fix: security hardening phase 1

- Enforce ENCRYPTION_KEY on mainnet startup (hard-fail if missing)
- Extend invoice expiry by 30 min on payment detection (prevent stuck detected invoices)
- Redact memo and amount from info-level logs (moved to debug)
- Webhook retry: fail closed on secret decrypt error instead of fallback to raw ciphertext
- Remove premature try_detect_fee from mempool path (fix fee ledger consistency)
- Normalize confirmed webhook payload across all code paths (always include price_zec, received_zec, overpaid)
- Admin key comparison: use subtle::ConstantTimeEq for HMAC tag comparison
- Session validation: remove expected memo from error response
- Update roadmap: add payment link server-side resolution, refine rate limiting scope

Author: Kenbak

Cargo.lock

@@ -37,6 +37,7 @@ hmac = "0.12"
 hex = "0.4"
 rand = "0.8"
 base64 = "0.22"
+subtle = "2"
 
 # QR code generation
 qrcode = "0.14"

Cargo.toml

@@ -32,9 +32,9 @@ Privacy-preserving Zcash payment gateway. Non-custodial, shielded-only.
 - [x] `ALLOWED_ORIGINS` config for production deployment
 - [x] Concurrent batch raw tx fetching (futures::join_all, batches of 20)
 - [x] CipherScan raw tx endpoint (`GET /api/tx/{txid}/raw`)
-- [ ] Rate limiting on public endpoints (actix-web-middleware or tower)
-- [ ] Invoice lookup auth (merchant can only see own invoices)
-- [ ] Merchant registration guard (admin key or invite-only in production)
+- [ ] **Payment link server-side resolution** — move invoice creation from public API endpoint (`POST /api/payment-links/{slug}/checkout`) into the Next.js server component. Invoice creation happens server-to-server (authenticated with internal key), removing the unauthenticated public endpoint entirely. Follows Stripe's model: buyers load a web page, not an API. Page-level protection via Vercel/Cloudflare.
+- [ ] Rate limiting on public endpoints — per-API-key for authenticated routes, per-IP for remaining unauthenticated routes (registration). `actix-governor` keyed limiters, `429` with `Retry-After`.
+- [ ] Invoice lookup auth (merchant can only see own invoices via API; checkout page unaffected)
 - [ ] Input validation hardening (UFVK format check, address validation)
 - [x] **Switch from UFVK to UIVK storage** — accept UFVK or UIVK at registration, derive and store only the UIVK (discard FVK). Existing merchants migrated on startup. Reduces data exposure per principle of least privilege.
 - [ ] **Account deletion cooldown** — schedule deletion for 48h instead of immediate hard-delete. Protects against compromised sessions. Merchant can cancel within the window. After 48h, purge all data (viewing keys, invoices, products, sessions).

ROADMAP.md

@@ -2,6 +2,7 @@ use actix_web::web;
 use hmac::{Hmac, Mac};
 use sha2::Sha256;
 use sqlx::SqlitePool;
+use subtle::ConstantTimeEq;
 
 type HmacSha256 = Hmac<Sha256>;
 
@@ -33,7 +34,7 @@ pub fn authenticate_admin(req: &actix_web::HttpRequest) -> bool {
     mac2.update(provided.as_bytes());
     let provided_tag = mac2.finalize().into_bytes();
 
-    expected_tag == provided_tag
+    expected_tag.ct_eq(&provided_tag).into()
 }
 
 fn unauthorized() -> actix_web::HttpResponse {

src/api/admin.rs

@@ -125,7 +125,7 @@ pub async fn open(
 
         if session_outputs.is_empty() {
             return HttpResponse::BadRequest().json(serde_json::json!({
-                "error": format!("No output with session memo found. Expected memo: {}", expected_memo),
+                "error": "No output with matching session memo found in transaction",
             }));
         }
         session_outputs.iter().map(|o| o.amount_zatoshis as i64).sum()

src/api/sessions.rs

@@ -99,4 +99,13 @@ impl Config {
     pub fn fee_enabled(&self) -> bool {
         self.fee_address.is_some() && self.fee_ufvk.is_some() && self.fee_rate > 0.0
     }
+
+    pub fn validate(&self) -> anyhow::Result<()> {
+        if !self.is_testnet() && self.encryption_key.is_empty() {
+            anyhow::bail!(
+                "ENCRYPTION_KEY is required in production (mainnet). Set a 64-char hex key."
+            );
+        }
+        Ok(())
+    }
 }

src/config.rs

@@ -249,12 +249,16 @@ pub async fn create_invoice(
 
     tracing::info!(
         invoice_id = %id,
-        memo = %memo_code,
         currency = %currency,
-        amount = %amount,
         diversifier_index = div_index,
         "Invoice created with unique address"
     );
+    tracing::debug!(
+        invoice_id = %id,
+        memo = %memo_code,
+        amount = %amount,
+        "Invoice details"
+    );
 
     Ok(CreateInvoiceResponse {
         invoice_id: id,
@@ -356,13 +360,17 @@ pub async fn get_pending_invoices(pool: &SqlitePool) -> anyhow::Result<Vec<Invoi
 /// Returns true if the status actually changed (used to gate webhook dispatch).
 pub async fn mark_detected(pool: &SqlitePool, invoice_id: &str, txid: &str, received_zatoshis: i64) -> anyhow::Result<bool> {
     let now = Utc::now().format("%Y-%m-%dT%H:%M:%SZ").to_string();
+    let new_expires = (Utc::now() + Duration::minutes(30))
+        .format("%Y-%m-%dT%H:%M:%SZ")
+        .to_string();
     let result = sqlx::query(
-        "UPDATE invoices SET status = 'detected', detected_txid = ?, detected_at = ?, received_zatoshis = ?
+        "UPDATE invoices SET status = 'detected', detected_txid = ?, detected_at = ?, received_zatoshis = ?, expires_at = ?
          WHERE id = ? AND status IN ('pending', 'underpaid')"
     )
     .bind(txid)
     .bind(&now)
     .bind(received_zatoshis)
+    .bind(&new_expires)
     .bind(invoice_id)
     .execute(pool)
     .await?;

src/invoices/mod.rs

@@ -35,6 +35,7 @@ async fn main() -> anyhow::Result<()> {
         .init();
 
     let config = config::Config::from_env()?;
+    config.validate()?;
     let pool = db::create_pool(&config.database_url).await?;
     db::migrate_encrypt_ufvks(&pool, &config.encryption_key).await?;
     db::migrate_ufvk_to_uivk(&pool, &config.encryption_key).await?;

src/main.rs

@@ -238,7 +238,8 @@ async fn scan_mempool(
                 Ok(outputs) => {
                     for output in &outputs {
                         let recipient_hex = hex::encode(output.recipient_raw);
-                        tracing::info!(txid, memo = %output.memo, amount = output.amount_zec, "Decrypted mempool tx");
+                        tracing::info!(txid, "Decrypted mempool output");
+                        tracing::debug!(txid, memo = %output.memo, amount = output.amount_zec, "Decrypted output details");
 
                         if let Some(invoice) = matching::find_matching_invoice(&pending, &recipient_hex, &output.memo) {
                             let entry = invoice_totals.entry(invoice.id.clone())
@@ -275,7 +276,6 @@ async fn scan_mempool(
                     let overpaid = new_received > invoice.price_zatoshis + 1000;
                     spawn_payment_webhook(pool, http, invoice_id, "detected", txid,
                         invoice.price_zatoshis, new_received, overpaid, &config.encryption_key);
-                    try_detect_fee(pool, config, raw_hex, invoice_id).await;
                 }
             } else if invoice.status == "pending" {
                 invoices::mark_underpaid(pool, invoice_id, new_received, txid).await?;
@@ -311,7 +311,10 @@ async fn scan_blocks(
                     Ok(true) => {
                         let changed = invoices::mark_confirmed(pool, &invoice.id).await?;
                         if changed {
-                            spawn_webhook(pool, http, &invoice.id, "confirmed", txid, &config.encryption_key);
+                            let overpaid = invoice.received_zatoshis > invoice.price_zatoshis + 1000;
+                            spawn_payment_webhook(pool, http, &invoice.id, "confirmed", txid,
+                                invoice.price_zatoshis, invoice.received_zatoshis, overpaid,
+                                &config.encryption_key);
                             on_invoice_confirmed(pool, http, config, invoice).await;
                         }
                     }

src/scanner/mod.rs

@@ -365,8 +365,17 @@ pub async fn retry_failed(pool: &SqlitePool, http: &reqwest::Client, encryption_
     .await?;
 
     for (id, url, payload, raw_secret, attempts) in rows {
-        let secret = crate::crypto::decrypt_webhook_secret(&raw_secret, encryption_key)
-            .unwrap_or(raw_secret);
+        let secret = match crate::crypto::decrypt_webhook_secret(&raw_secret, encryption_key) {
+            Ok(s) => s,
+            Err(e) => {
+                tracing::error!(delivery_id = %id, error = %e, "Failed to decrypt webhook secret, marking delivery failed");
+                sqlx::query("UPDATE webhook_deliveries SET status = 'failed', response_error = 'Webhook secret decryption failed' WHERE id = ?")
+                    .bind(&id)
+                    .execute(pool)
+                    .await?;
+                continue;
+            }
+        };
         if let Err(reason) = crate::validation::resolve_and_check_host(&url) {
             tracing::warn!(delivery_id = %id, %url, %reason, "Webhook retry blocked: SSRF protection");
             sqlx::query("UPDATE webhook_deliveries SET status = 'failed' WHERE id = ?")