2nd review changes

app/controllers/webhooks_controller.rb

@@ -81,7 +81,7 @@ def moneyhash
       webhook_source: :moneyhash,
       code: params[:code].presence,
       payload: JSON.parse(request.body.read),
-      # signature: request.headers["Moneyhash-Signature"], # TODO: Implement moneyhash signature
+      signature: request.headers["MoneyHash-Signature"],
       event_type: params[:type]
     )
 

app/models/payment_providers/moneyhash_provider.rb

@@ -22,7 +22,7 @@ class MoneyhashProvider < BaseProvider
     validates :api_key, presence: true
     validates :flow_id, presence: true, length: {maximum: 20}
 
-    secrets_accessors :api_key
+    secrets_accessors :api_key, :signature_key
     settings_accessors :flow_id
 
     def self.api_base_url

app/services/dunning_campaigns/update_service.rb

@@ -37,8 +37,6 @@ def permitted_attributes
     end
 
     def handle_thresholds
-      thresholds_updated = false
-
       input_threshold_ids = params[:thresholds].map { |t| t[:id] }.compact
 
       # Delete thresholds not included in the payload

app/services/payment_providers/moneyhash/validate_incoming_webhook_service.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "openssl"
+require "base64"
+
 module PaymentProviders
   module Moneyhash
     class ValidateIncomingWebhookService < BaseService
@@ -12,21 +15,33 @@ def initialize(payload:, signature:, payment_provider:)
       end
 
       def call
-        # TODO: Implement moneyhash validation
+        # extract timestamp and v3_signature from signature
+        timestamp, v3_signature = signature.split(",").each_with_object({}) do |part, hash|
+          key, value = part.split("=")
+          hash[key] = value if %w[t v3].include?(key)
+        end.values_at("t", "v3")
 
-        result
+        # validate signature
+        secret = webhook_secret
+        decoded_body = Base64.strict_encode64(payload.to_json)
+
+        to_sign = "#{decoded_body}#{timestamp}"
 
-        # TODO:
-        # rescue Moneyhash::SignatureVerificationError
-        #   result.service_failure!(code: "webhook_error", message: "Invalid signature")
+        calculated_signature = OpenSSL::HMAC.hexdigest("SHA256", secret, to_sign)
+
+        if calculated_signature != v3_signature
+          result.service_failure!(code: "webhook_error", message: "Invalid signature")
+        end
+
+        result
       end
 
       private
 
       attr_reader :payload, :signature, :provider
 
       def webhook_secret
-        # TODO:
+        provider.signature_key
       end
     end
   end

app/services/payment_providers/moneyhash_service.rb

@@ -20,7 +20,7 @@ def create_or_update(**args)
         payment_provider_type: "moneyhash"
       )
 
-      moneyhash_provider = if payment_provider_result.success?
+      @moneyhash_provider = if payment_provider_result.success?
         payment_provider_result.payment_provider
       else
         PaymentProviders::MoneyhashProvider.new(
@@ -29,13 +29,18 @@ def create_or_update(**args)
         )
       end
 
-      moneyhash_provider.api_key
       old_code = moneyhash_provider.code
       moneyhash_provider.api_key = args[:api_key] if args.key?(:api_key)
       moneyhash_provider.code = args[:code] if args.key?(:code)
       moneyhash_provider.name = args[:name] if args.key?(:name)
       moneyhash_provider.flow_id = args[:flow_id] if args.key?(:flow_id)
 
+      if moneyhash_provider.signature_key.blank?
+        signature_result = get_signature_key
+        return signature_result unless signature_result.success?
+        moneyhash_provider.signature_key = signature_result.signature_key
+      end
+
       moneyhash_provider.save(validate: false)
 
       if payment_provider_code_changed?(moneyhash_provider, old_code, args)
@@ -74,8 +79,24 @@ def event_to_payment_status(event_code)
       end
     end
 
+    attr_reader :moneyhash_provider
+
     private
 
+    def get_signature_key
+      response = LagoHttpClient::Client.new(
+        "#{::PaymentProviders::MoneyhashProvider.api_base_url}/api/v1/organizations/get-webhook-signature-key/"
+      ).get(
+        headers: {
+          "X-Api-Key" => moneyhash_provider.api_key
+        }
+      )
+      result.signature_key = response["data"]["webhook_signature_secret"]
+      result
+    rescue LagoHttpClient::HttpError => e
+      result.service_failure!(code: "moneyhash_error", message: "#{e.error_code}: #{e.error_body}")
+    end
+
     def event_handlers
       {
         "intent.processed" => method(:handle_intent_event),

spec/fixtures/moneyhash/webhook_signature_response.json

@@ -0,0 +1,13 @@
+{
+  "status": {
+    "code": 200,
+    "message": "success",
+    "errors": []
+  },
+  "data": {
+    "webhook_signature_secret": "oVZo2bro-a7UBN3k9QFlsSz6cN_Zrdt9KCWk4_5q2lo="
+  },
+  "count": 1,
+  "next": null,
+  "previous": null
+}

spec/requests/webhooks_controller_spec.rb

@@ -287,7 +287,7 @@
           webhook_source: :moneyhash,
           code:,
           payload: body,
-          # signature:, # TODO:
+          signature: "t=1743090080,v1=placeholder,v2=placeholder,v3=placeholder",
           event_type: body["type"]
         )
         .and_return(result)
@@ -298,7 +298,8 @@
         "/webhooks/moneyhash/#{organization_id}?code=#{code}",
         params: body.to_json,
         headers: {
-          "Content-Type" => "application/json"
+          "Content-Type" => "application/json",
+          "Moneyhash-Signature" => "t=1743090080,v1=placeholder,v2=placeholder,v3=placeholder"
         }
       )
 
@@ -317,7 +318,8 @@
           "/webhooks/moneyhash/#{organization_id}?code=#{code}",
           params: body.to_json,
           headers: {
-            "Content-Type" => "application/json"
+            "Content-Type" => "application/json",
+            "Moneyhash-Signature" => "t=1743090080,v1=placeholder,v2=placeholder,v3=placeholder"
           }
         )
 

spec/services/payment_providers/moneyhash/validate_incoming_webhook_service_spec.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe PaymentProviders::Moneyhash::ValidateIncomingWebhookService, type: :service do
+  subject(:result) do
+    described_class.call(payload:, signature:, payment_provider:)
+  end
+
+  let(:payload) { "webhook_payload" }
+  let(:signature) { "t=1743090080,v1=placeholder,v2=placeholder,v3=ca13480c8142f2f2b44822c764909027974e84b3e8c94457a314f129d8d60148" }
+  let(:payment_provider) { create(:moneyhash_provider, signature_key: "test_signature_key") }
+
+  it "return success when signature is valid" do
+    result = described_class.call(payload:, signature:, payment_provider:)
+    expect(result).to be_success
+  end
+
+  it "returns a service failure when signature is invalid" do
+    signature = "Moneyhash-Signature: t=1743090080,v1=placeholder,v2=placeholder,v3=invalid_signature"
+    result = described_class.call(payload:, signature:, payment_provider:)
+    expect(result).not_to be_success
+    expect(result.error).to be_a(BaseService::ServiceFailure)
+    expect(result.error.message).to eq("webhook_error: Invalid signature")
+  end
+end

spec/services/payment_providers/moneyhash_service_spec.rb

@@ -8,6 +8,35 @@
   let(:customer) { create(:customer, organization:) }
   let(:moneyhash_customer) { create(:moneyhash_customer, customer:) }
 
+  describe "#create_or_update" do
+    let(:webhook_signature_response) { JSON.parse(File.read(Rails.root.join("spec/fixtures/moneyhash/webhook_signature_response.json"))) }
+
+    before do
+      allow_any_instance_of(LagoHttpClient::Client).to receive(:get).and_return(webhook_signature_response) # rubocop:disable RSpec/AnyInstance
+    end
+
+    it "creates a new moneyhash provider with the webhook signature key" do
+      result = described_class.new.create_or_update(organization:, code: "test_code", name: "test_name", flow_id: "test_flow_id")
+      expect(result).to be_success
+      expect(result.moneyhash_provider).to be_a(PaymentProviders::MoneyhashProvider)
+      expect(result.moneyhash_provider.signature_key).to eq(webhook_signature_response.dig("data", "webhook_signature_secret"))
+      expect(result.moneyhash_provider.code).to eq("test_code")
+      expect(result.moneyhash_provider.name).to eq("test_name")
+      expect(result.moneyhash_provider.flow_id).to eq("test_flow_id")
+    end
+
+    it "updates the existing moneyhash provider but leaves the signature key unchanged" do
+      moneyhash_provider.update!(signature_key: "same_signature_key")
+      result = described_class.new.create_or_update(organization:, code: moneyhash_provider.code, name: "updated_name", flow_id: "updated_flow_id")
+      expect(result).to be_success
+      expect(result.moneyhash_provider).to be_a(PaymentProviders::MoneyhashProvider)
+      expect(result.moneyhash_provider.signature_key).to eq("same_signature_key")
+      expect(result.moneyhash_provider.code).to eq(moneyhash_provider.code)
+      expect(result.moneyhash_provider.name).to eq("updated_name")
+      expect(result.moneyhash_provider.flow_id).to eq("updated_flow_id")
+    end
+  end
+
   # Intent
   # handle event - intent.processed <-
   # handle event - intent.time_expired <-