refactor: only register callback routes when their processor is active

Author: Anshumancanrock

.changeset/callback-routes-conditional-registration.md

@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+refactor: only register OpenNode, LNbits, and Zebedee callback routes when their processor is active

src/controllers/callbacks/lnbits-callback-controller.ts

@@ -25,13 +25,6 @@ export class LNbitsCallbackController implements IController {
 
     const settings = createSettings()
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor ?? 'null'
-
-    if (paymentProcessor !== 'lnbits') {
-      logger('denied request from %s to /callbacks/lnbits which is not the current payment processor', remoteAddress)
-      response.status(403).send('Forbidden')
-      return
-    }
 
     const queryValidation = validateSchema(lnbitsCallbackQuerySchema)(request.query)
     if (queryValidation.error) {

src/controllers/callbacks/opennode-callback-controller.ts

@@ -22,15 +22,6 @@ export class OpenNodeCallbackController implements IController {
 
     const settings = createSettings()
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor
-
-    if (paymentProcessor !== 'opennode') {
-      logger('denied request from %s to /callbacks/opennode which is not the current payment processor', remoteAddress)
-      response
-        .status(403)
-        .send('Forbidden')
-      return
-    }
 
     const bodyValidation = validateSchema(opennodeWebhookCallbackBodySchema)(request.body)
     if (bodyValidation.error) {

src/controllers/callbacks/zebedee-callback-controller.ts

@@ -30,20 +30,13 @@ export class ZebedeeCallbackController implements IController {
 
     const { ipWhitelist = [] } = settings.paymentsProcessors?.zebedee ?? {}
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor
 
     if (ipWhitelist.length && !ipWhitelist.includes(remoteAddress)) {
       logger('unauthorized request from %s to /callbacks/zebedee', remoteAddress)
       response.status(403).send('Forbidden')
       return
     }
 
-    if (paymentProcessor !== 'zebedee') {
-      logger('denied request from %s to /callbacks/zebedee which is not the current payment processor', remoteAddress)
-      response.status(403).send('Forbidden')
-      return
-    }
-
     const invoice = fromZebedeeInvoice(request.body)
 
     logger('invoice', invoice)

src/routes/callbacks/index.ts

@@ -12,10 +12,17 @@ const router: Router = Router()
 const settings = createSettings()
 const processor = settings.payments?.processor
 
-router
-  .post('/zebedee', json(), withController(createZebedeeCallbackController))
-  .post('/lnbits', json(), withController(createLNbitsCallbackController))
-  .post('/opennode', urlencoded({ extended: false }), json(), withController(createOpenNodeCallbackController))
+if (processor === 'zebedee') {
+  router.post('/zebedee', json(), withController(createZebedeeCallbackController))
+}
+
+if (processor === 'lnbits') {
+  router.post('/lnbits', json(), withController(createLNbitsCallbackController))
+}
+
+if (processor === 'opennode') {
+  router.post('/opennode', urlencoded({ extended: false }), json(), withController(createOpenNodeCallbackController))
+}
 
 if (processor === 'nodeless') {
   router.post(

test/unit/controllers/callbacks/lnbits-callback-controller.spec.ts

@@ -108,35 +108,6 @@ describe('LNbitsCallbackController', () => {
   })
 
   describe('authorization and validation', () => {
-    it('returns 403 when payment processor settings are missing', async () => {
-      createSettingsStub.returns({
-        network: { remoteIpHeader: 'x-forwarded-for' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.getInvoiceFromPaymentsProcessor).to.not.have.been.called
-    })
-
-    it('returns 403 when lnbits is not the configured processor', async () => {
-      createSettingsStub.returns({
-        ...baseSettings,
-        payments: { processor: 'opennode' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.getInvoiceFromPaymentsProcessor).to.not.have.been.called
-    })
-
     it('returns 403 for invalid query parameters', async () => {
       const { controller } = makeController()
       const res = makeRes()

test/unit/controllers/callbacks/opennode-callback-controller.spec.ts

@@ -99,20 +99,6 @@ describe('OpenNodeCallbackController', () => {
   })
 
   describe('authorization and validation', () => {
-    it('returns 403 when opennode is not the configured processor', async () => {
-      createSettingsStub.returns({
-        payments: { processor: 'lnbits' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
-    })
-
     it('returns 400 for malformed request body', async () => {
       const { controller, paymentsService } = makeController()
       const res = makeRes()

test/unit/controllers/callbacks/zebedee-callback-controller.spec.ts

@@ -136,21 +136,6 @@ describe('ZebedeeCallbackController', () => {
       expect(res.send).to.have.been.calledWith('Forbidden')
       expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
     })
-
-    it('returns 403 when zebedee is not the configured processor', async () => {
-      createSettingsStub.returns({
-        ...baseSettings,
-        payments: { processor: 'lnbits' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
-    })
   })
 
   describe('invoice state handling', () => {

test/unit/routes/callbacks.spec.ts

@@ -4,15 +4,21 @@ import express from 'express'
 import Sinon from 'sinon'
 
 import * as openNodeControllerFactory from '../../../src/factories/controllers/opennode-callback-controller-factory'
+import * as settingsFactory from '../../../src/factories/settings-factory'
 
 describe('callbacks router', () => {
   let createOpenNodeCallbackControllerStub: Sinon.SinonStub
+  let createSettingsStub: Sinon.SinonStub
   let receivedBody: unknown
   let server: any
 
   beforeEach(async () => {
     receivedBody = undefined
 
+    createSettingsStub = Sinon.stub(settingsFactory, 'createSettings').returns({
+      payments: { processor: 'opennode' },
+    } as any)
+
     createOpenNodeCallbackControllerStub = Sinon.stub(openNodeControllerFactory, 'createOpenNodeCallbackController').returns({
       handleRequest: async (request: any, response: any) => {
         receivedBody = request.body
@@ -35,6 +41,7 @@ describe('callbacks router', () => {
 
   afterEach(async () => {
     createOpenNodeCallbackControllerStub.restore()
+    createSettingsStub.restore()
     delete require.cache[require.resolve('../../../src/routes/callbacks')]
 
     if (server) {