fix: validate opennode callback body with zod

Anshumancanrock · Anshumancanrock · commit 695c9c70b5b0 · 2026-04-18T22:22:12.000+05:30
diff --git a/src/controllers/callbacks/opennode-callback-controller.ts b/src/controllers/callbacks/opennode-callback-controller.ts
@@ -9,6 +9,8 @@ import { getRemoteAddress } from '../../utils/http'
 import { hmacSha256 } from '../../utils/secret'
 import { IController } from '../../@types/controllers'
 import { IPaymentsService } from '../../@types/services'
+import { opennodeWebhookCallbackBodySchema } from '../../schemas/opennode-callback-schema'
+import { validateSchema } from '../../utils/validation'
 
 const debug = createLogger('opennode-callback-controller')
 
@@ -22,12 +24,6 @@ export class OpenNodeCallbackController implements IController {
     response: Response,
   ) {
     debug('request headers: %o', request.headers)
-    debug(
-      'request body metadata: hasId=%s hasHashedOrder=%s status=%s',
-      typeof request.body?.id === 'string',
-      typeof request.body?.hashed_order === 'string',
-      typeof request.body?.status === 'string' ? request.body.status : 'missing',
-    )
 
     const settings = createSettings()
     const remoteAddress = getRemoteAddress(request, settings)
@@ -41,22 +37,24 @@ export class OpenNodeCallbackController implements IController {
       return
     }
 
-    const validStatuses = ['expired', 'refunded', 'unpaid', 'processing', 'underpaid', 'paid']
-
-    if (
-      !request.body
-      || typeof request.body.id !== 'string'
-      || typeof request.body.hashed_order !== 'string'
-      || typeof request.body.status !== 'string'
-      || !validStatuses.includes(request.body.status)
-    ) {
+    const bodyValidation = validateSchema(opennodeWebhookCallbackBodySchema)(request.body)
+    if (bodyValidation.error) {
+      debug('opennode callback request rejected: invalid body %o', bodyValidation.error)
       response
         .status(400)
         .setHeader('content-type', 'text/plain; charset=utf8')
-        .send('Bad Request')
+        .send('Malformed body')
       return
     }
 
+    const body = bodyValidation.value
+    debug(
+      'request body metadata: hasId=%s hasHashedOrder=%s status=%s',
+      typeof body.id === 'string',
+      typeof body.hashed_order === 'string',
+      body.status,
+    )
+
     const openNodeApiKey = process.env.OPENNODE_API_KEY
     if (!openNodeApiKey) {
       debug('OPENNODE_API_KEY is not configured; unable to verify OpenNode callback from %s', remoteAddress)
@@ -67,8 +65,8 @@ export class OpenNodeCallbackController implements IController {
       return
     }
 
-    const expectedBuf = hmacSha256(openNodeApiKey, request.body.id)
-    const actualHex = request.body.hashed_order
+    const expectedBuf = hmacSha256(openNodeApiKey, body.id)
+    const actualHex = body.hashed_order
     const expectedHexLength = expectedBuf.length * 2
 
     if (
@@ -105,8 +103,8 @@ export class OpenNodeCallbackController implements IController {
     }
 
     const invoice: Pick<Invoice, 'id' | 'status'> = {
-      id: request.body.id,
-      status: statusMap[request.body.status],
+      id: body.id,
+      status: statusMap[body.status],
     }
 
     debug('invoice', invoice)
diff --git a/src/schemas/opennode-callback-schema.ts b/src/schemas/opennode-callback-schema.ts
@@ -1,6 +1,14 @@
 import { pubkeySchema } from './base-schema'
 import { z } from 'zod'
 
+const openNodeCallbackStatuses = ['expired', 'refunded', 'unpaid', 'processing', 'underpaid', 'paid'] as const
+
+export const opennodeWebhookCallbackBodySchema = z.object({
+  id: z.string(),
+  hashed_order: z.string(),
+  status: z.enum(openNodeCallbackStatuses),
+}).passthrough()
+
 export const opennodeCallbackBodySchema = z.object({
   id: z.string(),
   status: z.string(),
diff --git a/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts b/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts
@@ -87,7 +87,7 @@ describe('OpenNodeCallbackController', () => {
     expect(updateInvoiceStatusStub).not.to.have.been.called
   })
 
-  it('returns bad request for malformed callback bodies', async () => {
+  it('returns malformed body for invalid callback bodies', async () => {
     request.body = {
       id: 'invoice-id',
     }
@@ -96,11 +96,11 @@ describe('OpenNodeCallbackController', () => {
 
     expect(statusStub).to.have.been.calledOnceWithExactly(400)
     expect(setHeaderStub).to.have.been.calledOnceWithExactly('content-type', 'text/plain; charset=utf8')
-    expect(sendStub).to.have.been.calledOnceWithExactly('Bad Request')
+    expect(sendStub).to.have.been.calledOnceWithExactly('Malformed body')
     expect(updateInvoiceStatusStub).not.to.have.been.called
   })
 
-  it('returns bad request for unknown status values', async () => {
+  it('returns malformed body for unknown status values', async () => {
     request.body = {
       hashed_order: 'some-hash',
       id: 'invoice-id',
@@ -110,7 +110,7 @@ describe('OpenNodeCallbackController', () => {
     await controller.handleRequest(request, response)
 
     expect(statusStub).to.have.been.calledOnceWithExactly(400)
-    expect(sendStub).to.have.been.calledOnceWithExactly('Bad Request')
+    expect(sendStub).to.have.been.calledOnceWithExactly('Malformed body')
     expect(updateInvoiceStatusStub).not.to.have.been.called
   })
 
diff --git a/test/unit/schemas/opennode-callback-schema.spec.ts b/test/unit/schemas/opennode-callback-schema.spec.ts
@@ -1,8 +1,39 @@
+import { opennodeCallbackBodySchema, opennodeWebhookCallbackBodySchema } from '../../../src/schemas/opennode-callback-schema'
 import { expect } from 'chai'
-import { opennodeCallbackBodySchema } from '../../../src/schemas/opennode-callback-schema'
 import { validateSchema } from '../../../src/utils/validation'
 
 describe('OpenNode Callback Schema', () => {
+  describe('opennodeWebhookCallbackBodySchema', () => {
+    const validWebhookBody = {
+      hashed_order: 'a'.repeat(64),
+      id: 'some-id',
+      status: 'paid',
+    }
+
+    it('returns no error if webhook body is valid', () => {
+      const result = validateSchema(opennodeWebhookCallbackBodySchema)(validWebhookBody)
+      expect(result.error).to.be.undefined
+    })
+
+    it('returns error if hashed_order is missing', () => {
+      const body = { ...validWebhookBody }
+      delete (body as any).hashed_order
+      const result = validateSchema(opennodeWebhookCallbackBodySchema)(body)
+      expect(result.error).to.exist
+      expect(result.error?.issues[0].path).to.deep.equal(['hashed_order'])
+    })
+
+    it('returns error if status is not in accepted values', () => {
+      const body = {
+        ...validWebhookBody,
+        status: 'not-a-valid-status',
+      }
+      const result = validateSchema(opennodeWebhookCallbackBodySchema)(body)
+      expect(result.error).to.exist
+      expect(result.error?.issues[0].path).to.deep.equal(['status'])
+    })
+  })
+
   describe('opennodeCallbackBodySchema', () => {
     const validBody = {
       id: 'some-id',
