fix: OpenNode callback accepts unauthenticated requests#454
fix: OpenNode callback accepts unauthenticated requests#454cameri merged 14 commits intocameri:mainfrom
Conversation
Anshumancanrock
force-pushed
the
fix/opennode-webhook-validation
branch
from
f1cf70a to
f92d818
Compare
There was a problem hiding this comment.
Pull request overview
Fixes the OpenNode webhook callback so it correctly parses OpenNode’s form-encoded payloads and rejects unauthenticated/forged requests.
Changes:
- Adds
urlencoded()middleware to/callbacks/opennodesoapplication/x-www-form-urlencodedbodies are parsed. - Implements OpenNode webhook authentication by verifying
hashed_orderagainst an HMAC of the invoice/charge id. - Adds unit tests for OpenNode callback controller authorization/validation, plus a parsing-focused route test.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/unit/routes/callbacks.spec.ts | Adds a test intended to verify form-urlencoded bodies are parsed. |
| test/unit/controllers/callbacks/opennode-callback-controller.spec.ts | Adds unit coverage for OpenNode callback validation and processing. |
| src/routes/callbacks/index.ts | Updates the OpenNode callback route to include urlencoded() parsing. |
| src/controllers/callbacks/opennode-callback-controller.ts | Adds payment-processor gating and HMAC signature verification for OpenNode callbacks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Anshumancanrock
force-pushed
the
fix/opennode-webhook-validation
branch
from
f92d818 to
3dc52d8
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Anshumancanrock
force-pushed
the
fix/opennode-webhook-validation
branch
from
3dc52d8 to
4dafd0e
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Anshumancanrock
force-pushed
the
fix/opennode-webhook-validation
branch
from
4dafd0e to
5cc207c
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
hi @cameri , could you please review this PR? Thank you ! |
|
@copilot resolve the merge conflicts in this pull request |
…ennode-webhook-validation # Conflicts: # src/controllers/callbacks/opennode-callback-controller.ts
|
hii @cameri , I’ve resolved the merge conflicts. Please take another look when you get a chance. |
|
@Anshumancanrock some conflicts maybe with the other PR |
|
Coverage is 65.929% — Anshumancanrock:fix/opennode-webhook-validation into cameri:main. No base build found for |
…ennode-webhook-validation # Conflicts: # test/unit/controllers/callbacks/opennode-callback-controller.spec.ts
Description
Two bugs in the OpenNode callback handler
No signature verification. The controller accepted any request unconditionally. An attacker could POST to
/callbacks/opennodeand flip an invoice's status toCOMPLETEDin the database.Body was never parsed. OpenNode sends
application/x-www-form-urlencodedpayloads, but the route only registeredjson()middleware. Sorequest.bodywas always{}, the handler was running on empty input every time.This PR fixes both.
Closes #453
Testing
Added unit tests covering:
And a route-level test confirming the form-encoded body is actually parsed before hitting the controller.
Types of changes
Checklist