fix: use timing-safe HMAC comparison in Nodeless callback controller

[Anshumancanrock]

Description

The Nodeless callback controller was using a plain !== string comparison to verify webhook HMAC signatures. This PR fixes it to use crypto.timingSafeEqual with proper Buffer comparison, matching how the OpenNode callback already handles it.

Also adds a guard for when NODELESS_WEBHOOK_SECRET is not set (previously this would throw a TypeError from createHmac)

Related Issue

Fixes #581

Motivation and Context

The OpenNode callback controller uses timingSafeEqual for its HMAC check, but the Nodeless controller was using !==. This is inconsistent and goes against the standard practice of using constant-time comparison for secret values.

Also, if NODELESS_WEBHOOK_SECRET was unset (e.g. on a relay using a different payment processor), any POST to /callbacks/nodeless would crash with a TypeError instead of returning a clean error response and removes the valid HMAC value from the signature mismatch log (the old code logged { expected, actual }, leaking the correct signature).

How Has This Been Tested?

• All 1051 existing unit tests pass
• Added 3 new test cases:
  • returns 403 when callback signature has wrong length
  • returns 403 when callback signature is a valid-length hex string but does not match
  • returns 500 when NODELESS_WEBHOOK_SECRET is not configured
• Biome lint passes (227 files, no issues)
• TypeScript build check passes (tsc --noEmit)

Screenshots (if appropriate):

N/A

Types of changes

• Non-functional change (docs, style, minor refactor)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my code changes.
• I added a changeset, or this is docs-only and I added an empty changeset.
• All new and existing tests passed.

[changeset-bot]

🦋 Changeset detected

Latest commit: d4fd38d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
nostream	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coveralls]

coverage: 64.077% (+0.06%) from 64.015% — Anshumancanrock:fix/nodeless-hmac-timing-safe-comparison into cameri:main