feat: implement mobile money callback signature verification#150
Open
elijah4196 wants to merge 1 commit into
Open
feat: implement mobile money callback signature verification#150elijah4196 wants to merge 1 commit into
elijah4196 wants to merge 1 commit into
Conversation
…57#105) - Fix MTN callback: unverified callbacks now return 403 (was 401) - Add Airtel callback Bearer token verification middleware - Add Airtel callback route at /api/airtel with rate limiting - Add AIRTEL_CALLBACK_SECRET config entry in appConfig - Mount Airtel callback router in index.ts - Add unit tests for Airtel signature middleware (5 tests) - Add integration tests for Airtel callback route (4 tests) - Update MTN tests to expect 403 closes Pidoko257#105
|
@elijah4196 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
feat: implement mobile money callback signature verification (#105)
Summary
Adds provider-specific callback signature verification for MTN MoMo and Airtel Money inbound webhook callbacks. Unverified callbacks are rejected with HTTP 403 and logged as security anomaly events.
Changes
MTN MoMo (
src/middleware/mtnCallbackSignature.ts)MTN_CALLBACK_SECRET(subscription key) on theX-Callback-Signatureheadersha256=prefixed hex and plain base64 signature formatstimingSafeEqualsecurity.anomalyevent with reason codeAirtel Money — new
src/middleware/airtelCallbackSignature.tsAuthorization: Bearer {token}againstAIRTEL_CALLBACK_SECRETusingtimingSafeEqual. Missing = 403. Invalid = 403. Unconfigured = 500. All failures logged as security anomalies.src/routes/airtelCallbacks.tsingestRateLimiter→verifyAirtelCallbackSignature→POST /callback→{ status: "accepted" }src/config/appConfig.tsproviders.airtel.callbackSecretconfig entry (env:AIRTEL_CALLBACK_SECRET)src/index.tsapp.use("/api/airtel", airtelCallbacksRouter)Tests
src/middleware/__tests__/airtelCallbackSignature.test.tssrc/routes/__tests__/airtelCallbacks.test.tssrc/middleware/__tests__/mtnCallbackSignature.test.tssrc/routes/__tests__/mtnCallbacks.test.tsEnvironment Variables Required
Acceptance Criteria
X-Callback-Signatureheader using HMAC-SHA256 with subscription keyAuthorization: Bearertoken against expected shared secretcloses #105