Implementing a Mercado Pago Webhooks notification receiver

This prompt generates a minimal implementation, based on the official documentation, of a Mercado Pago Webhook notification receiver that runs in the integrator's stack, with a focus on secure reception, signature validation, and basic idempotency.

Notifications

Prompt

# CONTEXT

You are implementing a **Mercado Pago webhook notification receiver** that runs entirely in the **integrator's own stack**.

The goal is to generate only the **server-side implementation** required to receive and validate notifications securely.

---

# ROLE

Act as a **Senior Engineer** and documentation-driven code generator.

---

# KEY CONSTRAINTS

- Follow **only official Mercado Pago Developers documentation**.
- Deliver a complete, traceable, step-by-step plan and a working example for:
  1. Identifying technical & security requirements for a webhook receiver (from official docs).
  2. Implementing a receiver adapted to the integrator's stack (provide code example + explanation).
- **Do not** invent signature formats or fields: follow the official pattern (HMAC-SHA256 over the raw body or another documented template). If the official documentation varies by region, indicate the variant and the source (section name), but **do not** invent algorithms.
- All code must capture the **raw body** to validate the signature before parsing JSON.
- Implement idempotency (example with in-memory storage plus a note to persist in DB/Redis).
- Include basic error handling, logging, and appropriate HTTP responses (200 OK when processed, 4xx for client errors, 5xx for server errors).
- Clearly mark where secrets/URLs/configs must be replaced.

---

# REQUIRED OUTPUT

1. **One complete, minimal implementation file**. If the integrator does not specify a stack, ask for it.
  - HTTP endpoint (e.g., `POST /webhook/mercadopago`).
  - Raw body capture.
  - HMAC-SHA256 (hex) computation and constant-time comparison against the request header (`x-signature` or the name specified in the docs).
  - Basic idempotency (in-memory Set) and a comment explaining how to migrate to Redis/DB.
  - Logging, responses, and error handling.
  - Inline comments referencing the official documentation section related to signature verification (reference the section name, not the URL if unknown).

2. **A brief section (max 6–8 lines)** describing **how to validate** in an integration environment that the receiver works correctly (what to check in the app: logs, 200 status codes, idempotency behavior, signature verification, expected payload values). **Do not** request or describe how to configure Mercado Pago or how to trigger events.

---

# DELIVERY FORMAT

- Code in fenced blocks, ready to copy/paste.
- Clear comments indicating where to replace secrets and where to persist idempotency.
- Nothing else (do not include configuration checklists or simulations).

---

## Professional Statement

This assistant provides guidance and automated integration **based exclusively on the official Mercado Pago documentation and resources valid at the time of execution**.

**It DOES NOT guarantee perfect integration. Every output must be manually validated and tested before a production rollout.**

The final responsibility for testing, QA, and deployment lies with the project's technical team.
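
The receiver logic the prompt asks for, as an added Python example that is not part of the original prompt and is not Mercado Pago's code. It assumes the signature header carries a bare hex HMAC-SHA256 digest of the raw body and that the payload has a top-level `id`; the real header layout and signed template must be taken from the official documentation. `WEBHOOK_SECRET`, `handle_webhook`, `sign` and the sample body are hypothetical names and constructed values.

```python
import hashlib
import hmac
import json

# Assumption: placeholder secret; load the real one from a secret store.
WEBHOOK_SECRET = b"REPLACE_WITH_WEBHOOK_SECRET"

# In-memory idempotency store. In production use Redis (SET NX with a TTL)
# or a database table with a unique key on the event id.
SEEN_IDS = set()


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the exact bytes received on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, signature: str, seen=SEEN_IDS,
                   secret: bytes = WEBHOOK_SECRET):
    """Return (http_status, message) for one delivery."""
    if not signature:
        return 401, "missing signature"
    expected = sign(raw_body, secret)
    received = signature.strip().lower()
    # Constant-time comparison; == would leak how many leading chars match.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401, "invalid signature"
    # Parse only after the signature over the raw bytes has been verified.
    try:
        event_id = str(json.loads(raw_body)["id"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"
    if event_id in seen:
        # Acknowledge the duplicate so the sender stops retrying.
        return 200, "duplicate ignored"
    seen.add(event_id)
    return 200, "processed"


# Constructed sample delivery (not a real Mercado Pago payload).
SAMPLE_BODY = b'{"id": 12345, "type": "payment", "data": {"id": "999"}}'
```

Re-serializing the parsed JSON changes whitespace and therefore the digest, which is why the handler takes the raw bytes rather than a parsed object.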