test: add unit tests for OpenNode callback controller and route

Author: Anshumancanrock

test/unit/controllers/callbacks/opennode-callback-controller.spec.ts

@@ -0,0 +1,159 @@
+import chai, { expect } from 'chai'
+import Sinon from 'sinon'
+import sinonChai from 'sinon-chai'
+
+import * as httpUtils from '../../../../src/utils/http'
+import * as settingsFactory from '../../../../src/factories/settings-factory'
+
+import { hmacSha256 } from '../../../../src/utils/secret'
+import { InvoiceStatus } from '../../../../src/@types/invoice'
+import { OpenNodeCallbackController } from '../../../../src/controllers/callbacks/opennode-callback-controller'
+
+chai.use(sinonChai)
+
+describe('OpenNodeCallbackController', () => {
+  let createSettingsStub: Sinon.SinonStub
+  let getRemoteAddressStub: Sinon.SinonStub
+  let updateInvoiceStatusStub: Sinon.SinonStub
+  let confirmInvoiceStub: Sinon.SinonStub
+  let sendInvoiceUpdateNotificationStub: Sinon.SinonStub
+  let statusStub: Sinon.SinonStub
+  let setHeaderStub: Sinon.SinonStub
+  let sendStub: Sinon.SinonStub
+  let controller: OpenNodeCallbackController
+  let request: any
+  let response: any
+  let previousOpenNodeApiKey: string | undefined
+
+  beforeEach(() => {
+    previousOpenNodeApiKey = process.env.OPENNODE_API_KEY
+    process.env.OPENNODE_API_KEY = 'test-api-key'
+
+    createSettingsStub = Sinon.stub(settingsFactory, 'createSettings').returns({
+      payments: { processor: 'opennode' },
+    } as any)
+    getRemoteAddressStub = Sinon.stub(httpUtils, 'getRemoteAddress').returns('127.0.0.1')
+
+    updateInvoiceStatusStub = Sinon.stub()
+    confirmInvoiceStub = Sinon.stub()
+    sendInvoiceUpdateNotificationStub = Sinon.stub()
+
+    controller = new OpenNodeCallbackController({
+      updateInvoiceStatus: updateInvoiceStatusStub,
+      confirmInvoice: confirmInvoiceStub,
+      sendInvoiceUpdateNotification: sendInvoiceUpdateNotificationStub,
+    } as any)
+
+    statusStub = Sinon.stub()
+    setHeaderStub = Sinon.stub()
+    sendStub = Sinon.stub()
+
+    response = {
+      send: sendStub,
+      setHeader: setHeaderStub,
+      status: statusStub,
+    }
+
+    statusStub.returns(response)
+    setHeaderStub.returns(response)
+    sendStub.returns(response)
+
+    request = {
+      body: {},
+      headers: {},
+    }
+  })
+
+  afterEach(() => {
+    getRemoteAddressStub.restore()
+    createSettingsStub.restore()
+
+    if (typeof previousOpenNodeApiKey === 'undefined') {
+      delete process.env.OPENNODE_API_KEY
+    } else {
+      process.env.OPENNODE_API_KEY = previousOpenNodeApiKey
+    }
+  })
+
+  it('rejects requests when OpenNode is not the configured payment processor', async () => {
+    createSettingsStub.returns({
+      payments: { processor: 'lnbits' },
+    } as any)
+
+    await controller.handleRequest(request, response)
+
+    expect(statusStub).to.have.been.calledOnceWithExactly(403)
+    expect(sendStub).to.have.been.calledOnceWithExactly('Forbidden')
+    expect(updateInvoiceStatusStub).not.to.have.been.called
+  })
+
+  it('returns bad request for malformed callback bodies', async () => {
+    request.body = {
+      id: 'invoice-id',
+    }
+
+    await controller.handleRequest(request, response)
+
+    expect(statusStub).to.have.been.calledOnceWithExactly(400)
+    expect(setHeaderStub).to.have.been.calledOnceWithExactly('content-type', 'text/plain; charset=utf8')
+    expect(sendStub).to.have.been.calledOnceWithExactly('Bad Request')
+    expect(updateInvoiceStatusStub).not.to.have.been.called
+  })
+
+  it('returns bad request for unknown status values', async () => {
+    request.body = {
+      hashed_order: 'some-hash',
+      id: 'invoice-id',
+      status: 'totally_made_up',
+    }
+
+    await controller.handleRequest(request, response)
+
+    expect(statusStub).to.have.been.calledOnceWithExactly(400)
+    expect(sendStub).to.have.been.calledOnceWithExactly('Bad Request')
+    expect(updateInvoiceStatusStub).not.to.have.been.called
+  })
+
+  it('rejects callbacks with mismatched hashed_order', async () => {
+    request.body = {
+      hashed_order: 'invalid',
+      id: 'invoice-id',
+      status: 'paid',
+    }
+
+    await controller.handleRequest(request, response)
+
+    expect(statusStub).to.have.been.calledOnceWithExactly(403)
+    expect(sendStub).to.have.been.calledOnceWithExactly('Forbidden')
+    expect(updateInvoiceStatusStub).not.to.have.been.called
+  })
+
+  it('accepts valid signed callbacks and processes the invoice update', async () => {
+    request.body = {
+      amount: 21,
+      created_at: '2026-04-11T00:00:00.000Z',
+      description: 'Admission fee',
+      hashed_order: hmacSha256('test-api-key', 'invoice-id').toString('hex'),
+      id: 'invoice-id',
+      lightning: {
+        expires_at: '2026-04-11T01:00:00.000Z',
+        payreq: 'lnbc1test',
+      },
+      order_id: 'pubkey',
+      status: 'unpaid',
+    }
+
+    updateInvoiceStatusStub.resolves({
+      confirmedAt: null,
+      status: InvoiceStatus.PENDING,
+    })
+
+    await controller.handleRequest(request, response)
+
+    expect(updateInvoiceStatusStub).to.have.been.calledOnce
+    expect(confirmInvoiceStub).not.to.have.been.called
+    expect(sendInvoiceUpdateNotificationStub).not.to.have.been.called
+    expect(statusStub).to.have.been.calledOnceWithExactly(200)
+    expect(sendStub).to.have.been.calledOnceWithExactly()
+  })
+})

test/unit/routes/callbacks.spec.ts

@@ -0,0 +1,80 @@
+import axios from 'axios'
+import { expect } from 'chai'
+import express from 'express'
+import Sinon from 'sinon'
+
+import * as openNodeControllerFactory from '../../../src/factories/controllers/opennode-callback-controller-factory'
+
+describe('callbacks router', () => {
+  let createOpenNodeCallbackControllerStub: Sinon.SinonStub
+  let receivedBody: unknown
+  let server: any
+
+  beforeEach(async () => {
+    receivedBody = undefined
+
+    createOpenNodeCallbackControllerStub = Sinon.stub(openNodeControllerFactory, 'createOpenNodeCallbackController').returns({
+      handleRequest: async (request: any, response: any) => {
+        receivedBody = request.body
+        response.status(200).send('OK')
+      },
+    } as any)
+
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    delete require.cache[require.resolve('../../../src/routes/callbacks')]
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const router = require('../../../src/routes/callbacks').default
+
+    const app = express()
+    app.use(router)
+
+    server = await new Promise((resolve) => {
+      const listeningServer = app.listen(0, () => resolve(listeningServer))
+    })
+  })
+
+  afterEach(async () => {
+    createOpenNodeCallbackControllerStub.restore()
+    delete require.cache[require.resolve('../../../src/routes/callbacks')]
+
+    if (server) {
+      await new Promise<void>((resolve, reject) => {
+        server.close((error: Error | undefined) => {
+          if (error) {
+            reject(error)
+            return
+          }
+
+          resolve()
+        })
+      })
+    }
+  })
+
+  it('parses form-urlencoded OpenNode callbacks', async () => {
+    const { port } = server.address()
+    const response = await axios.post(
+      `http://127.0.0.1:${port}/opennode`,
+      new URLSearchParams({
+        hashed_order: 'signature',
+        id: 'invoice-id',
+        order_id: 'pubkey',
+        status: 'paid',
+      }).toString(),
+      {
+        headers: {
+          'content-type': 'application/x-www-form-urlencoded',
+        },
+        validateStatus: () => true,
+      },
+    )
+
+    expect(response.status).to.equal(200)
+    expect(receivedBody).to.deep.equal({
+      hashed_order: 'signature',
+      id: 'invoice-id',
+      order_id: 'pubkey',
+      status: 'paid',
+    })
+  })
+})