationError. |
| Shipment status updated source (components/aftership/sources/shipment-status-updated/shipment-status-updated.mjs) | New source extending common webhook: defines key/name/description/version/type/dedupe; implements getEventName() → "tracking_update"; generateMeta(resource) building id, summary, ts from payload. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor AfterShip as AfterShip
  participant HTTP as HTTP Endpoint
  participant Source as Webhook Source (common)
  participant App as AfterShip App API
  participant Runtime as Platform Runtime

  note over Source,App: Deploy phase
  Source->>Source: Validate webhookSecret
  alt secret missing
    Source->>Runtime: Throw ConfigurationError
  else secret present
    Source->>App: listTrackings(limit=25, page=1)
    App-->>Source: Trackings[]
    loop reverse iterate trackings
      Source->>Source: processResource(resource)
      Source->>Runtime: $emit(resource, generateMeta)
    end
  end

  rect rgba(230,245,255,0.4)
  note over AfterShip,HTTP: Runtime webhook delivery
  AfterShip->>HTTP: POST /webhook (body, aftership-hmac-sha256)
  HTTP->>Source: run({ body, bodyRaw, headers })
  Source->>Source: isSignatureValid(bodyRaw, headerSig)
  alt invalid signature
    Source-->>HTTP: 401 Unauthorized (customResponse)
  else valid signature
    Source->>Source: processResource(body)
    Source->>Runtime: $emit(body, generateMeta)
    Source-->>HTTP: 200 OK (customResponse)
  end
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

A whisk of wires, a hop of code,
I sniff the tracks where updates rode.
Webhooks thump—thump!—on meadow ground,
HMAC-checked, the carrots found. 🥕
From first 25 to fresh-new ping,
I twitch, emit, and logs I bring.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues Check | ⚠️ Warning | Issue #18711 requests two specific triggers for AfterShip: "New Added Shipment" and "Updating Shipment", along with a comprehensive list of data fields to be included (tracking number, customer name, order ID, carrier, service, status, etc.). The PR implements only the shipment-status-updated source, which addresses the "Updating Shipment" requirement, but the "New Added Shipment" trigger is not included in this changeset. Additionally, while the generateMeta() method extracts id, summary, and timestamp, the implementation does not explicitly demonstrate inclusion of all the specified data fields from the issue. | To fully resolve issue #18711, the PR should include both requested triggers: implement the "New Added Shipment" source in addition to the "Updating Shipment" source. Additionally, clarify how the comprehensive data fields mentioned in the issue (tracking number, customer name, order ID, order number, carrier, service, status, latest event, origin, destination, transit time, estimated delivery, on-time status, create date, shipment tags) are being surfaced through the webhook payload and metadata generation. A second source file or an updated implementation would be needed to address the complete scope of the issue. |
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The PR title "[Component] AfterShip - new source shipment status updated" clearly and concisely summarizes the main objective of the changeset. It accurately reflects that a new AfterShip source for handling shipment status updates is being introduced, which directly corresponds to the code additions in webhook.mjs and shipment-status-updated.mjs files, along with supporting package updates. The title is specific and descriptive enough for team members to quickly understand the primary change when scanning pull request history. |
| Out of Scope Changes Check | ✅ Passed | All code changes in this PR are directly related to implementing the AfterShip webhook source functionality. The package.json updates (version bump to 0.3.0, @pipedream/platform dependency update to ^3.1.0, and addition of "crypto" dependency ^1.0.1) are appropriate supporting changes for the new webhook implementation. The new files webhook.mjs and shipment-status-updated.mjs are both essential to the stated objective of adding the shipment status updated source, and all modifications are within scope of the AfterShip component enhancement. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (4)
components/aftership/sources/common/webhook.mjs (4)

25-42: Minor: redundant slice and inconsistent timestamp units.

  • slice(0, 25) is redundant with limit: 25.
  • ts here uses seconds, while generateMeta returns milliseconds. Prefer consistency (ms in meta is standard; consider removing ts from payload or making both ms).
-      trackings
-        .slice(0, 25)
+      trackings
         .reverse()
         .forEach((tracking) => {
           this.processResource({
             event: this.getEventName(),
             event_id: tracking.id,
             msg: tracking,
-            ts: Date.parse(tracking.updated_at) / 1000,
+            // Consider removing or making ms to match meta.ts
+            ts: Math.floor(Date.parse(tracking.updated_at) / 1000),
           });
         });
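
Review bot: The added `ts` line still produces seconds (`/ 1000` is kept), so the comment added just above it, "making ms to match meta.ts", describes a change this hunk does not make; either drop the division so both timestamps are milliseconds or remove the comment. Separately, `Date.parse(tracking.updated_at)` returns NaN when `updated_at` is missing or unparseable and `Math.floor` passes NaN through, so the value should be checked before it is emitted.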

20-23: Nit: message says “skipping deployment” but code throws.

Either skip without throwing, or adjust the message to reflect a hard failure.

-        console.log("No webhook secret was provided, skipping deployment");
-        throw new ConfigurationError("No webhook secret was provided, skipping deployment");
+        const msg = "A webhook secret is required to deploy this source";
+        console.log(msg);
+        throw new ConfigurationError(msg);

52-62: Optional: timing-safe compare for HMAC.

Use crypto.timingSafeEqual to avoid subtle timing leaks on signature mismatch.

-      const hash = createHmac("sha256", webhookSecret)
-        .update(bodyRaw)
-        .digest("base64");
-      return hash === signature;
+      const digest = createHmac("sha256", webhookSecret).update(bodyRaw).digest("base64");
+      if (!signature) return false;
+      const a = Buffer.from(digest);
+      const b = Buffer.from(signature);
+      return a.length === b.length && crypto.timingSafeEqual(a, b);
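
Review bot: The last added line calls `crypto.timingSafeEqual`, but the removed lines call `createHmac` unqualified, which points to a named import rather than a `crypto` module binding; unless `crypto` is imported elsewhere in the file, the comparison fails at runtime on every delivery whose lengths match. Import `timingSafeEqual` next to `createHmac` and call it directly. The `if (!signature) return false;` guard also belongs before the digest is computed, and should reject non-string header values, since `Buffer.from(signature)` accepts arrays as well as strings.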

5-17: Consider documenting how to obtain the webhook secret.

Good description; add a short note that deployment will fail without it (align with hook behavior).

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 311d74e and aeec079.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • components/aftership/package.json (2 hunks)
  • components/aftership/sources/common/webhook.mjs (1 hunks)
  • components/aftership/sources/shipment-status-updated/shipment-status-updated.mjs (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: pnpm publish
  • GitHub Check: Publish TypeScript components
  • GitHub Check: Lint Code Base
  • GitHub Check: Verify TypeScript components
🔇 Additional comments (3)
components/aftership/sources/shipment-status-updated/shipment-status-updated.mjs (1)

3-10: Confirm second trigger (“New Added Shipment”) is included.

The issue requests both “New Added Shipment” and “Updating Shipment.” This file covers status updates. Please confirm the “New Added Shipment” source exists in this PR or will follow.

components/aftership/package.json (1)

16-16: Manual verification needed: Cannot confirm API usage in components/aftership.

The script search returned no matches for ConfigurationError or customResponse in the codebase. This prevents definitively verifying whether these APIs are actually used by the aftership component or if they're compatible with v3.1.0.

To proceed, verify:

  1. Whether the aftership component actually uses $.interface.http with customResponse: true or throws ConfigurationError
  2. If these APIs are not used, the version constraint ^3.1.0 may still be valid, but compatibility cannot be confirmed without code inspection
#!/bin/bash
# Search specifically within aftership component for $.interface.http and ConfigurationError usage
find components/aftership -type f \( -name "*.js" -o -name "*.ts" -o -name "*.jsx" -o -name "*.tsx" -o -name "*.mjs" \) -exec grep -l "interface\.http\|customResponse\|ConfigurationError" {} \;
components/aftership/sources/common/webhook.mjs (1)

70-77: No change needed for signature header
Tracking webhooks use aftership-hmac-sha256 per official docs, so the existing header key is correct.
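
The runtime check described in the walkthrough above (HMAC-SHA256 over `bodyRaw`, compared against the `aftership-hmac-sha256` header, answered with 401 or 200), written out as an added example that is not code from this pull request. The secret, the payload and the `sign`, `handle` and `demo` helpers are constructed for illustration; the base64 digest encoding follows the suggested diff in the review.

```javascript
// Added example, not the PR's webhook.mjs. Secret and payload are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Header name as cited in the review thread (Node lowercases header names).
const SIGNATURE_HEADER = "aftership-hmac-sha256";

// Base64 HMAC-SHA256 over the exact bytes received, before any JSON parsing.
function sign(secret, bodyRaw) {
  return createHmac("sha256", secret).update(bodyRaw).digest("base64");
}

// True only when the header carries a signature that matches bodyRaw.
function isSignatureValid(secret, bodyRaw, headers) {
  const signature = headers[SIGNATURE_HEADER];
  // Reject missing, empty or repeated (array) headers before doing any work.
  if (typeof signature !== "string" || signature.length === 0) return false;
  const expected = Buffer.from(sign(secret, bodyRaw), "utf8");
  const received = Buffer.from(signature, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Maps a delivery to the status code the source answers with.
function handle(secret, { bodyRaw, headers }) {
  return isSignatureValid(secret, bodyRaw, headers) ? 200 : 401;
}

// Constructed sample delivery.
const SECRET = "example-webhook-secret";
const RAW = '{"event":"tracking_update","event_id":"abc123","msg":{"tag":"InTransit"}}';
const GOOD = { [SIGNATURE_HEADER]: sign(SECRET, RAW) };

function demo() {
  const short = { [SIGNATURE_HEADER]: GOOD[SIGNATURE_HEADER].slice(0, 10) };
  // Re-serialising the parsed body changes the bytes, so the MAC no longer matches.
  const pretty = JSON.stringify(JSON.parse(RAW), null, 2);
  return {
    valid: handle(SECRET, { bodyRaw: RAW, headers: GOOD }),
    missing: handle(SECRET, { bodyRaw: RAW, headers: {} }),
    wrongSecret: handle("other-secret", { bodyRaw: RAW, headers: GOOD }),
    reserialised: handle(SECRET, { bodyRaw: pretty, headers: GOOD }),
    truncated: handle(SECRET, { bodyRaw: RAW, headers: short }),
  };
}

console.log(demo());
```

The `reserialised` case is the reason the handler verifies `bodyRaw` rather than the parsed `body`.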

Collaborator

@michelle0927 michelle0927 left a comment

LGTM! Ready for QA!

@vunguyenhung vunguyenhung merged commit 0b7dcf3 into master Oct 16, 2025
10 checks passed
@vunguyenhung vunguyenhung deleted the aftership-new-sources branch October 16, 2025 02:59
Development

Successfully merging this pull request may close these issues.

Request to make available any Triggers for AfterShip - Ideally for Shipments "New Added Shipment" & "Updating Shipment"