
FIXES TODO in callbacks: implement strict validation for all payment callbacks #426

Merged: cameri merged 3 commits into cameri:main from Mohit-Davar:feat/callback-validation on Apr 18, 2026

@Mohit-Davar
Contributor

Description

This pull request implements strict request validation for all supported payment processor callbacks (LNbits, Nodeless, OpenNode, and Zebedee).

Changes include:

  • Centralised Schema Layer: Created callback-request-schemas.ts to isolate and manage third-party webhook structures.
  • Joi-based verification: Instead of relying on manual verification for every callback (like manually checking hex patterns or string lengths), I've moved everything to use Joi schemas, bringing the callback logic in line with how the rest of the project handles validation.

Related Issue

Resolves internal TODO: Validate markers in src/controllers/callbacks/.

Motivation and Context

The payment callback endpoints were previously processing external data without strict validation. This change ensures that all incoming webhooks from external processors are verified for correct structure and data types before any business logic is executed.

How Has This Been Tested?

I have implemented a unit test suite in callback-request-schemas.spec.ts

Screenshots (if appropriate):

Implemented these TODOs:

image

Test Cases:

image

Types of changes

  • Non-functional change (docs, style, minor refactor)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my code changes.
  • All new and existing tests passed.

@Mohit-Davar Mohit-Davar changed the title FIXES TODO in implement strict validation for all payment callbacks FIXES TODO in callbacks: implement strict validation for all payment callbacks Apr 9, 2026
@cameri
Owner

cameri commented Apr 10, 2026

@Mohit-Davar Appreciate your work here. Could you please create the issue for this PR?

Copilot AI left a comment


Pull request overview

This PR adds Joi-based request validation for incoming payment processor webhook callbacks (LNbits, Nodeless, OpenNode, Zebedee) by introducing centralized callback schemas and enforcing schema validation at the start of each callback controller.

Changes:

  • Added src/schemas/callback-request-schemas.ts to define Joi schemas for supported callback payloads/query params.
  • Updated each callback controller to validate incoming request bodies (and LNbits query) before running business logic.
  • Added a unit test suite covering the new callback schemas.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| test/unit/schemas/callback-request-schemas.spec.ts | Adds unit tests for the new callback request schemas. |
| src/schemas/callback-request-schemas.ts | Introduces Joi schemas for LNbits, Nodeless, OpenNode, and Zebedee callback payloads. |
| src/controllers/callbacks/zebedee-callback-controller.ts | Rejects requests with invalid Zebedee callback bodies (400) before processing. |
| src/controllers/callbacks/opennode-callback-controller.ts | Rejects requests with invalid OpenNode callback bodies (400) before processing. |
| src/controllers/callbacks/nodeless-callback-controller.ts | Rejects requests with invalid Nodeless callback bodies (400) before signature/processing. |
| src/controllers/callbacks/lnbits-callback-controller.ts | Validates LNbits callback query/body and replaces manual query/body checks with schema validation. |
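
The validate-then-process pattern this PR describes, as an added example that is not code from the pull request or from any participant in this thread. It uses a small dependency-free validator as a stand-in for a Joi object schema; the field names (`hmac`, `payment_hash`, `amount`, `status`) and the `handleCallback` helper are hypothetical, not the project's own.

```javascript
// Added example. Field names and helpers are hypothetical, not the project's schemas.
const HEX64 = /^[0-9a-f]{64}$/;

const rules = {
  hex64: (v) => typeof v === 'string' && HEX64.test(v),
  positiveInt: (v) => Number.isSafeInteger(v) && v > 0,
  oneOf: (...allowed) => (v) => typeof v === 'string' && allowed.includes(v),
};

// Hypothetical schemas for one processor's callback query string and JSON body.
const callbackQuerySchema = { hmac: rules.hex64 };
const callbackBodySchema = {
  payment_hash: rules.hex64,
  amount: rules.positiveInt,
  status: rules.oneOf('paid', 'expired'),
};

// Strict validation: every declared key is required and must pass its rule,
// and any undeclared key is rejected. hasOwnProperty (not `in`) is used so
// that keys such as "constructor" or "__proto__" never match the schema.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return ['payload must be an object'];
  }
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const errors = [];
  for (const [key, rule] of Object.entries(schema)) {
    if (!own(input, key)) errors.push(`"${key}" is required`);
    else if (!rule(input[key])) errors.push(`"${key}" is invalid`);
  }
  for (const key of Object.keys(input)) {
    if (!own(schema, key)) errors.push(`"${key}" is not allowed`);
  }
  return errors;
}

// Controller shape: validate query and body first, answer 400 on failure,
// and only then hand the request to business logic.
function handleCallback(request, processPayment) {
  const errors = [
    ...validate(callbackQuerySchema, request.query),
    ...validate(callbackBodySchema, request.body),
  ];
  if (errors.length > 0) return { status: 400, errors };
  processPayment(request.body);
  return { status: 200, errors: [] };
}
```

Structural validation of this kind only establishes that the payload is well formed; authenticating the sender (for example the signature step mentioned for Nodeless) remains a separate check.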

@Mohit-Davar Mohit-Davar force-pushed the feat/callback-validation branch 2 times, most recently from 3acb533 to 50c02ce Compare April 11, 2026 07:30
@Mohit-Davar Mohit-Davar force-pushed the feat/callback-validation branch from 50c02ce to 2bd7e76 Compare April 11, 2026 07:31
@cameri
Owner

cameri commented Apr 11, 2026

@Mohit-Davar kindly create the associated issue for this PR 🙏

@cameri cameri linked an issue Apr 11, 2026 that may be closed by this pull request
@Mohit-Davar
Contributor Author

@cameri Thank you for reviewing my PRs earlier and for the detailed feedback. I’ve addressed all the requested changes and updated the PRs accordingly.
Could you please let me know if anything else is required from my side, or if there are any additional improvements I should make before they can be merged?
I really appreciate your time and guidance. Looking forward to your feedback. 🙂

@cameri cameri self-assigned this Apr 18, 2026
@cameri cameri merged commit c1df122 into cameri:main Apr 18, 2026
9 checks passed

Development

Successfully merging this pull request may close these issues.

Implement strict validation for payment callback webhooks

3 participants