Improve idempotency handling with deterministic key generation

elnafateh · elnafateh · commit 401d7ddb9855 · 2026-03-23T14:34:13.000+01:00
Introduce deterministic idempotency key generation when a client-provided key is absent.
The key is derived from canonical request payload with a time window to support safe retries.

Enhancements:
- deterministic retry behavior without client-provided keys
- proper JSON canonicalization (ordering, nested objects, null handling)

This change extends the existing idempotency mechanism without replacing it.
diff --git a/fineract-core/src/main/java/org/apache/fineract/commands/service/DeterministicIdempotencyKeyGenerator.java b/fineract-core/src/main/java/org/apache/fineract/commands/service/DeterministicIdempotencyKeyGenerator.java
@@ -0,0 +1,83 @@
+package org.apache.fineract.commands.service;
+
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import lombok.RequiredArgsConstructor;
+import org.apache.fineract.commands.domain.CommandWrapper;
+import org.springframework.stereotype.Component;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+
+@Component
+@RequiredArgsConstructor
+public class DeterministicIdempotencyKeyGenerator {
+
+    private final ObjectMapper objectMapper;
+
+    public String generate(String json) {
+        String canonical = toCanonicalString(json);
+        String window = currentTimeWindow();
+        return hash(canonical + ":" + window);
+    }
+
+    private String toCanonicalString(String json) {
+        try {
+            JsonNode node = objectMapper.readTree(json);
+            JsonNode canonical = canonicalize(node);
+            return objectMapper.writeValueAsString(canonical);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to canonicalize JSON", e);
+        }
+    }
+
+    private JsonNode canonicalize(JsonNode node) {
+        if (node.isObject()) {
+            ObjectNode sorted = objectMapper.createObjectNode();
+
+            List<String> fieldNames = new ArrayList<>();
+            node.fieldNames().forEachRemaining(fieldNames::add);
+            Collections.sort(fieldNames);
+
+            for (String field : fieldNames) {
+                sorted.set(field, canonicalize(node.get(field))); // recursion to resolve nested obj
+            }
+
+            return sorted;
+        }
+
+        if (node.isArray()) {
+            ArrayNode arrayNode = objectMapper.createArrayNode();
+            for (JsonNode element : node) {
+                arrayNode.add(canonicalize(element)); // recursion inside array
+            }
+            return arrayNode;
+        }
+
+        return node; // primitives + null
+    }
+
+    private String hash(String input) {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hashed = digest.digest(input.getBytes(StandardCharsets.UTF_8));
+            return Base64.getEncoder().encodeToString(hashed);
+        } catch (Exception e) {
+            throw new RuntimeException("Hashing failed", e);
+        }
+    }
+
+    private String currentTimeWindow() {
+        Instant now = Instant.now();
+        long window = now.getEpochSecond() / (5 * 60);
+        return String.valueOf(window);
+    }
+}
diff --git a/fineract-core/src/main/java/org/apache/fineract/commands/service/IdempotencyKeyResolver.java b/fineract-core/src/main/java/org/apache/fineract/commands/service/IdempotencyKeyResolver.java
@@ -30,10 +30,23 @@ public class IdempotencyKeyResolver {
 
     private final FineractRequestContextHolder fineractRequestContextHolder;
 
-    private final IdempotencyKeyGenerator idempotencyKeyGenerator;
+    private  final DeterministicIdempotencyKeyGenerator deterministicGenerator;
 
     public String resolve(CommandWrapper wrapper) {
-        return Optional.ofNullable(wrapper.getIdempotencyKey()).orElseGet(() -> getAttribute().orElseGet(idempotencyKeyGenerator::create));
+
+        // If wrapper already has key → use it
+        if (wrapper.getIdempotencyKey() != null) {
+            return wrapper.getIdempotencyKey();
+        }
+
+        // If request attribute exists (internal retry)
+        Optional<String> attributeKey = getAttribute();
+        if (attributeKey.isPresent()) {
+            return attributeKey.get();
+        }
+
+        // hybrid logic (external retry)
+        return deterministicGenerator.generate(wrapper.getJson());
     }
 
     private Optional<String> getAttribute() {
