fix: use timing-safe HMAC comparison in Nodeless callback controller

[Anshumancanrock]

Description

The Nodeless callback controller was using a plain !== string comparison to verify webhook HMAC signatures. This PR fixes it to use crypto.timingSafeEqual with proper Buffer comparison, matching how the OpenNode callback already handles it.

Also adds a guard for when NODELESS_WEBHOOK_SECRET is not set (previously this would throw a TypeError from createHmac)

Related Issue

Fixes #581

Motivation and Context

The OpenNode callback controller uses timingSafeEqual for its HMAC check, but the Nodeless controller was using !==. This is inconsistent and goes against the standard practice of using constant-time comparison for secret values.

Also, if NODELESS_WEBHOOK_SECRET was unset (e.g. on a relay using a different payment processor), any POST to /callbacks/nodeless would crash with a TypeError instead of returning a clean error response and removes the valid HMAC value from the signature mismatch log (the old code logged { expected, actual }, leaking the correct signature).

How Has This Been Tested?

• All 1051 existing unit tests pass
• Added 3 new test cases:
  • returns 403 when callback signature has wrong length
  • returns 403 when callback signature is a valid-length hex string but does not match
  • returns 500 when NODELESS_WEBHOOK_SECRET is not configured
• Biome lint passes (227 files, no issues)
• TypeScript build check passes (tsc --noEmit)

Screenshots (if appropriate):

N/A

Types of changes

• Non-functional change (docs, style, minor refactor)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my code changes.
• I added a changeset, or this is docs-only and I added an empty changeset.
• All new and existing tests passed.

[changeset-bot]

🦋 Changeset detected

Latest commit: c48661a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
nostream	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coveralls]

coverage: 64.19% (+0.08%) from 64.107% — Anshumancanrock:fix/nodeless-hmac-timing-safe-comparison into cameri:main

[Anshumancanrock]

hii @cameri , could you please review this PR? Thanks !

[Anshumancanrock]

@copilot please review !

[Copilot]

Pull request overview

Improves security and robustness of the Nodeless webhook callback handler by switching to constant-time HMAC comparison and handling missing configuration without crashing.

Changes:

• Replace plain string comparison with crypto.timingSafeEqual using Buffer comparisons and signature format/length validation.
• Add a 500 response path when NODELESS_WEBHOOK_SECRET is unset to avoid runtime exceptions.
• Add unit tests covering signature length mismatch, signature mismatch, and missing secret configuration; include a patch changeset.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
src/controllers/callbacks/nodeless-callback-controller.ts	Implements timing-safe HMAC verification, validates signature format/length, and guards missing webhook secret.
test/unit/controllers/callbacks/nodeless-callback-controller.spec.ts	Adds unit tests for new verification/error paths (wrong length, mismatch, missing secret).
.changeset/huge-trains-nail.md	Records the patch-level change for release notes/versioning.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Anshumancanrock]

hii @cameri , Should I apply the same conditional route registration to the other payment processors (OpenNode, LNbits, Zebedee) ? They still have the in-controller check.

[cameri]

@Anshumancanrock yes but in a separate ticket