Blogs

NATURAL LANGUAGE PROCESSING OF UNSTRUCTURED LEGAL TEXTS: Stopwords and the Case of Republic v Yebbi & Avalifo [1999–2000] 2 GLR 50.

First draft: 24/12/24

So, what is a stopword?

Stopwords refer to a collection of prepositions, positional conjunctions, and other commonly used words. These words appear in almost every sentence because they are indispensable for conveying coherent thoughts and speech.

However, stopwords can produce noise or distort the accuracy of several NLP tasks, such as topic modelling.

Stopword elimination is a critical feature of any natural language processing (NLP) task. Natural Language Toolkit, NLTK and SpaCy provide convenient, off-the-shelf access to comprehensive stopword collections for the English language—at least to the best of my knowledge.

These indispensable Python packages make NLP tasks, especially the elimination of stopwords, significantly less tedious. However, there's a caveat: always use domain-specific stopword collections in specialized fields.

The Ghanaian case of Republic v. Yebbi & Avalifo [1999–2000] 2 GLR 50 is particularly instructive. While the case raises and addresses numerous issues, we will focus on one central question: what constitutes 'the public interest'? Here, the Supreme Court of Ghana attempted to interpret Article 143(1) of the constitution of Ghana which deals with the jurisdiction of the Regional Tribunals. It states that:

(1) A Regional Tribunal shall have jurisdiction to try such offences against the State and the public interest as Parliament may, by law, prescribe.

Kindly direct your attention to the presence of the word 'and' it has been bolded to make it easy to identify it.

Now the court had to determine whether or not 'the word 'and' coming in between 'state' and 'public interest' in the provision, is to be read as disjunctive or conjunctive? In other words, does it mean that any such offence should be against both the state and the public interest;- or is it enough if the offence is either against the state or against public interest?'

This might seem like a trivial issue because why would the Supreme Court concern itself with the meaning of the word 'and' in a sentence? Everyone knows what the word 'and' means. Well, Yebbi and Avolifo's freedom hinges on the interpretation the Supreme Court will give to the word 'and'. So in this particular instance the meaning of 'and' is a big deal. I am not going to bore you with the entire saga of the Republic v. Yebbi & Avalifo.

Let's revisit the subject of NLP. Suppose you are a data engineer and your product manager comes to you that they need data to train a text classification product. You reach out for an existing stopwords collection to clean the texts quickly. Suppose we consider that any sentence containing the term 'and' is marked as irrelevant in both the training and evaluation datasets. Your guess is as good as mine the text classification might decide that the Supreme Court's interpretation of 'public interest' in the case of the Republic v. Yebbi & Avalifo is irrelevant. Just so you know, your product will generate inaccurate results.

This issue is salient in every domain, not just law.

[1] https://www.ibm.com/docs/en/db2/11.1?topic=configuration-stop-words

[2] https://guides.library.upenn.edu/penntdm/methods/topic_modeling

[3] https://www.studocu.com/row/document/central-university-ghana/criminal-law/the-republic-vs-yebbi-avalifo/56077076

[4] https://www.dennislawgh.com/case-preview?dl_citation_no=[2000]DLSC471&srb=

ExpressJs, Hubtel Online Checkout Integration and Security Matters

First draft: 23/04/25

Understanding Hubtel's Online Checkout

A thorough review of Hubtel's online checkout documentation reveals that the responsibility of securing the webhook falls entirely on the developer. Unlike Stripe or Paystack, which provide robust webhook security mechanisms with signature verification, I believe Hubtel's system requires developers to implement their own security measures.

It's worth noting that Hubtel's redirect checkout doesn't provide a sandbox or test environment, so caution should be exercised when implementing this in development.

Basic Implementation

Let's start with the basic implementation for creating a redirect checkout to receive payments:

// Environment configuration const HUBTEL_CLIENT_ID = process.env.HUBTEL_CLIENT_ID; const HUBTEL_CLIENT_SECRET = process.env.HUBTEL_CLIENT_SECRET; // Helper function for authentication export const getHubtelAuthHeader = () => { const auth = Buffer.from( `${HUBTEL_CLIENT_ID}:${HUBTEL_CLIENT_SECRET}` ).toString('base64'); return `Basic ${auth}`; }; // Express route for creating payment checkout app.post("/create-payment-checkout", async function(req, res) { try { const result = await createPaymentCheckout(req.body); return res.status(StatusCodes.CREATED).json({ status: 'success', statusCode: StatusCodes.CREATED, message: 'Created payment checkout successfully', data: result, }); } catch (err) { console.error('Payment checkout error:', err); return res.status(StatusCodes.INTERNAL_SERVER_ERROR).json({ status: 'error', message: 'An error occurred while making payment for the order', details: process.env.NODE_ENV === 'development' ? err.message : undefined }); } });

// Function to create payment checkout const createPaymentCheckout = async (payee: CreatePaymentCheckoutData) => { try { const { name, email, phone, amount, description, order_id, title } = payee; const payload = { merchantAccountNumber: process.env.HUBTEL_MERCHANT_ACCOUNT_NUMBER, totalAmount: amount, title: title, description: description || 'Payment for services', callbackUrl: `${process.env.BACKEND_WEBHOOK_URL}/hubtel-webhook`, returnUrl: `${process.env.FRONTEND_URL}/payment/payment-success`, cancellationUrl: `${process.env.FRONTEND_URL}/payment/payment-failed`, payeeName: name, payeeEmail: email || '', payeeMobileNumber: phone, clientReference: order_id, }; const response = await axios.post( `${process.env.HUBTEL_ONLINE_CHECKOUT_URL}`, payload, { headers: { Authorization: getHubtelAuthHeader(), 'Content-Type': 'application/json', }, } ); if (response.data && response.data.responseCode === '0000') { return response.data.data.checkoutUrl; } throw new Error(`Failed to create payment checkout: ${JSON.stringify(response.data)}`); } catch (error) { console.error('Payment checkout creation error:', error); throw new Error( error.response?.data?.message || 'Failed to create payment checkout' ); } };

The Security Challenge

In the implementation above, notice the callbackUrl parameter. This is where you specify your webhook URL, which Hubtel will use to send payment status updates.

If you've worked with payment processors like Stripe or Paystack before, you might be wondering about webhook security. These providers implement signature verification to ensure that:

- The webhook is called by the expected source (the payment processor)
- The webhook payload hasn't been tampered with

Without these security mechanisms, your system becomes vulnerable to replay attacks, where an attacker could send fake webhook events to your endpoint, potentially triggering unwanted actions.

Implementing Webhook Security

Since Hubtel doesn't provide built-in webhook security for their redirect checkout system, we need to implement our own. Here's a robust approach using Redis to create one-time verification codes:

import crypto from 'crypto'; // Function to secure webhook by generating a verification code const secure_webhook = async (order_id: string) => { try { // Generate a random verification code const verification_code = generateVerificationCode(10); const webhook_secret = `webhook_secret_${verification_code}`; // Clear any existing keys with the same name await redisService.delFromRedis(webhook_secret); // Store the verification code and order ID in Redis with expiration await redisService.addToRedis({ key: webhook_secret, value: { key: webhook_secret, order_id: order_id }, expiresIn: 3600, // expires after 1 hour }); return verification_code; } catch (error) { console.error('Error securing webhook:', error); throw error; } };

// Function to verify webhook using the verification code const verify_webhook = async ( reference: string ): Promise<{ success: boolean; order_id: string }> => { try { const key = `webhook_secret_${reference}`; const verify_key = await redisService.getFromRedis(key); if (!verify_key) { console.warn(`Webhook verification failed: No key found for reference ${reference}`); return { success: false, order_id: '' }; } const verify_key_obj = typeof verify_key === 'string' ? JSON.parse(verify_key) : verify_key; const order_id = verify_key_obj.order_id; // Delete the key after verification to prevent reuse await redisService.delFromRedis(key); return { success: true, order_id }; } catch (error) { console.error('Error verifying webhook:', error); throw error; } };

// Helper function to validate amount const amountValidator = (amount: string | number) => { try { const stringify_amount = amount.toString(); const parsedAmount = parseFloat(stringify_amount); if (isNaN(parsedAmount) || parsedAmount <= 0) { throw new Error('Invalid payment amount: must be a positive number'); } return parsedAmount; } catch (error) { console.error('Amount validation error:', error); throw new Error('Invalid payment amount'); } }; // Function to generate random verification code function generateVerificationCode(length: number): string { return crypto.randomBytes(length).toString('hex'); }

Here's the updated createPaymentCheckout function with security implementation:

// Updated createPaymentCheckout function with security implementation const createPaymentCheckout = async (payee: CreatePaymentCheckoutData) => { try { const { name, email, phone, amount, description, order_id, title } = payee; // Generate and store verification code const transaction_reference = await secure_webhook(order_id); // Validate payment amount const validated_amount = amountValidator(amount); const payload = { merchantAccountNumber: process.env.HUBTEL_MERCHANT_ACCOUNT_NUMBER, totalAmount: validated_amount, title: title, description: description || 'Payment for services', callbackUrl: `${process.env.BACKEND_URL}/hubtel-webhook`, returnUrl: `${process.env.FRONTEND_URL}/payment/payment-success`, cancellationUrl: `${process.env.FRONTEND_URL}/payment/payment-failed`, payeeName: name, payeeEmail: email || '', payeeMobileNumber: phone, clientReference: transaction_reference, // Use verification code as reference }; console.log(`Creating payment checkout for order ${order_id} with reference ${transaction_reference}`); const response = await axios.post( `${process.env.HUBTEL_ONLINE_CHECKOUT_URL}`, payload, { headers: { Authorization: getHubtelAuthHeader(), 'Content-Type': 'application/json', }, } ); if (response.data && response.data.responseCode === '0000') { return response.data.data.checkoutUrl; } throw new Error(`Failed to create payment checkout: ${JSON.stringify(response.data)}`); } catch (error) { console.error('Payment checkout creation error:', error); throw new Error( error.response?.data?.message || 'Failed to create payment checkout' ); } };

Implementing the Webhook Endpoint

Now, let's implement the webhook endpoint that will receive callbacks from Hubtel:

app.post('/hubtel-webhook', async (req, res) => { try { const { ClientReference, Status, Amount, Description } = req.body; // Verify the webhook using our security mechanism const verification = await verify_webhook(ClientReference); if (!verification.success) { return res.status(StatusCodes.UNAUTHORIZED).json({ status: 'error', message: 'Invalid webhook reference', }); } // Additional business logic here return res.status(StatusCodes.OK).json({ status: 'success', message: 'Webhook processed successfully', }); } catch (error) { console.error('Webhook processing error:', error); return res.status(StatusCodes.INTERNAL_SERVER_ERROR).json({ status: 'error', message: 'An error occurred while processing the webhook', }); } });

How the Security Mechanism Works

Our webhook security implementation works as follows:

- One-Time Verification Codes: When creating a payment checkout, we generate a random verification code and store it in Redis along with the order ID.

- Prevention of Replay Attacks: The verification code is used as the clientReference sent to Hubtel, and when Hubtel sends a webhook callback, this reference is included. We verify the reference against our Redis store and delete it after verification, ensuring it can be used only once.

- Time-Limited Exposure: We set an expiration time (1 hour) for the verification code in Redis, limiting the window of vulnerability.

- Input Validation: We validate and sanitize payment amounts to prevent injection attacks.

Additional Security Recommendations

Beyond the implementation above, consider these additional security measures:

- Rate Limiting: Implement rate limiting on your webhook endpoint to prevent brute force attacks.

- TLS Configuration: Ensure your server uses TLS (HTTPS) with proper configuration.

- Comprehensive Logging: Implement detailed logging for all webhook interactions to aid in debugging and security auditing.

- Idempotency: Ensure your webhook processing is idempotent to prevent issues if a webhook is somehow processed multiple times.

Conclusion

Implementing Hubtel's redirect checkout with Express.js and TypeScript requires careful attention to security, particularly for webhooks. The approach outlined in this guide addresses the security gaps in Hubtel's system by implementing one-time verification codes with Redis.

This implementation attempts to provide a robust defense against replay attacks.

Note: This implementation assumes you have a Redis service configured. If you're using a different data store, you'll need to adapt the code accordingly.

[1] https://developers.hubtel.com/docs/online-checkout

[2] https://expressjs.com/en/guide/routing.html

[3] https://redis.io/docs/manual/security/