Commit 564d743

feat: validate inbound JWS + update deps and Node.js 24.15.0

Leverage @mojaloop/sdk-standard-components Jws.validator to verify fspiop-signature headers on inbound transactionRequests/authorizations. Gated by JWS_VALIDATE (default false). Keys loaded from JWS_VERIFICATION_KEYS_DIRECTORY with hot-reload via fs.watch. Added HapiRawPayload plugin and stream payload config for body parsing. Bad signatures return FSPIOP error 3105 / HTTP 400.

Update Node.js to 24.15.0 (Docker 24.14.1-alpine3.23). Add sdk-standard-components 19.18.8. Bump deps: hapi 21.4.8, central-services-shared 18.35.7, sinon 21.1.2, ncu 21.0.2. Add protobufjs overrides (7.5.5/8.0.1), convict 6.2.5, lodash 4.18.1, axios 1.15.0, and other transitive vulnerability overrides. 0 vulnerabilities. Add JWS unit tests for coverage.

Ref: mojaloop/project#4439
1 parent 4788f8c commit 564d743

9 files changed

Lines changed: 1543 additions & 583 deletions

.nvmrc

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
22.22.1
1+
24.15.0

Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
# Arguments
2-
ARG NODE_VERSION=22.22.0-alpine3.23
2+
ARG NODE_VERSION=24.14.1-alpine3.23
33

44
# NOTE: Ensure you set NODE_VERSION Build Argument as follows...
55
#
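
Review bot: The new `ARG NODE_VERSION=24.14.1-alpine3.23` pins a different Node.js patch release than the 24.15.0 this commit writes to .nvmrc, so local development and CI that follow .nvmrc will run a different runtime than the container image. The commit message acknowledges the difference but the Dockerfile does not; add a comment next to the ARG stating why the image tag lags, and align the two pins once a matching alpine tag can be used, so that the dependency audit result ("0 vulnerabilities") is checked against the runtime that actually ships.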

config/default.json

Lines changed: 7 additions & 0 deletions
@@ -26,6 +26,13 @@
2626
}
2727
},
2828
"SWITCH_ENDPOINT": "http://central-ledger.local:3001",
29+
"ENDPOINT_SECURITY": {
30+
"JWS": {
31+
"JWS_VALIDATE": false,
32+
"JWS_VERIFICATION_KEYS_DIRECTORY": "secrets/jwsVerificationKeys",
33+
"JWS_VALIDATE_PUT_PARTIES": false
34+
}
35+
},
2936
"ERROR_HANDLING": {
3037
"includeCauseExtension": true,
3138
"truncateExtensions": true
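
Review bot: `"JWS_VALIDATE": false` in the shipped default means any deployment that does not override this block keeps accepting inbound requests without checking fspiop-signature, so the new control is off unless an operator knows to enable it. Document the flag where operators configure the service and consider logging a clear startup message when validation is disabled. Two further points on the same block: `"JWS_VALIDATE_PUT_PARTIES"` is not described in the commit message, which only mentions transactionRequests/authorizations, so state what it controls in this service or drop it if unused; and `"secrets/jwsVerificationKeys"` is a relative path that will resolve against the process working directory, which is worth stating explicitly or replacing with an absolute path in deployment configs so the verifier cannot silently start with an empty or unintended key directory.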
