feat(api): manual updates

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 42
 openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/imagekit-inc%2Fimagekit-3d7da4b8ef2ed30aa32c4fb3e98e498e67402e91aaa5fd4c628fc080bfe82ea1.yml
 openapi_spec_hash: aaa50fcbccec6f2cf1165f34bc6ac886
-config_hash: 84bf9f929b0248a6cdf2d526331ed8eb
+config_hash: 0f760028496146ece9431573b1ab0e46

package.json

@@ -26,7 +26,9 @@
     "lint": "./scripts/lint",
     "fix": "./scripts/format"
   },
-  "dependencies": {},
+  "dependencies": {
+    "standardwebhooks": "^1.0.0"
+  },
   "devDependencies": {
     "@arethetypeswrong/cli": "^0.17.0",
     "@swc/core": "^1.3.102",

src/client.ts

@@ -99,6 +99,15 @@ export interface ClientOptions {
    */
   password?: string | null | undefined;
 
+  /**
+   * Your ImageKit webhook secret. This is used by the SDK to verify webhook signatures. It starts with a `whsec_` prefix.
+   * You can view and manage your webhook secret in the [dashboard](https://imagekit.io/dashboard/developer/webhooks).
+   * Treat the secret like a password, keep it private and do not expose it publicly.
+   * Learn more about [webhook verification](https://imagekit.io/docs/webhooks#verify-webhook-signature).
+   *
+   */
+  webhookSecret?: string | null | undefined;
+
   /**
    * Override the default base URL for the API, e.g., "https://api.example.com/v2/"
    *
@@ -174,6 +183,7 @@ export interface ClientOptions {
 export class ImageKit {
   privateAPIKey: string;
   password: string | null;
+  webhookSecret: string | null;
 
   baseURL: string;
   maxRetries: number;
@@ -192,6 +202,7 @@ export class ImageKit {
    *
    * @param {string | undefined} [opts.privateAPIKey=process.env['IMAGEKIT_PRIVATE_API_KEY'] ?? undefined]
    * @param {string | null | undefined} [opts.password=process.env['OPTIONAL_IMAGEKIT_IGNORES_THIS'] ?? do_not_set]
+   * @param {string | null | undefined} [opts.webhookSecret=process.env['IMAGEKIT_WEBHOOK_SECRET'] ?? null]
    * @param {string} [opts.baseURL=process.env['IMAGE_KIT_BASE_URL'] ?? https://api.imagekit.io] - Override the default base URL for the API.
    * @param {number} [opts.timeout=1 minute] - The maximum amount of time (in milliseconds) the client will wait for a response before timing out.
    * @param {MergedRequestInit} [opts.fetchOptions] - Additional `RequestInit` options to be passed to `fetch` calls.
@@ -204,6 +215,7 @@ export class ImageKit {
     baseURL = readEnv('IMAGE_KIT_BASE_URL'),
     privateAPIKey = readEnv('IMAGEKIT_PRIVATE_API_KEY'),
     password = readEnv('OPTIONAL_IMAGEKIT_IGNORES_THIS') ?? 'do_not_set',
+    webhookSecret = readEnv('IMAGEKIT_WEBHOOK_SECRET') ?? null,
     ...opts
   }: ClientOptions = {}) {
     if (privateAPIKey === undefined) {
@@ -215,6 +227,7 @@ export class ImageKit {
     const options: ClientOptions = {
       privateAPIKey,
       password,
+      webhookSecret,
       ...opts,
       baseURL: baseURL || `https://api.imagekit.io`,
     };
@@ -238,6 +251,7 @@ export class ImageKit {
 
     this.privateAPIKey = privateAPIKey;
     this.password = password;
+    this.webhookSecret = webhookSecret;
   }
 
   /**
@@ -255,6 +269,7 @@ export class ImageKit {
       fetchOptions: this.fetchOptions,
       privateAPIKey: this.privateAPIKey,
       password: this.password,
+      webhookSecret: this.webhookSecret,
       ...options,
     });
     return client;

src/resources/webhooks.ts

@@ -2,13 +2,23 @@
 
 import { APIResource } from '../core/resource';
 import * as FilesAPI from './files/files';
+import { Webhook } from 'standardwebhooks';
 
 export class Webhooks extends APIResource {
   unsafeUnwrap(body: string): UnsafeUnwrapWebhookEvent {
     return JSON.parse(body) as UnsafeUnwrapWebhookEvent;
   }
 
-  unwrap(body: string): UnwrapWebhookEvent {
+  unwrap(
+    body: string,
+    { headers, key }: { headers: Record<string, string>; key?: string },
+  ): UnwrapWebhookEvent {
+    if (headers !== undefined) {
+      const keyStr: string | null = key === undefined ? this._client.webhookSecret : key;
+      if (keyStr === null) throw new Error('Webhook key must not be null in order to unwrap');
+      const wh = new Webhook(keyStr);
+      wh.verify(body, headers);
+    }
     return JSON.parse(body) as UnwrapWebhookEvent;
   }
 }

tests/api-resources/webhooks.test.ts

@@ -0,0 +1,43 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+import { Webhook } from 'standardwebhooks';
+
+import ImageKit from '@imagekit/nodejs';
+
+const client = new ImageKit({
+  privateAPIKey: 'My Private API Key',
+  password: 'My Password',
+  baseURL: process.env['TEST_API_BASE_URL'] ?? 'http://127.0.0.1:4010',
+});
+
+describe('resource webhooks', () => {
+  test.skip('unwrap', async () => {
+    const key = 'whsec_c2VjcmV0Cg==';
+    const payload =
+      '{"id":"id","created_at":"2019-12-27T18:11:19.117Z","data":{"asset":{"url":"https://example.com"},"transformation":{"type":"video-transformation","options":{"audio_codec":"aac","auto_rotate":true,"format":"mp4","quality":0,"stream_protocol":"HLS","variants":["string"],"video_codec":"h264"}}},"request":{"url":"https://example.com","x_request_id":"x_request_id","user_agent":"user_agent"},"type":"video.transformation.accepted"}';
+    const msgID = '1';
+    const timestamp = new Date();
+    const wh = new Webhook(key);
+    const signature = wh.sign(msgID, timestamp, payload);
+    const headers: Record<string, string> = {
+      'webhook-signature': signature,
+      'webhook-id': msgID,
+      'webhook-timestamp': String(Math.floor(timestamp.getTime() / 1000)),
+    };
+    client.webhooks.unwrap(payload, { headers, key });
+    expect(() => {
+      const wrongKey = 'whsec_aaaaaaaaaa==';
+      client.webhooks.unwrap(payload, { headers, key: wrongKey });
+    }).toThrow('No matching signature found');
+    expect(() => {
+      const badSig = wh.sign(msgID, timestamp, 'some other payload');
+      client.webhooks.unwrap(payload, { headers: { ...headers, 'webhook-signature': badSig }, key });
+    }).toThrow('No matching signature found');
+    expect(() => {
+      client.webhooks.unwrap(payload, { headers: { ...headers, 'webhook-timestamp': '5' }, key });
+    }).toThrow('Message timestamp too old');
+    expect(() => {
+      client.webhooks.unwrap(payload, { headers: { ...headers, 'webhook-id': 'wrong' }, key });
+    }).toThrow('No matching signature found');
+  });
+});

yarn.lock

@@ -743,6 +743,11 @@
   dependencies:
     "@sinonjs/commons" "^3.0.0"
 
+"@stablelib/base64@^1.0.0":
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/@stablelib/base64/-/base64-1.0.1.tgz#bdfc1c6d3a62d7a3b7bbc65b6cce1bb4561641be"
+  integrity sha512-1bnPQqSxSuc3Ii6MhBysoWCg58j97aUjuCSZrGSmDxNqtytIi0k8utUenAwTZN4V5mXXYGsVUI9zeBqy+jBOSQ==
+
 "@swc/[email protected]":
   version "1.4.16"
   resolved "https://registry.yarnpkg.com/@swc/core-darwin-arm64/-/core-darwin-arm64-1.4.16.tgz#2cd45d709ce76d448d96bf8d0006849541436611"
@@ -1718,6 +1723,11 @@ fast-levenshtein@^2.0.6:
   resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
   integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
+fast-sha256@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/fast-sha256/-/fast-sha256-1.3.0.tgz#7916ba2054eeb255982608cccd0f6660c79b7ae6"
+  integrity sha512-n11RGP/lrWEFI/bWdygLxhI+pVeo1ZYIVwvvPkW7azl/rOy+F3HYRZ2K5zeE9mmkhQppyv9sQFx0JM9UabnpPQ==
+
 fastq@^1.6.0:
   version "1.17.1"
   resolved "https://registry.yarnpkg.com/fastq/-/fastq-1.17.1.tgz#2a523f07a4e7b1e81a42b91b8bf2254107753b47"
@@ -3101,6 +3111,14 @@ stack-utils@^2.0.3:
   dependencies:
     escape-string-regexp "^2.0.0"
 
+standardwebhooks@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/standardwebhooks/-/standardwebhooks-1.0.0.tgz#5faa23ceacbf9accd344361101d9e3033b64324f"
+  integrity sha512-BbHGOQK9olHPMvQNHWul6MYlrRTAOKn03rOe4A8O3CLWhNf4YHBqq2HJKKC+sfqpxiBY52pNeesD6jIiLDz8jg==
+  dependencies:
+    "@stablelib/base64" "^1.0.0"
+    fast-sha256 "^1.3.0"
+
 string-length@^4.0.1:
   version "4.0.2"
   resolved "https://registry.yarnpkg.com/string-length/-/string-length-4.0.2.tgz#a8a8dc7bd5c1a82b9b3c8b87e125f66871b6e57a"