@mojaloop/central-services-shared 18.35.1-snapshot.0 → 18.35.2

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [18.35.2](https://github.com/mojaloop/central-services-shared/compare/v18.35.1...v18.35.2) (2026-01-28)
+
+
+### Bug Fixes
+
+* **iad-573:** fixed proxy-header validation ([#502](https://github.com/mojaloop/central-services-shared/issues/502)) ([4ac356f](https://github.com/mojaloop/central-services-shared/commit/4ac356f115bbb82a5a1b2ce781c954321958763a))
+
+### [18.35.1](https://github.com/mojaloop/central-services-shared/compare/v18.35.0...v18.35.1) (2026-01-23)
+
+
+### Bug Fixes
+
+* **csi-2030:** added logic to validate fspiop-proxy header ([#501](https://github.com/mojaloop/central-services-shared/issues/501)) ([b22dd5a](https://github.com/mojaloop/central-services-shared/commit/b22dd5a2bbc31ed6fb37b54df6d7b23185274c51))
+
 ## [18.35.0](https://github.com/mojaloop/central-services-shared/compare/v18.34.6...v18.35.0) (2026-01-22)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.35.1-snapshot.0",
+  "version": "18.35.2",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -73,7 +73,7 @@
     "@opentelemetry/api": "1.9.0",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.13.2",
+    "axios": "1.13.4",
     "clone": "2.1.2",
     "convict": "^6.2.4",
     "dotenv": "17.2.3",
@@ -109,7 +109,7 @@
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "19.3.1",
+    "npm-check-updates": "19.3.2",
     "nyc": "17.1.0",
     "portfinder": "1.0.38",
     "pre-commit": "1.2.2",
@@ -125,7 +125,7 @@
     "tapes": "4.1.0"
   },
   "overrides": {
-    "axios": "1.13.2",
+    "axios": "1.13.4",
     "qs": "6.14.1",
     "brace-expansion": "2.0.2",
     "form-data": "4.0.4",

package/src/util/hapi/plugins/headerValidation.js

@@ -159,7 +159,7 @@ const validateProxySourceHeaders = (headers = {}) => {
     return
   }
 
-  if (proxy && proxy !== clientId) {
+  if (proxy && (proxy !== clientId || proxy === source)) {
     const errMessage = errorMessages.INVALID_PROXY_HEADER
     logger.error(errMessage, { clientId, proxy, source })
     throw createFSPIOPError(Enums.FSPIOPErrorCodes.VALIDATION_ERROR, errMessage)

package/test/unit/util/hapi/plugins/headerValidation.test.js

@@ -412,7 +412,21 @@ Test('headerValidation plugin test', async (pluginTest) => {
       t.is(statusCode, 202)
     }))
 
-    vpshTests.test('should not throw error if needSourceValidation is false', tryCatchEndTest(async t => {
+    vpshTests.test('should throw error if proxy-header equals source-header', tryCatchEndTest(async t => {
+      const fspiopCode = ErrorHandling.Enums.FSPIOPErrorCodes.VALIDATION_ERROR
+      const sameId = 'dfspABC'
+
+      const { statusCode, result } = await testServer.inject({
+        method: 'get',
+        url: `/${resource}`,
+        headers: headersDto({ source: sameId, proxy: sameId, xClientId: sameId })
+      })
+      t.is(statusCode, fspiopCode.httpStatusCode)
+      t.is(result?.apiErrorCode?.code, fspiopCode.code)
+      t.is(result?.message, errorMessages.INVALID_PROXY_HEADER)
+    }))
+
+    vpshTests.test('should not throw error if needProxySourceValidation is false', tryCatchEndTest(async t => {
       const testServer = await init(false)
 
       const { statusCode } = await testServer.inject({