From eb1ba77d28ae18a3ff5f2a8f4867ae7b0d833b19 Mon Sep 17 00:00:00 2001
From: anshumancanrock <anshu.1239.as@gmail.com>
Date: Sun, 26 Apr 2026 22:20:19 +0530
Subject: [PATCH 1/3] fix: use timingSafeEqual for nodeless webhook HMAC
 verification

---
 .../callbacks/nodeless-callback-controller.ts | 39 ++++++++++++++----
 .../nodeless-callback-controller.spec.ts      | 41 +++++++++++++++++++
 2 files changed, 72 insertions(+), 8 deletions(-)

diff --git a/src/controllers/callbacks/nodeless-callback-controller.ts b/src/controllers/callbacks/nodeless-callback-controller.ts
index 72f01e4c..3d7ff073 100644
--- a/src/controllers/callbacks/nodeless-callback-controller.ts
+++ b/src/controllers/callbacks/nodeless-callback-controller.ts
@@ -1,3 +1,5 @@
+import { timingSafeEqual } from 'crypto'
+
 import { always, applySpec, ifElse, is, path, prop, propEq, propSatisfies } from 'ramda'
 import { Request, Response } from 'express'
 
@@ -20,6 +22,15 @@ export class NodelessCallbackController implements IController {
     logger('callback request headers: %o', request.headers)
     logger('callback request body: %O', request.body)
 
+    const settings = createSettings()
+    const paymentProcessor = settings.payments?.processor
+
+    if (paymentProcessor !== 'nodeless') {
+      logger('denied request to /callbacks/nodeless which is not the current payment processor')
+      response.status(403).send('Forbidden')
+      return
+    }
+
     const bodyValidation = validateSchema(nodelessCallbackBodySchema)(request.body)
     if (bodyValidation.error) {
       logger('nodeless callback request rejected: invalid body %o', bodyValidation.error)
@@ -30,20 +41,32 @@ export class NodelessCallbackController implements IController {
       return
     }
 
-    const settings = createSettings()
-    const paymentProcessor = settings.payments?.processor
+    const webhookSecret = process.env.NODELESS_WEBHOOK_SECRET
+    if (!webhookSecret) {
+      logger.error('NODELESS_WEBHOOK_SECRET is not configured; unable to verify Nodeless callback')
+      response
+        .status(500)
+        .setHeader('content-type', 'application/json; charset=utf8')
+        .send('{"status":"error","message":"Internal Server Error"}')
+      return
+    }
 
-    const expected = hmacSha256(process.env.NODELESS_WEBHOOK_SECRET, (request as any).rawBody).toString('hex')
-    const actual = request.headers['nodeless-signature']
+    const expectedBuf = hmacSha256(webhookSecret, (request as any).rawBody)
+    const actualHex = request.headers['nodeless-signature']
+    const expectedHexLength = expectedBuf.length * 2
 
-    if (expected !== actual) {
-      logger.error('nodeless callback request rejected: signature mismatch:', { expected, actual })
+    if (
+      typeof actualHex !== 'string' ||
+      actualHex.length !== expectedHexLength ||
+      !/^[0-9a-f]+$/i.test(actualHex)
+    ) {
+      logger('nodeless callback request rejected: invalid signature format')
       response.status(403).send('Forbidden')
       return
     }
 
-    if (paymentProcessor !== 'nodeless') {
-      logger('denied request from %s to /callbacks/nodeless which is not the current payment processor')
+    if (!timingSafeEqual(expectedBuf, Buffer.from(actualHex, 'hex'))) {
+      logger('nodeless callback request rejected: signature mismatch')
       response.status(403).send('Forbidden')
       return
     }
diff --git a/test/unit/controllers/callbacks/nodeless-callback-controller.spec.ts b/test/unit/controllers/callbacks/nodeless-callback-controller.spec.ts
index b0c91d3f..baca4fde 100644
--- a/test/unit/controllers/callbacks/nodeless-callback-controller.spec.ts
+++ b/test/unit/controllers/callbacks/nodeless-callback-controller.spec.ts
@@ -130,6 +130,47 @@ describe('NodelessCallbackController', () => {
       expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
     })
 
+    it('returns 403 when callback signature has wrong length', async () => {
+      const { controller, paymentsService } = makeController()
+      const res = makeRes()
+
+      await controller.handleRequest(makeReq({ signature: '0'.repeat(63) }), res)
+
+      expect(res.status).to.have.been.calledWith(403)
+      expect(res.send).to.have.been.calledWith('Forbidden')
+      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
+    })
+
+    it('returns 403 when callback signature is a valid-length hex string but does not match', async () => {
+      const { controller, paymentsService } = makeController()
+      const res = makeRes()
+
+      await controller.handleRequest(makeReq({ signature: '0'.repeat(64) }), res)
+
+      expect(res.status).to.have.been.calledWith(403)
+      expect(res.send).to.have.been.calledWith('Forbidden')
+      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
+    })
+
+    it('returns 500 when NODELESS_WEBHOOK_SECRET is not configured', async () => {
+      delete process.env.NODELESS_WEBHOOK_SECRET
+      const { controller, paymentsService } = makeController()
+      const res = makeRes()
+      const rawBody = Buffer.from(JSON.stringify(validBody))
+      const req = {
+        headers: { 'nodeless-signature': 'does-not-matter' },
+        body: validBody,
+        rawBody,
+      }
+
+      await controller.handleRequest(req as any, res)
+
+      expect(res.status).to.have.been.calledWith(500)
+      expect(res.setHeader).to.have.been.calledWith('content-type', 'application/json; charset=utf8')
+      expect(res.send).to.have.been.calledWith('{"status":"error","message":"Internal Server Error"}')
+      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
+    })
+
     it('returns 403 when nodeless is not the configured processor', async () => {
       createSettingsStub.returns({ payments: { processor: 'zebedee' } })
       const { controller, paymentsService } = makeController()

From c738a286a2e12020247fa530d3c7a32e3c64a672 Mon Sep 17 00:00:00 2001
From: anshumancanrock <anshu.1239.as@gmail.com>
Date: Sun, 26 Apr 2026 22:34:33 +0530
Subject: [PATCH 2/3] chore: add changeset for nodeless hmac fix

---
 .changeset/fix-nodeless-hmac-timing.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/fix-nodeless-hmac-timing.md

diff --git a/.changeset/fix-nodeless-hmac-timing.md b/.changeset/fix-nodeless-hmac-timing.md
new file mode 100644
index 00000000..d595bed5
--- /dev/null
+++ b/.changeset/fix-nodeless-hmac-timing.md
@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Use timingSafeEqual for Nodeless webhook HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET.

From a6c104adce7cc3c201b7b2942da7a989d237f627 Mon Sep 17 00:00:00 2001
From: anshumancanrock <anshu.1239.as@gmail.com>
Date: Sun, 26 Apr 2026 22:36:52 +0530
Subject: [PATCH 3/3] docs(changeset): Use timingSafeEqual for Nodeless webhook
 HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET

---
 .changeset/{fix-nodeless-hmac-timing.md => huge-trains-nail.md} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .changeset/{fix-nodeless-hmac-timing.md => huge-trains-nail.md} (66%)

diff --git a/.changeset/fix-nodeless-hmac-timing.md b/.changeset/huge-trains-nail.md
similarity index 66%
rename from .changeset/fix-nodeless-hmac-timing.md
rename to .changeset/huge-trains-nail.md
index d595bed5..9b093e72 100644
--- a/.changeset/fix-nodeless-hmac-timing.md
+++ b/.changeset/huge-trains-nail.md
@@ -2,4 +2,4 @@
 "nostream": patch
 ---
 
-Use timingSafeEqual for Nodeless webhook HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET.
+Use timingSafeEqual for Nodeless webhook HMAC verification and guard against missing NODELESS_WEBHOOK_SECRET