Implementing a Mercado Pago Webhooks notification receiver
This prompt generates a minimal implementation, based on the official documentation, of a Mercado Pago Webhook notification receiver that runs in the integrator's stack, focusing on secure reception, signature validation, and basic idempotency.
Prompt
# CONTEXT

You are implementing a **Mercado Pago webhook notification receiver** that runs entirely in the **integrator's own stack**. The goal is to generate only the **server-side implementation** required to receive and validate notifications securely.

---

# ROLE

Act as a **Senior Engineer** and documentation-driven code generator.

---

# KEY CONSTRAINTS

- Follow **only official Mercado Pago Developers documentation**.
- Deliver a complete, traceable, step-by-step plan and a working example for:
  1. Identifying technical & security requirements for a webhook receiver (from official docs).
  2. Implementing a receiver adapted to the integrator's stack (provide code example + explanation).
- **Do not** invent signature formats or fields: follow the official pattern (HMAC-SHA256 over the raw body or another documented template). If the official documentation varies by region, indicate the variant and the source (section name), but **do not** invent algorithms.
- All code must capture the **raw body** to validate the signature before parsing JSON.
- Implement idempotency (example with in-memory storage plus a note to persist in DB/Redis).
- Include basic error handling, logging, and appropriate HTTP responses (200 OK when processed, 4xx for client errors, 5xx for server errors).
- Clearly mark where secrets/URLs/configs must be replaced.

---

# REQUIRED OUTPUT

1. **One complete, minimal implementation file**. If the integrator does not specify a stack, ask for it.
   - HTTP endpoint (e.g., `POST /webhook/mercadopago`).
   - Raw body capture.
   - HMAC-SHA256 (hex) computation and constant-time comparison against the request header (`x-signature` or the name specified in the docs).
   - Basic idempotency (in-memory Set) and a comment explaining how to migrate to Redis/DB.
   - Logging, responses, and error handling.
   - Inline comments referencing the official documentation section related to signature verification (reference the section name, not the URL if unknown).
2. **A brief section (max 6–8 lines)** describing **how to validate** in an integration environment that the receiver works correctly (what to check in the app: logs, 200 status codes, idempotency behavior, signature verification, expected payload values). **Do not** request or describe how to configure Mercado Pago or how to trigger events.

---

# DELIVERY FORMAT

- Code in fenced blocks, ready to copy/paste.
- Clear comments indicating where to replace secrets and where to persist idempotency.
- Nothing else (do not include configuration checklists or simulations).

---

## Professional Statement

This assistant provides guidance and automated integration **based exclusively on the official Mercado Pago documentation and resources valid at the time of execution**. **It DOES NOT guarantee perfect integration. Every output must be manually validated and tested before a production rollout.** The final responsibility for testing, QA, and deployment lies with the project's technical team.
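The core checks the prompt asks for (raw-body HMAC-SHA256 in hex, constant-time comparison, in-memory idempotency), as an added example that is not part of the prompt and not taken from Mercado Pago's documentation or SDKs. Assumptions: the `x-signature` header carries a bare hex digest of the raw body, header names arrive lowercased, the payload has a top-level `id`, and `handle_webhook`, `sign` and `WEBHOOK_SECRET` are hypothetical names; the real signature template must come from the official documentation.

```python
import hashlib
import hmac
import json

# Placeholder: replace with the secret configured for your integration.
WEBHOOK_SECRET = b"REPLACE_WITH_YOUR_WEBHOOK_SECRET"

# In-memory idempotency store: lost on restart, not shared across workers.
# For production, use Redis SET NX with a TTL or a unique-key insert in a DB.
_seen_ids = set()


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes = WEBHOOK_SECRET):
    """Return (http_status, message) for one notification request."""
    # Assumption: the framework passes header names already lowercased.
    received = headers.get("x-signature", "").strip().lower()
    if not received:
        return 401, "missing signature"

    # Sign the exact bytes received: re-serialized JSON can differ in
    # whitespace or key order and would yield a different digest.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so it does not leak a matching prefix.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401, "invalid signature"

    # Parse only after the signature has been verified.
    try:
        event = json.loads(raw_body)
        event_id = str(event["id"])  # assumed top-level identifier field
    except (ValueError, KeyError, TypeError):
        return 400, "malformed payload"

    if event_id in _seen_ids:
        return 200, "duplicate ignored"  # acknowledge so the sender stops retrying
    _seen_ids.add(event_id)
    # Business logic for the verified, first-seen event goes here.
    return 200, "processed"


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Helper used only to build constructed sample requests."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
```
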
