feat(sdk): validate E2B API key format client-side #1356
Both SDKs now check that the configured API key matches `e2b_` followed by 40 hex characters and throw an AuthenticationError / AuthenticationException with an example token when it doesn't. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR Summary: Low Risk
Overview: Validation runs in
Reviewed by Cursor Bugbot for commit 5e02401.
🦋 Changeset detected
Latest commit: 5e02401
The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Package Artifacts
Built from 257b3ad. Download artifacts from this workflow run.
- JS SDK: `npm install ./e2b-2.26.1-mishushakov-sdk-api-key-validation.0.tgz`
- CLI: `npm install ./e2b-cli-2.10.3-mishushakov-sdk-api-key-validation.0.tgz`
- Python SDK: `pip install ./e2b-2.24.0+mishushakov.sdk.api.key.validation-py3-none-any.whl`
Real keys vary in length; mirror the server-side `VerifyKey` which only enforces the `e2b_` prefix and valid hex content. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 043f723.
Python's `$` matches before a trailing newline, so `e2b_abc\n` would have passed validation. `\Z` matches only the absolute end of string, mirroring the JS regex behavior. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
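The `$` versus `\Z` difference described in the commit message above, as an added Python example that is not the SDK's own code. The regex character class, `validate_api_key`, `compare` and the exception stub are assumptions, and all sample keys are constructed.

```python
import re

# Assumption: the page says only "e2b_ prefix and valid hex content"; the exact
# character class and case handling used by the SDK are not shown.
BODY = r"e2b_[0-9a-fA-F]+"
LOOSE = re.compile(rf"^{BODY}$")     # `$` also matches just before a final "\n"
STRICT = re.compile(rf"^{BODY}\Z")   # `\Z` matches only at the absolute end
EXAMPLE_KEY = "e2b_" + "0" * 40      # placeholder format example, not a real key


class AuthenticationException(Exception):
    """Local stand-in for the SDK exception named on the page."""


def validate_api_key(api_key):
    """Return the key unchanged, or raise without echoing the rejected value."""
    if not isinstance(api_key, str) or STRICT.match(api_key) is None:
        raise AuthenticationException(
            f"Invalid API key format; expected something like {EXAMPLE_KEY}"
        )
    return api_key


def compare(candidates):
    """Map each candidate to (passes with `$`, passes with `\\Z`, passes fullmatch)."""
    return {
        c: (
            LOOSE.match(c) is not None,
            STRICT.match(c) is not None,
            re.fullmatch(BODY, c) is not None,  # equivalent strict alternative
        )
        for c in candidates
    }


if __name__ == "__main__":
    # Constructed samples; "e2b_abc\n" models a key read from a file or env
    # var with its line ending still attached.
    samples = [EXAMPLE_KEY, "e2b_abc\n", "e2b_abc\n\n", "e2b_", "test-api-key"]
    for key, result in compare(samples).items():
        print(f"{key!r:48} $={result[0]!s:5} \\Z={result[1]!s:5} fullmatch={result[2]}")
```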
The mock_volume_api fixtures set E2B_API_KEY to 'test-api-key', which no longer passes the client-side validation added in this branch. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
matthewlouisbrockman left a comment
looks fine; it looks like we have the base api key though, can we use that const everywhere if possible instead of hardcoding it in places?
JS tests import TEST_API_KEY from tests/setup.ts; Python tests consume the new test_api_key fixture from tests/conftest.py instead of duplicating "e2b_" + "0" * 40 inline. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Summary
- `e2b_` followed by 40 hex characters (mirroring the server-side check in `infra/.../keys/key.go`) and throw `AuthenticationError`/`AuthenticationException` with an example token (`e2b_0000…`) and a link to the API Keys dashboard tab.
- `ApiClient`/`ApiClient.__init__` whenever an API key is present, so callers get immediate, actionable feedback instead of a generic 401 from the server.
- `validateApiKey.test.ts`, `test_validate_api_key.py`) and updated existing fixtures that used placeholder keys like `'test-key'`/`'base-api-key'` to use the valid format.

Test plan
- `pnpm run format`, `pnpm run lint`, `pnpm run typecheck`
- `pnpm exec vitest run tests/api/validateApiKey.test.ts tests/api/handleApiError.test.ts tests/sandbox/abortSignal.test.ts tests/template/abortSignal.test.ts tests/sandbox/configPropagation.test.ts tests/connectionConfig.test.ts`
- `poetry run pytest tests/test_validate_api_key.py tests/test_api_client_transport.py tests/sync/sandbox_sync/test_config_propagation.py tests/async/sandbox_async/test_config_propagation.py tests/test_connection_config.py`

🤖 Generated with Claude Code