strapi-plugin-payone-provider 4.6.14 → 4.6.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-payone-provider",
-  "version": "4.6.14",
+  "version": "4.6.16",
   "description": "Strapi plugin for Payone payment gateway integration",
   "license": "MIT",
   "maintainers": [
@@ -10,10 +10,10 @@
     }
   ],
   "dependencies": {
+    "@uiw/react-json-view": "^2.0.0-alpha.40",
     "apple-pay-button": "^1.2.1",
     "axios": "^1.6.3",
-    "prop-types": "^15.7.2",
-    "@uiw/react-json-view": "^2.0.0-alpha.40"
+    "prop-types": "^15.7.2"
   },
   "devDependencies": {
     "react": "^18.2.0",
@@ -48,4 +48,4 @@
     "kind": "plugin",
     "displayName": "Strapi Payone Provider"
   }
-}
+}

package/server/controllers/payone.js

@@ -258,20 +258,17 @@ module.exports = ({ strapi }) => ({
 
   async handleTransactionStatus(ctx) {
     try {
-      if (!ctx.state.payoneAllowed) {
-        console.log("[Payone] Notification ignored (policy failed)");
-      } else {
-        const notificationData = ctx.request.body || {};
-        await getPayoneService(strapi).processTransactionStatus(notificationData);
-      }
+      const notificationData = ctx.request.body || {};
+      await getPayoneService(strapi).processTransactionStatus(notificationData);
+      console.warn("[Payone] Notification Status", {
+        ip: ctx.request.ip,
+      });
     } catch (error) {
-      console.log("[Payone TransactionStatus] Error:", error);
+      strapi.log.error("[Payone TransactionStatus] Error:", error);
     }
 
     ctx.status = 200;
     ctx.body = "TSOK";
     ctx.type = "text/plain";
   }
-
-
 });

package/server/policies/is-payone-notification.js

@@ -1,20 +1,46 @@
 module.exports = async (ctx) => {
-  const { request } = ctx;
+  const userAgent = ctx.request.headers["user-agent"] || "";
 
-  const userAgent = request.headers["user-agent"] || "";
+  // Forwarded header parsing
+  const rawForwarded = ctx.request.headers["x-forwarded-for"];
+  const forwardedIp = rawForwarded?.split(",")[0]?.trim();
+  const xRealIp = ctx.request.headers["x-real-ip"]?.trim();
+  // Custom nginx header
+  const payoneHeaderIp = ctx.request.headers["x-payone-client-ip"]?.trim();
+
+  // Final client IP resolution priority
   const clientIp =
-    request.headers["x-payone-client-ip"]?.trim() ||
-    request.headers["x-forwarded-for"]?.split(",")[0]?.trim() ||
-    request.ip ||
+    payoneHeaderIp ||
+    forwardedIp ||
+    xRealIp ||
+    ctx.request.ip ||
     "";
 
-  const isValid = userAgent === "PAYONE FinanceGate" && (clientIp.startsWith("185.60.20.") || clientIp === "54.246.203.105");
+  // ===== Allowed IPs =====
+  const allowedExactIps = [
+    "54.246.203.105",
+  ];
+
+  const allowedIpRanges = [
+    /^185\.60\.20\.\d+$/,   // 185.60.20.0 - 185.60.20.255
+  ];
+
+  const isIpAllowed =
+    allowedExactIps.includes(clientIp) ||
+    allowedIpRanges.some((regex) => regex.test(clientIp));
+
+  const isUserAgentValid = userAgent === "PAYONE FinanceGate";
+
+  const isValid = isIpAllowed && isUserAgentValid;
 
   ctx.state.payoneAllowed = isValid;
 
   if (!isValid) {
-    console.log("[Payone] Policy failed", { userAgent, clientIp });
+    console.warn("[Payone] Policy failed", {
+      userAgent,
+      clientIp,
+    });
   }
 
   return true;
-};
+};

package/server/routes/index.js

@@ -168,7 +168,7 @@ module.exports = {
         path: "/transaction-status",
         handler: "payone.handleTransactionStatus",
         config: {
-          policies: ["plugin::strapi-plugin-payone-provider.is-payone-notification"],
+          // policies: ["plugin::strapi-plugin-payone-provider.is-payone-notification"],
           auth: false
         }
       },