24594151087

Committed 18 Apr 2026 01:47AM UTC coverage: 50.387% (+1.3%) from 49.12%

Build # 24594151087

Build Type

Pull #454

github

Committed by

web-flow

Commit Message

Merge a8d26a6d0 into 3cb65a66f

Pull Request Pull Request #454: fix: OpenNode callback accepts unauthenticated requests

Coverage Stats

496 of 1088 branches covered (45.59%)

Branch coverage included in aggregate %.

38 of 38 new or added lines in 2 files covered. (100.0%)

3 existing lines in 1 file now uncovered.

1392 of 2659 relevant lines covered (52.35%)

9.5 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

93.83

/src/controllers/callbacks/opennode-callback-controller.ts

import { timingSafeEqual } from 'crypto'

import { Request, Response } from 'express'

import { Invoice, InvoiceStatus } from '../../@types/invoice'
import { createLogger } from '../../factories/logger-factory'
import { createSettings } from '../../factories/settings-factory'
import { getRemoteAddress } from '../../utils/http'
import { hmacSha256 } from '../../utils/secret'
import { IController } from '../../@types/controllers'
import { IPaymentsService } from '../../@types/services'

const debug = createLogger('opennode-callback-controller')

export class OpenNodeCallbackController implements IController {
  public constructor(
    private readonly paymentsService: IPaymentsService,
  ) {}

  public async handleRequest(
    request: Request,
    response: Response,
  ) {
    debug('request headers: %o', request.headers)
    debug(
      'request body metadata: hasId=%s hasHashedOrder=%s status=%s',
      typeof request.body?.id === 'string',
      typeof request.body?.hashed_order === 'string',
      typeof request.body?.status === 'string' ? request.body.status : 'missing',
    )

    const settings = createSettings()
    const remoteAddress = getRemoteAddress(request, settings)
    const paymentProcessor = settings.payments?.processor

    if (paymentProcessor !== 'opennode') {
      debug('denied request from %s to /callbacks/opennode which is not the current payment processor', remoteAddress)
      response
        .status(403)
        .send('Forbidden')
      return
    }

    const validStatuses = ['expired', 'refunded', 'unpaid', 'processing', 'underpaid', 'paid']

    if (
      !request.body
      || typeof request.body.id !== 'string'
      || typeof request.body.hashed_order !== 'string'
      || typeof request.body.status !== 'string'
      || !validStatuses.includes(request.body.status)
    ) {
      response
        .status(400)
        .setHeader('content-type', 'text/plain; charset=utf8')
        .send('Bad Request')
      return
    }

    const openNodeApiKey = process.env.OPENNODE_API_KEY
    if (!openNodeApiKey) {
      debug('OPENNODE_API_KEY is not configured; unable to verify OpenNode callback from %s', remoteAddress)
      response
        .status(500)
        .setHeader('content-type', 'text/plain; charset=utf8')
        .send('Internal Server Error')
      return
    }

    const expectedBuf = hmacSha256(openNodeApiKey, request.body.id)
    const actualHex = request.body.hashed_order
    const expectedHexLength = expectedBuf.length * 2

    if (
      actualHex.length !== expectedHexLength
      || !/^[0-9a-f]+$/i.test(actualHex)
    ) {
      debug('invalid hashed_order format from %s to /callbacks/opennode', remoteAddress)
      response
        .status(400)
        .setHeader('content-type', 'text/plain; charset=utf8')
        .send('Bad Request')
      return
    }

    const actualBuf = Buffer.from(actualHex, 'hex')

    if (
      !timingSafeEqual(expectedBuf, actualBuf)
    ) {
      debug('unauthorized request from %s to /callbacks/opennode: hashed_order mismatch', remoteAddress)
      response
        .status(403)
        .send('Forbidden')
      return
    }

    const statusMap: Record<string, InvoiceStatus> = {
      expired: InvoiceStatus.EXPIRED,
      refunded: InvoiceStatus.EXPIRED,
      unpaid: InvoiceStatus.PENDING,
      processing: InvoiceStatus.PENDING,
      underpaid: InvoiceStatus.PENDING,
      paid: InvoiceStatus.COMPLETED,
    }

    const invoice: Pick<Invoice, 'id' | 'status'> = {
      id: request.body.id,
      status: statusMap[request.body.status],
    }

    debug('invoice', invoice)

    let updatedInvoice: Invoice
    try {
      updatedInvoice = await this.paymentsService.updateInvoiceStatus(invoice)
    } catch (error) {
      console.error(`Unable to persist invoice ${invoice.id}`, error)

      throw error
    }

    if (updatedInvoice.status !== InvoiceStatus.COMPLETED) {
      response
        .status(200)
        .send()

      return
    }

    if (!updatedInvoice.confirmedAt) {
      updatedInvoice.confirmedAt = new Date()
    }
    updatedInvoice.amountPaid = updatedInvoice.amountRequested

    try {
      await this.paymentsService.confirmInvoice({
        id: updatedInvoice.id,
        pubkey: updatedInvoice.pubkey,
        status: updatedInvoice.status,
        amountPaid: updatedInvoice.amountPaid,
        confirmedAt: updatedInvoice.confirmedAt,
      })
      await this.paymentsService.sendInvoiceUpdateNotification(updatedInvoice)
    } catch (error) {
      console.error(`Unable to confirm invoice ${invoice.id}`, error)

      throw error
    }

    response
      .status(200)
      .setHeader('content-type', 'text/plain; charset=utf8')
      .send('OK')
  }
}

1	import { timingSafeEqual } from 'crypto'	2✔
2
3	import { Request, Response } from 'express'
4
5	import { Invoice, InvoiceStatus } from '../../@types/invoice'	2✔
6	import { createLogger } from '../../factories/logger-factory'	2✔
7	import { createSettings } from '../../factories/settings-factory'	2✔
8	import { getRemoteAddress } from '../../utils/http'	2✔
9	import { hmacSha256 } from '../../utils/secret'	2✔
10	import { IController } from '../../@types/controllers'
11	import { IPaymentsService } from '../../@types/services'
12
13	const debug = createLogger('opennode-callback-controller')	2✔
14
15	export class OpenNodeCallbackController implements IController {	2✔
16	public constructor(
17	private readonly paymentsService: IPaymentsService,	8✔
18	) {}
19
20	public async handleRequest(
21	request: Request,
22	response: Response,
23	) {
24	debug('request headers: %o', request.headers)	8✔
25	debug(	8✔
26	'request body metadata: hasId=%s hasHashedOrder=%s status=%s',
27	typeof request.body?.id === 'string',
28	typeof request.body?.hashed_order === 'string',
29	typeof request.body?.status === 'string' ? request.body.status : 'missing',	8✔
30	)
31
32	const settings = createSettings()	8✔
33	const remoteAddress = getRemoteAddress(request, settings)	8✔
34	const paymentProcessor = settings.payments?.processor	8✔
35
36	if (paymentProcessor !== 'opennode') {	8✔
37	debug('denied request from %s to /callbacks/opennode which is not the current payment processor', remoteAddress)	1✔
38	response	1✔
39	.status(403)
40	.send('Forbidden')
41	return	1✔
42	}
43
44	const validStatuses = ['expired', 'refunded', 'unpaid', 'processing', 'underpaid', 'paid']	7✔
45
46	if (	7✔
47	!request.body	33✔
48	\|\| typeof request.body.id !== 'string'
49	\|\| typeof request.body.hashed_order !== 'string'
50	\|\| typeof request.body.status !== 'string'
51	\|\| !validStatuses.includes(request.body.status)
52	) {
53	response	2✔
54	.status(400)
55	.setHeader('content-type', 'text/plain; charset=utf8')
56	.send('Bad Request')
57	return	2✔
58	}
59
60	const openNodeApiKey = process.env.OPENNODE_API_KEY	5✔
61	if (!openNodeApiKey) {	5✔
62	debug('OPENNODE_API_KEY is not configured; unable to verify OpenNode callback from %s', remoteAddress)	1✔
63	response	1✔
64	.status(500)
65	.setHeader('content-type', 'text/plain; charset=utf8')
66	.send('Internal Server Error')
67	return	1✔
68	}
69
70	const expectedBuf = hmacSha256(openNodeApiKey, request.body.id)	4✔
71	const actualHex = request.body.hashed_order	4✔
72	const expectedHexLength = expectedBuf.length * 2	4✔
73
74	if (	4✔
75	actualHex.length !== expectedHexLength	7✔
76	\|\| !/^[0-9a-f]+$/i.test(actualHex)
77	) {
78	debug('invalid hashed_order format from %s to /callbacks/opennode', remoteAddress)	1✔
79	response	1✔
80	.status(400)
81	.setHeader('content-type', 'text/plain; charset=utf8')
82	.send('Bad Request')
83	return	1✔
84	}
85
86	const actualBuf = Buffer.from(actualHex, 'hex')	3✔
87
88	if (	3✔
89	!timingSafeEqual(expectedBuf, actualBuf)
90	) {
91	debug('unauthorized request from %s to /callbacks/opennode: hashed_order mismatch', remoteAddress)	1✔
92	response	1✔
93	.status(403)
94	.send('Forbidden')
95	return	1✔
96	}
97
98	const statusMap: Record<string, InvoiceStatus> = {	2✔
99	expired: InvoiceStatus.EXPIRED,
100	refunded: InvoiceStatus.EXPIRED,
101	unpaid: InvoiceStatus.PENDING,
102	processing: InvoiceStatus.PENDING,
103	underpaid: InvoiceStatus.PENDING,
104	paid: InvoiceStatus.COMPLETED,
105	}
106
107	const invoice: Pick<Invoice, 'id' \| 'status'> = {	2✔
108	id: request.body.id,
109	status: statusMap[request.body.status],
110	}
111
112	debug('invoice', invoice)	2✔
113
114	let updatedInvoice: Invoice
115	try {	2✔
116	updatedInvoice = await this.paymentsService.updateInvoiceStatus(invoice)	2✔
117	} catch (error) {
UNCOV 118	console.error(`Unable to persist invoice ${invoice.id}`, error)	×
119
120	throw error	×
121	}
122
123	if (updatedInvoice.status !== InvoiceStatus.COMPLETED) {	2✔
124	response	1✔
125	.status(200)
126	.send()
127
128	return	1✔
129	}
130
131	if (!updatedInvoice.confirmedAt) {	1!
132	updatedInvoice.confirmedAt = new Date()	1✔
133	}
134	updatedInvoice.amountPaid = updatedInvoice.amountRequested	1✔
135
136	try {	1✔
137	await this.paymentsService.confirmInvoice({	1✔
138	id: updatedInvoice.id,
139	pubkey: updatedInvoice.pubkey,
140	status: updatedInvoice.status,
141	amountPaid: updatedInvoice.amountPaid,
142	confirmedAt: updatedInvoice.confirmedAt,
143	})
144	await this.paymentsService.sendInvoiceUpdateNotification(updatedInvoice)	1✔
145	} catch (error) {
UNCOV 146	console.error(`Unable to confirm invoice ${invoice.id}`, error)	×
147
UNCOV 148	throw error	×
149	}
150
151	response	1✔
152	.status(200)
153	.setHeader('content-type', 'text/plain; charset=utf8')
154	.send('OK')
155	}
156	}

cameri / nostream / 24594151087

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous