⚗️ server: add panda webhook signing key

nfmelendez · nfmelendez · commit d08819e12a4c · 2026-04-13T15:47:58.000-03:00
diff --git a/server/script/openapi.ts b/server/script/openapi.ts
@@ -18,6 +18,7 @@ process.env.MANTECA_API_URL = "https://manteca.test";
 process.env.MANTECA_WEBHOOKS_KEY = "manteca";
 process.env.PANDA_API_KEY = "panda";
 process.env.PANDA_API_URL = "https://panda.test";
+process.env.PANDA_SIGNING_KEY = "panda";
 process.env.PAX_API_KEY = "pax";
 process.env.PAX_API_URL = "https://pax.test";
 process.env.PAX_ASSOCIATE_ID_KEY = "pax";
diff --git a/server/utils/panda.ts b/server/utils/panda.ts
@@ -59,6 +59,9 @@ const baseURL = process.env.PANDA_API_URL;
 if (!process.env.PANDA_API_KEY) throw new Error("missing panda api key");
 const key = process.env.PANDA_API_KEY;
 
+if (!process.env.PANDA_SIGNING_KEY) throw new Error("missing panda signing key");
+const signingKey = process.env.PANDA_SIGNING_KEY;
+
 export async function createCard(userId: string, productId: typeof PLATINUM_PRODUCT_ID | typeof SIGNATURE_PRODUCT_ID) {
   return await request(
     CardResponse,
@@ -339,7 +342,7 @@ export function headerValidator() {
   return vValidator("header", object({ signature: string() }), async (r, c) => {
     if (!r.success) return c.text("bad request", 400);
     const payload = await c.req.arrayBuffer();
-    if (verifySignature({ signature: r.output.signature, signingKey: key, payload })) return;
+    if (verifySignature({ signature: r.output.signature, signingKey, payload })) return;
     return c.text("unauthorized", 401);
   });
 }
diff --git a/server/vitest.config.mts b/server/vitest.config.mts
@@ -47,6 +47,7 @@ NbrLH2v1stvRNgyr6ABzN78BmveLAkEAqMVzA7ZEOghYYB3hLgEASTRmdChN/P2Y
 OEW5okJDZmmfTeh96WBhKGaOczZuuYn88I3A6cKj1p8Yc7UZ1X8vvztY5P7N0YbL
 VuNOZKwaXFtqgA==
 -----END PRIVATE KEY-----`,
+      PANDA_SIGNING_KEY: "panda",
       PAX_API_KEY: "pax",
       PAX_API_URL: "https://pax.test",
       PAX_ASSOCIATE_ID_KEY: "pax",
