chore(point-of-sale, card-service): update webhook handling (#3725)

* chore(card-service): rename `/payment-event` route to `/webhook`

* chore(point-of-sale): make webhook signature signing optional

* chore(testenv): update CARD_WEBHOOK_SERVICE_URL

* test(point-of-sale): allow optional webhook signature

Author: mkurapov

localenv/cloud-nine-wallet/docker-compose.yml

@@ -117,7 +117,7 @@ services:
       KEY_ID: 7097F83B-CB84-469E-96C6-2141C72E22C0
       OPERATOR_TENANT_ID: 438fa74a-fa7d-4317-9ced-dde32ece1787
       CARD_SERVICE_URL: 'http://cloud-nine-wallet-card-service:3007'
-      CARD_WEBHOOK_SERVICE_URL: 'http://cloud-nine-wallet-card-service:3007/payment-event'
+      CARD_WEBHOOK_SERVICE_URL: 'http://cloud-nine-wallet-card-service:3007/webhook'
     depends_on:
       - shared-database
       - shared-redis

packages/card-service/src/app.ts

@@ -63,9 +63,9 @@ export class App {
     )
 
     router.post<DefaultState, PaymentEventContext>(
-      '/payment-event',
+      '/webhook',
       createValidatorMiddleware<PaymentEventContext>(openApi.cardServerSpec, {
-        path: '/payment-event',
+        path: '/webhook',
         method: HttpMethod.POST
       }),
       paymentRoutes.handlePaymentEvent

packages/card-service/src/openapi/specs/card-server.yaml

@@ -105,7 +105,7 @@ paths:
       description: 'POS service calls this endpoint to initiate a payment request.'
       tags:
         - payment
-  /payment-event:
+  /webhook:
     post:
       summary: Handle payment event result from backend
       operationId: handlePaymentEvent

packages/point-of-sale/src/webhook-handlers/middleware.test.ts

@@ -58,18 +58,17 @@ describe('Webhook Signature Middleware', (): void => {
     expect(next).toHaveBeenCalled()
   })
 
-  test('Does not verify invalid signature header', async (): Promise<void> => {
+  test('Allows empty signature header', async (): Promise<void> => {
     const ctx = createWebhookSignatureContext(
       webhookBody,
       Config,
       appContainer.container
     )
     ctx.headers['rafiki-signature'] = undefined
-    await expect(webhookHttpSigMiddleware(ctx, next)).rejects.toMatchObject({
-      status: 401,
-      message: 'invalid webhook signature header'
-    })
-    expect(next).not.toHaveBeenCalled()
+
+    await webhookHttpSigMiddleware(ctx, next)
+    expect(ctx.response.status).toEqual(200)
+    expect(next).toHaveBeenCalled()
   })
 
   test('Does not verify invalid signature digest', async (): Promise<void> => {

packages/point-of-sale/src/webhook-handlers/middleware.ts

@@ -42,12 +42,10 @@ export async function webhookHttpSigMiddleware(
   // eslint-disable-next-line  @typescript-eslint/no-explicit-any
   next: () => Promise<any>
 ): Promise<void> {
-  if (!ctx.request.headers['rafiki-signature'])
-    ctx.throw(401, 'invalid webhook signature header')
-
   const config = await ctx.container.use('config')
 
   if (
+    ctx.request.headers['rafiki-signature'] &&
     !verifyWebhookSignatureDigest(
       ctx.request.headers['rafiki-signature'] as string,
       ctx.request,

test/testenv/cloud-nine-wallet/docker-compose.yml

@@ -43,7 +43,7 @@ services:
       OPERATOR_TENANT_ID: 438fa74a-fa7d-4317-9ced-dde32ece1787
       ADMIN_API_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964=
       ADMIN_API_SIGNATURE_VERSION: 1
-      CARD_WEBHOOK_SERVICE_URL: http://cloud-nine-wallet-test-card-service:3104/payment-event
+      CARD_WEBHOOK_SERVICE_URL: http://cloud-nine-wallet-test-card-service:3104/webhook
       SIGNATURE_SECRET: iyIgCprjb9uL8wFckR+pLEkJWMB7FJhgkvqhTQR/964= # webhook signature
       SIGNATURE_VERSION: 1
     volumes: