pinnedSpkiSha256 property

List<String> get pinnedSpkiSha256

Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfo for the backend's TLS certificate(s) — used by the HTTP layer to pin TLS.

Always include at least one backup pin alongside the primary so that emergency cert rotations don't brick deployed apps.

TODO(security): populate before the production cutover. Empty list disables pinning (sandbox/staging are intentionally unpinned for now to keep iteration fast).

Implementation

List<String> get pinnedSpkiSha256 {
  switch (environment) {
    case LokotroPayEnvironment.production:
      // ignore: prefer_const_literals_to_create_immutables
      return const <String>[
        // 'sha256/PRIMARY_PIN_BASE64=',
        // 'sha256/BACKUP_PIN_BASE64=',
      ];
    case LokotroPayEnvironment.staging:
    case LokotroPayEnvironment.sandbox:
      return const <String>[];
  }
}
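
A release-gate check for the pin list, as an added example that is not part of the LokotroPay code base: it rejects an empty production list (which would disable pinning), entries that are not `sha256/` followed by a Base64-encoded 32-byte digest, and sets without a distinct backup pin. The names `checkPinSet` and `requirePinning` are hypothetical, and the entry format is assumed from the commented placeholders above.

```dart
import 'dart:convert';

const pinPrefix = 'sha256/';

/// Returns the problems found in a pin set; an empty result means it passes.
/// `requirePinning` is an assumed flag: true for production builds.
List<String> checkPinSet(List<String> pins, {required bool requirePinning}) {
  final problems = <String>[];
  if (pins.isEmpty) {
    // Per the property docs, an empty list disables pinning.
    if (requirePinning) problems.add('empty pin list: pinning is disabled');
    return problems;
  }
  final seen = <String>{};
  for (final pin in pins) {
    if (!pin.startsWith(pinPrefix)) {
      problems.add('missing "$pinPrefix" prefix: $pin');
      continue;
    }
    try {
      final digest = base64.decode(pin.substring(pinPrefix.length));
      if (digest.length != 32) {
        problems.add('not a 32-byte SHA-256 digest: $pin');
      } else if (!seen.add(base64.encode(digest))) {
        problems.add('duplicate pin: $pin');
      }
    } on FormatException {
      problems.add('invalid Base64: $pin');
    }
  }
  // A single usable pin leaves no fallback for an emergency rotation.
  if (seen.length < 2) {
    problems.add('fewer than two distinct valid pins: no backup pin');
  }
  return problems;
}

void main() {
  // Constructed sample digests, not real certificate pins.
  final a = '$pinPrefix${base64.encode(List<int>.filled(32, 0x11))}';
  final b = '$pinPrefix${base64.encode(List<int>.filled(32, 0x22))}';
  print(checkPinSet([a, b], requirePinning: true)); // primary plus backup
  print(checkPinSet([a, a], requirePinning: true)); // same pin listed twice
  print(checkPinSet(['sha256/PRIMARY_PIN_BASE64='], requirePinning: true));
  print(checkPinSet(const [], requirePinning: true)); // production, unpopulated
  print(checkPinSet(const [], requirePinning: false)); // staging/sandbox
}
```

Run as a unit test or CI step against the production configuration, this turns the TODO above into a build failure rather than a silently unpinned release.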