fix(pagarme): Handle optional env.PAGARME_WEBHOOK_SKIP_SIG for temp…

… signature skip May be necessary on API key changes
ecomplus · Aug 1, 2024 · bac8889 · bac8889
1 parent 2e22e5b
commit bac8889
Showing 1 changed file with 27 additions and 25 deletions.
diff --git a/packages/apps/pagarme/src/pagarme-webhook.ts b/packages/apps/pagarme/src/pagarme-webhook.ts
@@ -41,31 +41,33 @@ export const pagarme = {
         const orderId = pagarmeTransaction.metadata.order_id as ResourceId | undefined;
         if (typeof orderId === 'string' && /^[a-f0-9]{24}$/.test(orderId)) {
           logger.info(`Order ${orderId}`);
-          const urlSig = req.query.sig;
-          if (urlSig && typeof urlSig === 'string') {
-            const notificationSig = createHmac('sha256', process.env.PAGARME_TOKEN)
-              .update(orderId).digest('hex');
-            if (notificationSig !== urlSig) {
-              logger.warn('?sig argument is received with invalid hash');
-              res.sendStatus(401);
-              return;
-            }
-          } else {
-            // validate Pagar.me postback
-            // https://github.com/pagarme/pagarme-js/issues/170#issuecomment-503729557
-            const headerSig = req.headers['x-hub-signature'];
-            if (!headerSig || typeof headerSig !== 'string') {
-              res.sendStatus(403);
-              return;
-            }
-            const verifyBody = qs.stringify(req.body);
-            const sigHeader = headerSig.replace('sha1=', '');
-            if (
-              !Pagarme.postback
-                .verifySignature(process.env.PAGARME_TOKEN, verifyBody, sigHeader)
-            ) {
-              res.sendStatus(401);
-              return;
+          if (`${process.env.PAGARME_WEBHOOK_SKIP_SIG}`.toLowerCase() !== 'true') {
+            const urlSig = req.query.sig;
+            if (urlSig && typeof urlSig === 'string') {
+              const notificationSig = createHmac('sha256', process.env.PAGARME_TOKEN)
+                .update(orderId).digest('hex');
+              if (notificationSig !== urlSig) {
+                logger.warn('?sig argument is received with invalid hash');
+                res.sendStatus(401);
+                return;
+              }
+            } else {
+              // validate Pagar.me postback
+              // https://github.com/pagarme/pagarme-js/issues/170#issuecomment-503729557
+              const headerSig = req.headers['x-hub-signature'];
+              if (!headerSig || typeof headerSig !== 'string') {
+                res.sendStatus(403);
+                return;
+              }
+              const verifyBody = qs.stringify(req.body);
+              const sigHeader = headerSig.replace('sha1=', '');
+              if (
+                !Pagarme.postback
+                  .verifySignature(process.env.PAGARME_TOKEN, verifyBody, sigHeader)
+              ) {
+                res.sendStatus(401);
+                return;
+              }
             }
           }
           try {