From df194cfd951be1b5859c50b334e144dc5e260320 Mon Sep 17 00:00:00 2001 From: Daniel Mucamba Date: Wed, 11 Mar 2026 16:53:11 +0200 Subject: [PATCH 1/3] flowless: Update nhonga_api/client.py Applied 3 critical security and correctness fixes: (1) Added hmac import for secure comparison, (2) Corrected base URL from vendorapay.com to nhonga.net to fix broken API integration, (3) Replaced vulnerable string comparison with hmac.compare_digest() to prevent timing attacks on webhook validation --- nhonga_api/client.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nhonga_api/client.py b/nhonga_api/client.py index 710d526..29a00fe 100644 --- a/nhonga_api/client.py +++ b/nhonga_api/client.py @@ -3,6 +3,7 @@ """ import requests +import hmac from typing import Optional, Callable, Union, Awaitable from .types import ( NhongaConfig, @@ -29,7 +30,7 @@ def __init__(self, config: NhongaConfig): """ self.api_key = config["api_key"] self.secret_key = config.get("secret_key") - self.base_url = config.get("base_url", "https://vendorapay.com/api") + self.base_url = config.get("base_url", "https://nhonga.net/api") self.session = requests.Session() self.session.headers.update({ @@ -149,7 +150,7 @@ def validate_webhook(self, payload: WebhookPayload, received_secret_key: str) -> """ if not self.secret_key: raise NhongaError("Secret key not configured for webhook validation") - return self.secret_key == received_secret_key + return hmac.compare_digest(self.secret_key, received_secret_key) def process_webhook( self, From 34d3175d1dcbd559317f6ed3fd142912a84eeff1 Mon Sep 17 00:00:00 2001 From: Daniel Mucamba Date: Wed, 11 Mar 2026 16:53:13 +0200 Subject: [PATCH 2/3] flowless: Update nhonga_api/examples.py Accepted only security warning patches. Typo fixes ('enviroment' -> 'environment') deferred until types.py is updated to maintain consistency - types.py still defines 'enviroment' in CreatePaymentRequest. --- nhonga_api/examples.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nhonga_api/examples.py b/nhonga_api/examples.py index 3999988..3bf54ae 100644 --- a/nhonga_api/examples.py +++ b/nhonga_api/examples.py @@ -228,8 +228,9 @@ def processar_pagamento(webhook_data: WebhookPayload): def exemplo_context_manager(): """Exemplo usando context manager""" + # ⚠️ IMPORTANTE: Substitua pelas suas credenciais reais ou use variáveis de ambiente with NhongaAPI({ - "api_key": "SUA_CHAVE_API", + "api_key": "SUA_CHAVE_API", # Substitua pela sua chave API real "secret_key": "SUA_CHAVE_SECRETA" }) as nhonga: From baf6b2cc256c50f44d5b42a5a12c58f6ccba6d8f Mon Sep 17 00:00:00 2001 From: Daniel Mucamba Date: Wed, 11 Mar 2026 16:53:15 +0200 Subject: [PATCH 3/3] flowless: Update nhonga_api/types.py Corrected a critical typo in the CreatePaymentRequest TypedDict that would cause the environment field to be mismatched with the actual API expectations, potentially leading to unintended behavior like defaulting to production. --- nhonga_api/types.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nhonga_api/types.py b/nhonga_api/types.py index 9c4c8c3..12a2c47 100644 --- a/nhonga_api/types.py +++ b/nhonga_api/types.py @@ -45,7 +45,7 @@ class CreatePaymentRequest(TypedDict, total=False): callbackUrl: Optional[str] returnUrl: Optional[str] currency: Optional[Currency] - enviroment: Optional[Environment] + environment: Optional[Environment] class CreatePaymentResponse(TypedDict):