fix(paghiper): Properly separate API key and token usage

- Use PAGHIPER_API_KEY for API requests and transaction creation
- Use PAGHIPER_TOKEN for webhook validation
- Improve webhook credential handling with getAppData helper
- Add proper validation for both credentials

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: leomp12

packages/apps/paghiper/src/functions-lib/handle-webhook.ts

@@ -3,6 +3,7 @@ import type { Request, Response } from 'firebase-functions/v1';
 import api from '@cloudcommerce/api';
 import { Endpoint } from '@cloudcommerce/api/types';
 import config, { logger } from '@cloudcommerce/firebase/lib/config';
+import getAppData from '@cloudcommerce/firebase/lib/helpers/get-app-data';
 import createAxios from './create-axios';
 
 const { apps } = config.get();
@@ -39,26 +40,27 @@ export default async (req: Request, res: Response) => {
   }
 
   logger.info(`> Paghiper notification for ${transactionCode}`);
-  // const docRef = (await collectionSubscription.doc(transactionCode).get()).data();
-  const Apps = (await api.get(
-    `applications?app_id=${apps.pagHiper.appId}&fields=hidden_data`,
-  )).data.result;
-  const configApp = Apps[0].hidden_data;
-  if (!process.env.PAGHIPER_TOKEN) {
-    const pagHiperToken = configApp?.paghiper_api_key;
-    if (typeof pagHiperToken === 'string' && pagHiperToken) {
-      process.env.PAGHIPER_TOKEN = pagHiperToken;
-    } else {
-      logger.warn('Missing PagHiper API token');
+  if (!process.env.PAGHIPER_API_KEY || !process.env.PAGHIPER_TOKEN) {
+    const appData = await getAppData('pagHiper');
+    if (appData.paghiper_api_key) {
+      process.env.PAGHIPER_API_KEY = appData.paghiper_api_key;
     }
+    if (appData.paghiper_token) {
+      process.env.PAGHIPER_TOKEN = appData.paghiper_token;
+    }
+  }
+  const { PAGHIPER_API_KEY, PAGHIPER_TOKEN } = process.env;
+  if (!PAGHIPER_API_KEY || !PAGHIPER_TOKEN) {
+    logger.warn('Missing PagHiper credentials');
+    return res.sendStatus(403);
   }
 
   try {
-    if (process.env.PAGHIPER_TOKEN && process.env.PAGHIPER_TOKEN === body.apiKey) {
+    if (PAGHIPER_API_KEY && PAGHIPER_API_KEY === body.apiKey) {
       // list order IDs for respective transaction code
       const orders = await listOrdersByTransaction(transactionCode);
       const paghiperResponse = await readNotification(
-        { ...body, token: process.env.PAGHIPER_TOKEN },
+        { ...body, token: PAGHIPER_TOKEN },
         isPix,
       );
 

packages/apps/paghiper/src/paghiper-create-transaction.ts

@@ -135,17 +135,17 @@ export default async (appData: AppModuleBody) => {
 
   const pagHiperToken = configApp.paghiper_api_key;
   if (typeof pagHiperToken === 'string' && pagHiperToken) {
-    process.env.PAGHIPER_TOKEN = pagHiperToken;
+    process.env.PAGHIPER_API_KEY = pagHiperToken;
   }
-  if (!process.env.PAGHIPER_TOKEN) {
+  if (!process.env.PAGHIPER_API_KEY) {
     logger.warn('Missing PagHiper API token');
     return {
       error: 'NO_PAGHIPER_KEYS',
       message: 'Chave de API não configurada (lojista deve configurar o aplicativo)',
     };
   }
 
-  paghiperTransaction.apiKey = process.env.PAGHIPER_TOKEN;
+  paghiperTransaction.apiKey = process.env.PAGHIPER_API_KEY;
   // merge configured banking billet options
   const options = configApp.banking_billet_options;
   if (typeof options === 'object' && options !== null) {

packages/apps/paghiper/src/paghiper-list-payments.ts

@@ -34,10 +34,10 @@ export default async (data: AppModuleBody) => {
     payment_gateways: [],
   };
 
-  if (!process.env.PAGHIPER_TOKEN) {
+  if (!process.env.PAGHIPER_API_KEY) {
     const pagHiperToken = configApp.paghiper_api_key;
     if (typeof pagHiperToken === 'string' && pagHiperToken) {
-      process.env.PAGHIPER_TOKEN = pagHiperToken;
+      process.env.PAGHIPER_API_KEY = pagHiperToken;
     } else {
       logger.warn('Missing PagHiper API token');