---
issue: 064
title: "Backend: REQUEST_NETWORK_ALLOW_TEST_WEBHOOKS bypasses signature verification"
severity: high
domain: Payment
labels: [security, backend, webhook, test-bypass]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Backend: REQUEST_NETWORK_ALLOW_TEST_WEBHOOKS bypasses signature verification

**Severity:** high
**Domain:** Payment
**Labels:** security, backend, webhook, test-bypass

## Description

`REQUEST_NETWORK_ALLOW_TEST_WEBHOOKS` env flag disables HMAC signature verification on Request Network webhooks at `requestNetworkRoutes.ts:104` and `requestNetworkAdapter.ts:77`. If this flag is set in production (or if `NODE_ENV` is not production), any unauthenticated actor can forge a webhook and trigger payment completion.

## Options

1. Gate the bypass on `NODE_ENV === 'test'` only and ignore the env flag in production.
2. Require both `NODE_ENV !== 'production'` AND the flag.
3. Remove the env-flag bypass entirely; use a dedicated test harness.

## Recommendation

Allow the bypass only when `NODE_ENV === 'test'`; ignore `REQUEST_NETWORK_ALLOW_TEST_WEBHOOKS` in production. Apply the same fix in `requestNetworkAdapter.ts:77`.

## Affected Files

- `backend/src/services/payment/requestNetwork/requestNetworkRoutes.ts:104`
- `backend/src/services/payment/requestNetwork/requestNetworkAdapter.ts:77`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-25
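
A sketch of the gate described under Recommendation, added here as an example and not taken from the project's code. The function names, the HMAC-SHA256 hex signature format, and the `"true"` flag value are assumptions; the flag is kept as an extra opt-in inside `NODE_ENV === 'test'`, which is stricter than the recommendation requires.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Env = Record<string, string | undefined>;

// Bypass only under the test runner. An unset or non-"test" NODE_ENV never
// qualifies, so the flag by itself cannot disable verification.
// Assumption: the flag is enabled with the literal string "true".
function testBypassAllowed(env: Env): boolean {
  return env.NODE_ENV === "test" &&
    env.REQUEST_NETWORK_ALLOW_TEST_WEBHOOKS === "true";
}

// Hypothetical helper: hex HMAC-SHA256 over the raw request body.
function signBody(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Returns true only if the webhook may be processed. Fails closed when the
// secret or the signature is missing. Callers pass process.env as `env`.
function webhookAccepted(
  rawBody: string,
  signatureHex: string | undefined,
  secret: string | undefined,
  env: Env,
): boolean {
  if (testBypassAllowed(env)) return true;
  if (!secret || !signatureHex) return false;
  const expected = Buffer.from(signBody(rawBody, secret), "hex");
  const given = Buffer.from(signatureHex, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample input, not taken from the project.
const SAMPLE_SECRET = "constructed-webhook-secret";
const SAMPLE_BODY = JSON.stringify({ id: "constructed-1", status: "paid" });
```

Sharing one such function between `requestNetworkRoutes.ts` and `requestNetworkAdapter.ts` keeps the two call sites from drifting apart.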