Skip to content

[Components] paddle #10926 #18510

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+224 −15
Open

[Components] paddle #10926 #18510

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions components/paddle/actions/create-customer/create-customer.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
import app from "../../paddle.app.mjs";

export default {
key: "paddle-create-customer",
name: "Create Customer",
description: "Create a new customer in Paddle. [See the documentation](https://developer.paddle.com/api-reference/customers/create-customer)",
version: "0.0.1",
type: "action",
props: {
app,
email: {
propDefinition: [
app,
"email",
],
},
name: {
propDefinition: [
app,
"name",
],
},
customData: {
propDefinition: [
app,
"customData",
],
},
},
async run({ $ }) {
const response = await this.app.createCustomer({
$,
data: {
email: this.email,
name: this.name,
custom_data: this.customData,
},
});
$.export("$summary", "Successfully created a new customer with the ID: " + response.data.id);
return response;
},
};
19 changes: 19 additions & 0 deletions components/paddle/actions/get-customers/get-customers.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
import app from "../../paddle.app.mjs";

export default {
key: "paddle-get-customers",
name: "Get Customers",
description: "Get a list of customers registered in Paddle. [See the documentation](https://developer.paddle.com/api-reference/customers/list-customers)",
version: "0.0.1",
type: "action",
props: {
app,
},
async run({ $ }) {
const response = await this.app.getCustomers({
$,
});
$.export("$summary", "Successfully retrieved " + response.data.length + " customers");
return response;
},
};
56 changes: 56 additions & 0 deletions components/paddle/actions/update-customer/update-customer.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
import app from "../../paddle.app.mjs";

export default {
key: "paddle-update-customer",
name: "Update Customer",
description: "Update the customer with the specified ID. [See the documentation](https://developer.paddle.com/api-reference/customers/update-customer)",
version: "0.0.1",
type: "action",
props: {
app,
customerId: {
propDefinition: [
app,
"customerId",
],
},
email: {
propDefinition: [
app,
"email",
],
},
name: {
propDefinition: [
app,
"name",
],
},
customData: {
propDefinition: [
app,
"customData",
],
},
status: {
propDefinition: [
app,
"status",
],
},
},
async run({ $ }) {
const response = await this.app.updateCustomer({
$,
customerId: this.customerId,
data: {
email: this.email,
name: this.name,
custom_data: this.customData,
status: this.status,
},
});
$.export("$summary", "Successfully updated the customer with ID: " + this.customerId);
return response;
},
};
6 changes: 6 additions & 0 deletions components/paddle/common/constants.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
export default {
STATUS_OPTIONS: [
"active",
"archived",
],
};
5 changes: 4 additions & 1 deletion components/paddle/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@pipedream/paddle",
"version": "0.0.1",
"version": "0.1.0",
"description": "Pipedream Paddle Components",
"main": "paddle.app.mjs",
"keywords": [
Expand All @@ -11,5 +11,8 @@
"author": "Pipedream <[email protected]> (https://pipedream.com/)",
"publishConfig": {
"access": "public"
},
"dependencies": {
"@pipedream/platform": "^3.1.0"
}
}
91 changes: 86 additions & 5 deletions components/paddle/paddle.app.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,92 @@
import { axios } from "@pipedream/platform";
import constants from "./common/constants.mjs";

export default {
type: "app",
app: "paddle",
propDefinitions: {},
propDefinitions: {
email: {
type: "string",
label: "Email",
description: "Customer's email address",
},
name: {
type: "string",
label: "Name",
description: "Customer's full name",
},
customData: {
type: "object",
label: "Custom Data",
description: "Your own structured key-value data",
optional: true,
},
status: {
type: "string",
label: "Status",
description: "Customer's status",
options: constants.STATUS_OPTIONS,
},
customerId: {
type: "string",
label: "Customer ID",
description: "Unique identifier of the customer",
async options() {
const response = await this.getCustomers();
const data = response.data;
return data.map(({
id, name,
}) => ({
value: id,
label: name,
}));
},
},
},
methods: {
// this.$auth contains connected account data
authKeys() {
console.log(Object.keys(this.$auth));
_baseUrl() {
return "https://sandbox-api.paddle.com";
},
Comment on lines +47 to +49
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

CRITICAL: Hardcoded sandbox API URL blocks production usage.

The base URL is hardcoded to Paddle's sandbox environment. This makes the integration unusable in production. The URL should be configurable or determined by the authentication configuration.

Apply this diff to make the environment configurable:

 _baseUrl() {
-  return "https://sandbox-api.paddle.com";
+  // Use production by default; allow sandbox via auth config
+  return this.$auth.environment === "sandbox" 
+    ? "https://sandbox-api.paddle.com"
+    : "https://api.paddle.com";
 },

Alternatively, if the auth configuration doesn't include an environment field, you may need to add a separate prop or configuration option.

🌐 Web query:

What is the production API URL for Paddle API and how do Paddle integrations typically handle sandbox vs production environments?

💡 Result:

How integrations typically handle sandbox vs production

  • Use different base URLs for each environment (sandbox vs live). [1][3]
  • Use separate credentials: sandbox API keys/client tokens are created in the sandbox account and live keys in the live account (they do not cross‑work). Sandbox keys often include an identifiable prefix (e.g. sdbx or test for client tokens). [2][1]
  • Switch environments via environment variables or SDK config (Paddle SDKs/Paddle.js let you set environment to sandbox or production). [1][4]
  • Best practice: keep sandbox credentials and URLs in dev/staging, and swap to live credentials + https://api.paddle.com when going to production; mismatched key+URL returns a 403. [1][2][3]

Sources: Paddle developer docs (sandbox & base URLs, API keys, SDK environment, go‑live checklist). [1][2][3][4]

CRITICAL — hardcoded sandbox API URL; make base URL environment-configurable

File: components/paddle/paddle.app.mjs (lines 47–49) — _baseUrl() currently returns "https://sandbox-api.paddle.com". Production base URL is "https://api.paddle.com" and sandbox/live credentials are not interchangeable (mismatched key+URL returns 403). Replace with environment/config-driven selection (default to production). Example:

 _baseUrl() {
-  return "https://sandbox-api.paddle.com";
+  if (process.env.PADDLE_BASE_URL) return process.env.PADDLE_BASE_URL;
+  const env = (this.$auth && this.$auth.environment) || process.env.PADDLE_ENV || 'production';
+  return env === 'sandbox' ? 'https://sandbox-api.paddle.com' : 'https://api.paddle.com';
 },

Document PADDLE_ENV/PADDLE_BASE_URL and ensure sandbox vs live credentials are switched together.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
_baseUrl() {
return "https://sandbox-api.paddle.com";
},
_baseUrl() {
if (process.env.PADDLE_BASE_URL) {
return process.env.PADDLE_BASE_URL;
}
const env =
(this.$auth && this.$auth.environment) ||
process.env.PADDLE_ENV ||
'production';
return env === 'sandbox'
? 'https://sandbox-api.paddle.com'
: 'https://api.paddle.com';
},
🤖 Prompt for AI Agents 
In components/paddle/paddle.app.mjs around lines 47–49, _baseUrl() currently
returns the hardcoded sandbox URL; change it to read an environment-configurable
value (e.g., process.env.PADDLE_BASE_URL or derive from process.env.PADDLE_ENV
with default "production") so the default is the production URL
"https://api.paddle.com" and sandbox uses "https://sandbox-api.paddle.com" only
when explicitly selected; update code to fallback to production if env not set,
and add/mention documentation to require switching credentials together
(PADDLE_ENV or PADDLE_BASE_URL plus matching API keys) to avoid 403s from
mismatched key+URL.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem right - please check if the base URL is intended to be sandbox-api

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check for any README or documentation in the paddle component directory
echo "=== Checking for README/docs in paddle directory ==="
fd -t f -e md -e txt . components/paddle/ -x cat {}

echo -e "\n=== Checking paddle auth configuration ==="
fd -t f "\.app\.mjs$" components/paddle/ -x cat {}

echo -e "\n=== Looking for similar app patterns in codebase ==="
# Find other app.mjs files that might have _baseUrl implementations
rg -n -A5 "_baseUrl\(\)" --type=js -g "*.app.mjs" | head -50

echo -e "\n=== Checking for environment or config references in paddle ==="
rg -n "sandbox|production|environment|PADDLE" components/paddle/ --type=js

echo -e "\n=== Checking the PR description/comments for context ==="
gh pr view 18510 --json body,comments --jq '.body, .comments[].body'

Length of output: 24040

@GTFalcao You're absolutely right to flag this! 🎯

After examining the codebase, this is indeed incorrect. The base URL should be the production API (https://api.paddle.com), not the sandbox URL.

Evidence:

  1. All other app integrations in this repository use production URLs by default:

    • big_data_cloud: https://api-bdc.net/data
    • change_photos: https://www.change.photos/api
    • code_climate: https://api.codeclimate.com/v1
    • cutt_ly: https://cutt.ly/api

  2. Paddle's API documentation confirms:

    • Production: https://api.paddle.com
    • Sandbox: https://sandbox-api.paddle.com (for testing only)

  3. Using sandbox by default would make this integration unusable in production without modifying the code.

Recommendation:

_baseUrl() {
  return "https://api.paddle.com";
}

If sandbox support is needed for development/testing, consider making it configurable through an environment variable or auth configuration, but production should always be the default.

async _makeRequest(opts = {}) {
const {
$ = this,
path,
headers,
...otherOpts
} = opts;
return axios($, {
...otherOpts,
url: this._baseUrl() + path,
headers: {
Authorization: `Bearer ${this.$auth.auth_code}`,
...headers,
},
});
},

async getCustomers(args = {}) {
return this._makeRequest({
path: "/customers",
...args,
});
},

async createCustomer(args = {}) {
return this._makeRequest({
path: "/customers",
method: "post",
...args,
});
},

async updateCustomer({
customerId, ...args
}) {
return this._makeRequest({
path: `/customers/${customerId}`,
method: "patch",
...args,
});
},
},
};
};
20 changes: 11 additions & 9 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading