pinnedSpkiSha256 property
Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfo for the backend's TLS certificate(s) — used by the HTTP layer to pin TLS.
Always include at least one backup pin alongside the primary so that emergency cert rotations don't brick deployed apps.
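TODO(security): populate before the production cutover. An empty list disables pinning, so production is also unpinned until the commented-out entries in the implementation are filled in (sandbox/staging are intentionally unpinned for now to keep iteration fast).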
Implementation
List<String> get pinnedSpkiSha256 {
  switch (environment) {
    case LokotroPayEnvironment.production:
      // ignore: prefer_const_literals_to_create_immutables
      return const <String>[
        // 'sha256/PRIMARY_PIN_BASE64=',
        // 'sha256/BACKUP_PIN_BASE64=',
      ];
    case LokotroPayEnvironment.staging:
    case LokotroPayEnvironment.sandbox:
      return const <String>[];
  }
}
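One way to produce the primary and backup entries for the production list, shown as an added example that is not part of the LokotroPay code. It assumes the `openssl` CLI is installed; the function names, file names and `example.invalid` host names are constructed for illustration. The pin depends only on the key pair, so a renewed certificate on the same key keeps its pin, and a backup pin can be taken from a standby key that has no certificate yet.

```shell
#!/bin/sh
# Added example: derive 'sha256/<base64>' SPKI pins with the openssl CLI.
set -eu

# Pin of the public key inside a PEM certificate (the primary pin).
spki_pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64 -A
}

# Pin of a PEM private key that has no certificate yet (the backup pin).
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64 -A
}

# Constructed sample input: throwaway P-256 key and self-signed certificate.
make_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
make_cert() {  # $1 key, $2 common name, $3 validity in days, $4 output cert
  openssl req -new -x509 -key "$1" -subj "/CN=$2" -days "$3" -out "$4"
}

demo() (
  d=$(mktemp -d)
  make_key "$d/live.key"
  make_cert "$d/live.key" api.example.invalid 90 "$d/live.crt"
  make_cert "$d/live.key" api.example.invalid 365 "$d/renewed.crt"  # same key
  make_key "$d/standby.key"                                         # backup key
  # Lines in the format the Dart list expects; primary and renewed are equal.
  printf "primary: 'sha256/%s',\n" "$(spki_pin_from_cert "$d/live.crt")"
  printf "renewed: 'sha256/%s',\n" "$(spki_pin_from_cert "$d/renewed.crt")"
  printf "backup:  'sha256/%s',\n" "$(spki_pin_from_key "$d/standby.key")"
  rm -rf "$d"
)
demo
```

Against a real deployment, run `spki_pin_from_cert` on the backend's leaf certificate and `spki_pin_from_key` on the standby key.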