cameri · Anshumancanrock · May 2, 2026 · May 3, 2026 · May 3, 2026 · May 3, 2026
diff --git a/.changeset/callback-routes-conditional-registration.md b/.changeset/callback-routes-conditional-registration.md
@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+refactor: only register OpenNode, LNbits, and Zebedee callback routes when their processor is active
diff --git a/src/controllers/callbacks/lnbits-callback-controller.ts b/src/controllers/callbacks/lnbits-callback-controller.ts
@@ -25,13 +25,6 @@ export class LNbitsCallbackController implements IController {
 
     const settings = createSettings()
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor ?? 'null'
-
-    if (paymentProcessor !== 'lnbits') {
-      logger('denied request from %s to /callbacks/lnbits which is not the current payment processor', remoteAddress)
-      response.status(403).send('Forbidden')
-      return
-    }
 
     const queryValidation = validateSchema(lnbitsCallbackQuerySchema)(request.query)
     if (queryValidation.error) {

diff --git a/src/controllers/callbacks/opennode-callback-controller.ts b/src/controllers/callbacks/opennode-callback-controller.ts
@@ -22,15 +22,6 @@ export class OpenNodeCallbackController implements IController {
 
     const settings = createSettings()
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor
-
-    if (paymentProcessor !== 'opennode') {
-      logger('denied request from %s to /callbacks/opennode which is not the current payment processor', remoteAddress)
-      response
-        .status(403)
-        .send('Forbidden')
-      return
-    }
 
     const bodyValidation = validateSchema(opennodeWebhookCallbackBodySchema)(request.body)
     if (bodyValidation.error) {

diff --git a/src/controllers/callbacks/zebedee-callback-controller.ts b/src/controllers/callbacks/zebedee-callback-controller.ts
@@ -30,20 +30,13 @@ export class ZebedeeCallbackController implements IController {
 
     const { ipWhitelist = [] } = settings.paymentsProcessors?.zebedee ?? {}
     const remoteAddress = getRemoteAddress(request, settings)
-    const paymentProcessor = settings.payments?.processor
 
     if (ipWhitelist.length && !ipWhitelist.includes(remoteAddress)) {
       logger('unauthorized request from %s to /callbacks/zebedee', remoteAddress)
       response.status(403).send('Forbidden')
       return
     }
 
-    if (paymentProcessor !== 'zebedee') {
-      logger('denied request from %s to /callbacks/zebedee which is not the current payment processor', remoteAddress)
-      response.status(403).send('Forbidden')
-      return
-    }
-
     const invoice = fromZebedeeInvoice(request.body)
 
     logger('invoice', invoice)

diff --git a/src/routes/callbacks/index.ts b/src/routes/callbacks/index.ts
@@ -1,4 +1,4 @@
-import { json, Router, urlencoded } from 'express'
+import { json, NextFunction, Request, Response, Router, urlencoded } from 'express'
 
 import { createLNbitsCallbackController } from '../../factories/controllers/lnbits-callback-controller-factory'
 import { createNodelessCallbackController } from '../../factories/controllers/nodeless-callback-controller-factory'
@@ -9,24 +9,30 @@ import { withController } from '../../handlers/request-handlers/with-controller-
 
 const router: Router = Router()
 
-const settings = createSettings()
-const processor = settings.payments?.processor
+const requireProcessor = (name: string) =>
+  (_req: Request, res: Response, next: NextFunction) => {
+    const settings = createSettings()
+    if (settings.payments?.processor !== name) {
+      res.status(403).send('Forbidden')
+      return
+    }
+    next()
+  }
 
 router
-  .post('/zebedee', json(), withController(createZebedeeCallbackController))
-  .post('/lnbits', json(), withController(createLNbitsCallbackController))
-  .post('/opennode', urlencoded({ extended: false }), json(), withController(createOpenNodeCallbackController))
-
-if (processor === 'nodeless') {
-  router.post(
+  .post('/zebedee', requireProcessor('zebedee'), json(), withController(createZebedeeCallbackController))
+  .post('/lnbits', requireProcessor('lnbits'), json(), withController(createLNbitsCallbackController))
+  .post('/opennode', requireProcessor('opennode'), urlencoded({ extended: false }), json(), withController(createOpenNodeCallbackController))
+  .post(
     '/nodeless',
+    requireProcessor('nodeless'),
     json({
       verify(req, _res, buf) {
         ;(req as any).rawBody = buf
       },
     }),
     withController(createNodelessCallbackController),
   )
-}
 
 export default router
+
diff --git a/test/unit/controllers/callbacks/lnbits-callback-controller.spec.ts b/test/unit/controllers/callbacks/lnbits-callback-controller.spec.ts
@@ -108,35 +108,6 @@ describe('LNbitsCallbackController', () => {
   })
 
   describe('authorization and validation', () => {
-    it('returns 403 when payment processor settings are missing', async () => {
-      createSettingsStub.returns({
-        network: { remoteIpHeader: 'x-forwarded-for' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.getInvoiceFromPaymentsProcessor).to.not.have.been.called
-    })
-
-    it('returns 403 when lnbits is not the configured processor', async () => {
-      createSettingsStub.returns({
-        ...baseSettings,
-        payments: { processor: 'opennode' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.getInvoiceFromPaymentsProcessor).to.not.have.been.called
-    })
-
     it('returns 403 for invalid query parameters', async () => {
       const { controller } = makeController()
       const res = makeRes()

diff --git a/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts b/test/unit/controllers/callbacks/opennode-callback-controller.spec.ts
@@ -99,20 +99,6 @@ describe('OpenNodeCallbackController', () => {
   })
 
   describe('authorization and validation', () => {
-    it('returns 403 when opennode is not the configured processor', async () => {
-      createSettingsStub.returns({
-        payments: { processor: 'lnbits' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
-    })
-
     it('returns 400 for malformed request body', async () => {
       const { controller, paymentsService } = makeController()
       const res = makeRes()

diff --git a/test/unit/controllers/callbacks/zebedee-callback-controller.spec.ts b/test/unit/controllers/callbacks/zebedee-callback-controller.spec.ts
@@ -136,21 +136,6 @@ describe('ZebedeeCallbackController', () => {
       expect(res.send).to.have.been.calledWith('Forbidden')
       expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
     })
-
-    it('returns 403 when zebedee is not the configured processor', async () => {
-      createSettingsStub.returns({
-        ...baseSettings,
-        payments: { processor: 'lnbits' },
-      })
-      const { controller, paymentsService } = makeController()
-      const res = makeRes()
-
-      await controller.handleRequest(makeReq(), res)
-
-      expect(res.status).to.have.been.calledWith(403)
-      expect(res.send).to.have.been.calledWith('Forbidden')
-      expect(paymentsService.updateInvoiceStatus).to.not.have.been.called
-    })
   })
 
   describe('invoice state handling', () => {

diff --git a/test/unit/routes/callbacks.spec.ts b/test/unit/routes/callbacks.spec.ts
@@ -4,15 +4,21 @@ import express from 'express'
 import Sinon from 'sinon'
 
 import * as openNodeControllerFactory from '../../../src/factories/controllers/opennode-callback-controller-factory'
+import * as settingsFactory from '../../../src/factories/settings-factory'
 
 describe('callbacks router', () => {
   let createOpenNodeCallbackControllerStub: Sinon.SinonStub
+  let createSettingsStub: Sinon.SinonStub
   let receivedBody: unknown
   let server: any
 
   beforeEach(async () => {
     receivedBody = undefined
 
+    createSettingsStub = Sinon.stub(settingsFactory, 'createSettings').returns({
+      payments: { processor: 'opennode' },
+    } as any)
+
     createOpenNodeCallbackControllerStub = Sinon.stub(openNodeControllerFactory, 'createOpenNodeCallbackController').returns({
       handleRequest: async (request: any, response: any) => {
         receivedBody = request.body
@@ -35,6 +41,7 @@ describe('callbacks router', () => {
 
   afterEach(async () => {
     createOpenNodeCallbackControllerStub.restore()
+    createSettingsStub.restore()
     delete require.cache[require.resolve('../../../src/routes/callbacks')]
 
     if (server) {