fix: route forward client to dedicated base URL #172
Open
armando-rodriguez-cko wants to merge 5 commits into
RuboCop Style/FileOpen flagged ApiClient#upload because File.open without a block could leak the file descriptor if build_multipart_request raises before the ensure block is entered. Wrap the file lifecycle in a block so closure is guaranteed even if the multipart builder fails.
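The leak this commit message describes, reproduced as an added example (not code from the PR or the SDK). The method names, the failing builder and the temp file are hypothetical stand-ins for `ApiClient#upload` and `build_multipart_request`.

```ruby
require 'tempfile'

# Hypothetical stand-in for the multipart builder: it always fails.
FAILING_BUILDER = ->(_file) { raise IOError, 'multipart build failed' }

# "Before" shape from the commit message: the builder runs after File.open
# but before begin/ensure, so a raise there never reaches file.close.
def upload_without_block(path, builder, opened)
  file = File.open(path, 'rb')
  opened << file
  request = builder.call(file)
  begin
    request
  ensure
    file.close
  end
end

# "After" shape: the block form closes the file however the block exits.
def upload_with_block(path, builder, opened)
  File.open(path, 'rb') do |file|
    opened << file
    builder.call(file)
  end
end

# Runs one variant against a constructed temp file with the failing builder
# and reports whether the handle was closed once the error had propagated.
def closed_after_failure?(variant)
  opened = []
  Tempfile.create('upload-sample') do |tmp|
    tmp.write('constructed sample payload')
    tmp.flush
    begin
      send(variant, tmp.path, FAILING_BUILDER, opened)
    rescue IOError
      # Expected: the builder failed.
    end
    closed = opened.first.closed?
    opened.each { |f| f.close unless f.closed? } # release the leaked handle
    closed
  end
end
```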
Per the AWS PrivateLink docs (https://www.checkout.com/docs/developer-resources/api/private-connections/aws-privatelink), the valid subdomain is the first eight characters of the client_id (alphanumeric only), optionally with the literal pl- prefix when calling through PrivateLink. Tighten the regex from RFC-1123-style hyphenated to /^(?:pl-)?[a-z0-9]+$/ and update the test corpus: test-123 moves to the rejected list, pl-vkuhvk4v (the docs example) joins the accepted list, and pl-, foo-bar are added as rejected.
david-ruiz-cko
requested changes
May 12, 2026
…tants Per the swagger spec, /forward/secrets endpoints require the forward:secrets scope in addition to forward, and all identity endpoints (applicants, identity-verifications, aml-verifications, face-authentications, id-document-verifications) require the identity-verification scope. Expose both as typed constants so OAuth clients can request them without hardcoding the strings.



Summary
The forward service lives on its own host (forward.{sandbox.,}checkout.com) in the swagger spec, not under api.checkout.com. This PR adds a dedicated forward_uri to Environment and routes the ForwardClient through it. It also tightens the subdomain validation regex to match the AWS PrivateLink prefix format documented at https://www.checkout.com/docs/developer-resources/api/private-connections/aws-privatelink — ^(?:pl-)?[a-z0-9]+$ (alphanumeric, optionally prefixed by the literal pl-). As a follow-up to a fresh RuboCop warning surfaced by the lint job, also wraps the file upload in File.open's block form to guarantee descriptor closure. Finally, exposes the missing forward:secrets and identity-verification OAuth scope constants.

The identity-verification services (applicants, identity-verifications, AML, face-authentications, ID document verifications) are also hosted on their own dedicated subdomain in swagger, but those endpoints are not yet implemented in this SDK — scope deferred to a follow-up.

Changes
lib/checkout_sdk/environment.rb — adds forward_uri accessor/parameter, sandbox/production values
lib/checkout_sdk/checkout_api.rb — adds forward_client helper; routes @forward to forward URI
lib/checkout_sdk/environment_subdomain.rb — tightens regex to /^(?:pl-)?[a-z0-9]+$/
lib/checkout_sdk/oauth_scopes.rb — adds FORWARD_SECRETS = 'forward:secrets' and IDENTITY_VERIFICATION = 'identity-verification'
lib/checkout_sdk/api_client.rb — ApiClient#upload switches from file = File.open(...) + ensure file.close to the block form File.open(...) do |file| ... end, fixing RuboCop Style/FileOpen and guaranteeing the descriptor is closed even if build_multipart_request raises before the inner begin/ensure block
spec/checkout_sdk/configuration/configuration_spec.rb — adds sandbox forward URL assertion; adds production forward URL test; updates subdomain corpus: removes test-123 from accepted, adds pl-vkuhvk4v (docs example), adds test-123 / foo-bar / pl- to rejected

API Reference
https://forward.checkout.com / https://forward.sandbox.checkout.com — forward service (POST /forward (beta), GET /forward/{id} (beta), POST /forward/secrets, GET|POST|DELETE /forward/secrets/{name}). Scopes: forward (plus forward:secrets for secrets endpoints).
https://pl-{prefix}.api.{sandbox.,}checkout.com — AWS PrivateLink subdomain format

Breaking changes
Environment#initialize now requires forward_uri as a positional parameter. Anyone constructing Environment directly (rather than via Environment.sandbox / Environment.production) must update.
test-123 or foo-bar-baz are rejected. Only plain alphanumeric or the literal PrivateLink form (pl-{prefix}) are accepted.

README
Not affected.
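A check of the subdomain grammar quoted in this PR, as an added example that is not code from the PR or the SDK. In Ruby, `^` and `$` anchor to lines rather than to the whole string, so the example compares the quoted pattern with a `\A...\z` form on the PR's corpus plus two constructed multi-line values. How the SDK applies its pattern is not shown on this page, and `PAGE_PATTERN`, `STRICT_PATTERN`, `valid_subdomain?`, `mismatches` and `api_host` are hypothetical names.

```ruby
# The pattern exactly as quoted in the PR; ^ and $ match at line boundaries.
PAGE_PATTERN = /^(?:pl-)?[a-z0-9]+$/
# Same grammar, anchored to the whole string with \A and \z.
STRICT_PATTERN = /\A(?:pl-)?[a-z0-9]+\z/

# Constructed corpus: the accepted/rejected values named in the PR, a plain
# alphanumeric value, and two multi-line inputs that tell the anchors apart.
CORPUS = {
  'vkuhvk4v' => true,
  'pl-vkuhvk4v' => true,
  'test-123' => false,
  'foo-bar' => false,
  'pl-' => false,
  "vkuhvk4v\n" => false,
  "vkuhvk4v\nexample.invalid" => false
}.freeze

def valid_subdomain?(value, pattern = STRICT_PATTERN)
  value.is_a?(String) && pattern.match?(value)
end

# Corpus values for which a pattern's verdict differs from the expected one.
def mismatches(pattern)
  CORPUS.reject { |value, expected| valid_subdomain?(value, pattern) == expected }.keys
end

# Builds a host in the pl-{prefix}.api.{sandbox.,}checkout.com layout listed
# in the PR, refusing any subdomain that fails the whole-string check.
def api_host(subdomain, sandbox: true)
  raise ArgumentError, "invalid subdomain: #{subdomain.inspect}" unless valid_subdomain?(subdomain)

  "#{subdomain}.api.#{sandbox ? 'sandbox.' : ''}checkout.com"
end
```

`mismatches(PAGE_PATTERN)` returns the two multi-line values, while `mismatches(STRICT_PATTERN)` is empty, so a spec corpus that includes a value with an embedded newline distinguishes the two anchorings.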