Skip to content

fix: OpenNode callback accepts unauthenticated requests#454

Open
Anshumancanrock wants to merge 6 commits intocameri:mainfrom
Anshumancanrock:fix/opennode-webhook-validation
Open

fix: OpenNode callback accepts unauthenticated requests#454
Anshumancanrock wants to merge 6 commits intocameri:mainfrom
Anshumancanrock:fix/opennode-webhook-validation

Conversation

@Anshumancanrock
Copy link
Copy Markdown
Contributor

@Anshumancanrock Anshumancanrock commented Apr 11, 2026

Description

Two bugs in the OpenNode callback handler

  1. No signature verification. The controller accepted any request unconditionally. An attacker could POST to /callbacks/opennode and flip an invoice's status to COMPLETED in the database.

  2. Body was never parsed. OpenNode sends application/x-www-form-urlencoded payloads, but the route only registered json() middleware. So request.body was always {} , the handler was running on empty input every time.

This PR fixes both.

Closes #453

Testing

Added unit tests covering:

  • wrong processor will throw 403
  • missing/malformed body fields will thow 400
  • invalid signature will thow 403
  • valid signed request = invoice processed

And a route-level test confirming the form-encoded body is actually parsed before hitting the controller.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • My code follows the code style of this project.
  • I have added tests to cover my code changes.
  • All new and existing tests passed.

@Anshumancanrock Anshumancanrock force-pushed the fix/opennode-webhook-validation branch from f1cf70a to f92d818 Compare April 11, 2026 06:44
@cameri cameri requested a review from Copilot April 11, 2026 09:27
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes the OpenNode webhook callback so it correctly parses OpenNode’s form-encoded payloads and rejects unauthenticated/forged requests.

Changes:

  • Adds urlencoded() middleware to /callbacks/opennode so application/x-www-form-urlencoded bodies are parsed.
  • Implements OpenNode webhook authentication by verifying hashed_order against an HMAC of the invoice/charge id.
  • Adds unit tests for OpenNode callback controller authorization/validation, plus a parsing-focused route test.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
test/unit/routes/callbacks.spec.ts Adds a test intended to verify form-urlencoded bodies are parsed.
test/unit/controllers/callbacks/opennode-callback-controller.spec.ts Adds unit coverage for OpenNode callback validation and processing.
src/routes/callbacks/index.ts Updates the OpenNode callback route to include urlencoded() parsing.
src/controllers/callbacks/opennode-callback-controller.ts Adds payment-processor gating and HMAC signature verification for OpenNode callbacks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock force-pushed the fix/opennode-webhook-validation branch from f92d818 to 3dc52d8 Compare April 11, 2026 10:04
@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 10:08
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock force-pushed the fix/opennode-webhook-validation branch from 3dc52d8 to 4dafd0e Compare April 11, 2026 10:33
@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 10:38
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock force-pushed the fix/opennode-webhook-validation branch from 4dafd0e to 5cc207c Compare April 11, 2026 10:49
@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 10:59
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 11:05
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 11:58
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 12:41
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock Anshumancanrock requested a review from Copilot April 11, 2026 15:37
Copilot AI reviewed Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Anshumancanrock
Copy link
Copy Markdown
Contributor Author

Anshumancanrock commented Apr 11, 2026

hi @cameri , could you please review this PR? Thank you !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] OpenNode callback accepts unauthenticated requests and never parses the webhook body

2 participants

@Anshumancanrock