From d9a2f636919896ebaf1d041680785b8b57442e41 Mon Sep 17 00:00:00 2001
From: Juan Pablo Vial
Date: Tue, 3 Jun 2025 22:11:57 -0400
Subject: [PATCH] Use webhook secrets to validate
---
 app/setup/settings/urls.php | 3 +-
 app/src/Service/Venta/MediosPago/Toku.php | 36 +++++++++++++++++++----
 2 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/app/setup/settings/urls.php b/app/setup/settings/urls.php
index 5b908c0..01b7b7d 100644
--- a/app/setup/settings/urls.php
+++ b/app/setup/settings/urls.php
@@ -44,9 +44,8 @@ return [
 'externalPaths' => [
 '/api/external' => [
 '/toku/success' => [
- 'validator' => Incoviba\Service\Venta\MediosPago\Toku::class,
+ 'validator' => $container->get(Incoviba\Service\Venta\MediosPago\Toku::class),
 'token' => $container->get('TOKU_TOKEN'),
- 'secret' => $container->get('TOKU_WEBHOOK_SECRET'),
 ]
 ],
 ]
diff --git a/app/src/Service/Venta/MediosPago/Toku.php b/app/src/Service/Venta/MediosPago/Toku.php
index 997619a..7794050 100644
--- a/app/src/Service/Venta/MediosPago/Toku.php
+++ b/app/src/Service/Venta/MediosPago/Toku.php
@@ -1,10 +1,9 @@ hasHeader('User-Agent') or !str_starts_with($request->getHeaderLine('User-Agent'), 'Toku-Webhooks')) { return false;
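Review bot: `'validator' => $container->get(Incoviba\Service\Venta\MediosPago\Toku::class)` resolves the Toku service eagerly while this settings array is built, so Toku and whatever it depends on (a database connection, judging by the second file) are constructed whenever this config is loaded, not only on a `/toku/success` request. If the code that reads `'validator'` can resolve a class name through the container, the previous `Toku::class` form kept construction lazy; if it needs an instance, a closure such as `'validator' => fn () => $container->get(Incoviba\Service\Venta\MediosPago\Toku::class),` would defer it while still yielding the object at dispatch time. The consumer of this entry is outside this diff, so treat the lazy-vs-eager choice as something to confirm against it.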
@@ -423,9 +431,27 @@ class Toku extends Ideal\Service return false; } $eventId = $json['id']; - return HMAC::validate($timestamp, $signature, $eventId, $tokenConfig['secret']); + $eventType = $json['event_type']; + + $query = $this->connection->getQueryBuilder() + ->select('secret') + ->from('toku_webhooks') + ->where('enabled = ? AND event_type LIKE ?'); + $params = [true, "%\"{$eventType}\"%"]; + $statement = $this->connection->prepare($query); + $statement->execute($params); + $results = $statement->fetchColumn(); + if (count($results) === 0) { + return false; + } + + if (array_any($results, fn($secret) => HMAC::validate($timestamp, $signature, $eventId, $secret))) { + return true; + } + } catch (Throwable $throwable) { - return false; + $this->logger->error($throwable); } + return false; } }
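Review bot: `$results = $statement->fetchColumn();` yields a single scalar, or `false` when no row matched (assuming `prepare()` returns a PDOStatement), so the following `count($results)` throws a TypeError on PHP 8 that the `catch (Throwable)` below logs and converts into `return false` — every webhook would be rejected even when a valid secret exists, and `$statement->fetchAll(\PDO::FETCH_COLUMN)` is what the `count()`/`array_any()` lines actually expect. `$eventType = $json['event_type'];` takes a request-body value with no presence or type check and interpolates it into the LIKE pattern; it is bound as a parameter, so not an injection, but a missing key raises a warning and produces the pattern `%""%`, and `%`/`_` inside the value act as wildcards that widen the set of secrets tried, so validate it as a non-empty string and escape the wildcards before building the pattern. `array_any()` only exists from PHP 8.4; if the project's PHP floor is lower it is an undefined function and the same catch path rejects all webhooks, so a plain `foreach` is the safer form unless 8.4 is confirmed. The enclosing method starts before this hunk.
```php
$eventId = $json['id'];
$eventType = $json['event_type'] ?? null;
if (!is_string($eventType) || $eventType === '') {
    return false;
}
// … unchanged: query builder select/from/where …
// Escape LIKE wildcards so the request-supplied value matches literally
// (assumes the database's default backslash escape character).
$params = [true, '%"' . addcslashes($eventType, '%_\\') . '"%'];
$statement = $this->connection->prepare($query);
$statement->execute($params);
$secrets = $statement->fetchAll(\PDO::FETCH_COLUMN);
foreach ($secrets as $secret) {
    if (HMAC::validate($timestamp, $signature, $eventId, $secret)) {
        return true;
    }
}
// … unchanged: catch (Throwable) logging and final return false …
```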