✨ feat(auth): implementasi autentikasi HMAC dan standardisasi format respons API

- Tambah validasi HMAC (X-Signature, X-Timestamp, X-Api-Key) pada setiap request.
- Standarkan format respons sesuai ResponseCode; hapus `response_description` (gabung ke `response_message`).
- `BalanceSummaryRequest`: validasi header + `validateHmac512`, pakai secret dari config, logging detail, bedakan invalid API key vs invalid signature.
- `AccountBalanceController`: sederhanakan pesan error “Rekening tidak ditemukan”.
- Konfigurasi baru: `webstatement.api_key`, `webstatement.secret_key`; pastikan helper `validateHmac512` tersedia.
- Breaking: Bearer token tidak didukung; gunakan HMAC headers.
- Validasi nomor rekening di database sebelum proses bisnis.
- Logging terstruktur untuk setiap percobaan validasi HMAC (header & hasil verifikasi).
- Konsistensi kode error via ResponseCode enum untuk semua kasus gagal.

app/Enums/ResponseCode.php

@@ -121,8 +121,7 @@
             $response = [
                 'status'               => $this->value == '00' ? true : false,
                 'response_code'        => $this->value,
-                'response_message'     => $message ?? $this->getMessage(),
-                'response_description' => $this->getDescription(),
+                'response_message'     => $this->getMessage() . ($message ? ' | ' . $message : ''),
             ];
 
             if (isset($data['errors'])) {

app/Http/Controllers/Api/AccountBalanceController.php

@@ -53,7 +53,7 @@ class AccountBalanceController extends Controller
                 return response()->json(
                     ResponseCode::DATA_NOT_FOUND->toResponse(
                         null,
-                        'Data saldo tidak ditemukan untuk nomor rekening: ' . $accountNumber
+                        'Rekening tidak ditemukan'
                     ),
                     ResponseCode::DATA_NOT_FOUND->getHttpStatus()
                 );

app/Http/Requests/BalanceSummaryRequest.php

@@ -4,6 +4,9 @@ namespace Modules\Webstatement\Http\Requests;
 
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Http\Exceptions\HttpResponseException;
+use Modules\Webstatement\Enums\ResponseCode;
+use Modules\Webstatement\Models\AccountBalance;
 
 class BalanceSummaryRequest extends FormRequest
 {
@@ -14,8 +17,78 @@ class BalanceSummaryRequest extends FormRequest
      */
     public function authorize(): bool
     {
-        // Sesuaikan dengan authorization logic jika diperlukan
-        return true;
+        try {
+            // Ambil parameter dari header
+            $signature = $this->header('X-Signature');
+            $timestamp = $this->header('X-Timestamp');
+            $apiKey    = $this->header('X-Api-Key');
+
+            // Validasi keberadaan header yang diperlukan
+            if (!$signature || !$timestamp || !$apiKey) {
+                Log::warning('HMAC validation failed - missing required headers', [
+                    'signature'  => $signature,
+                    'timestamp'  => $timestamp,
+                    'apiKey'     => $apiKey,
+                    'ip'         => $this->ip(),
+                    'user_agent' => $this->userAgent()
+                ]);
+                return false;
+            }
+
+            // Validasi API key dari config
+            $expectedApiKey = config('webstatement.api_key');
+            if ($apiKey !== $expectedApiKey) {
+                Log::warning('HMAC validation failed - invalid API key', [
+                    'provided_api_key' => $apiKey,
+                    'expected_api_key' => $expectedApiKey,
+                    'ip'               => $this->ip(),
+                    'user_agent'       => $this->userAgent()
+                ]);
+                return false;
+            }
+
+              // Ambil secret key dari config
+            $secretKey = config('webstatement.secret_key');
+
+              // Ambil parameter untuk validasi HMAC
+            $httpMethod  = $this->method();
+            $relativeUrl = $this->path();
+            $requestBody = $this->getContent();
+
+            // Validasi HMAC signature
+            $isValid = validateHmac512(
+                $httpMethod,
+                $relativeUrl,
+                $apiKey,
+                $requestBody,
+                $timestamp,
+                $secretKey,
+                $signature
+            );
+
+            if (!$isValid) {
+                Log::warning('HMAC validation failed - invalid signature', [
+                    'http_method'  => $httpMethod,
+                    'relative_url' => $relativeUrl,
+                    'api_key'      => $apiKey,
+                    'timestamp'    => $timestamp,
+                    'ip'           => $this->ip(),
+                    'user_agent'   => $this->userAgent()
+                ]);
+            }
+
+            return $isValid;
+
+        } catch (\Exception $e) {
+            Log::error('HMAC validation error', [
+                'error'      => $e->getMessage(),
+                'file'       => $e->getFile(),
+                'line'       => $e->getLine(),
+                'ip'         => $this->ip(),
+                'user_agent' => $this->userAgent()
+            ]);
+            return false;
+        }
     }
 
       /**
@@ -82,13 +155,50 @@ class BalanceSummaryRequest extends FormRequest
     {
         $errors = $validator->errors();
 
-        throw new \Illuminate\Http\Exceptions\HttpResponseException(
+        throw new HttpResponseException(
             response()->json(
-                \Modules\Webstatement\Enums\ResponseCode::INVALID_FIELD->toResponse(
+                ResponseCode::INVALID_FIELD->toResponse(
                     ['errors' => $errors->all()],
-                    'Field tertentu tidak sesuai aturan'
+                    'Validasi gagal'
                 ),
-                \Modules\Webstatement\Enums\ResponseCode::INVALID_FIELD->getHttpStatus()
+                ResponseCode::INVALID_FIELD->getHttpStatus()
+            )
+        );
+    }
+
+    /**
+     * Handle failed authorization.
+     *
+     * @return void
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
+     */
+    protected function failedAuthorization()
+    {
+        $xApiKey = $this->header('X-Api-Key');
+        $expectedApiKey = config('webstatement.api_key');
+
+        // Cek apakah ini karena invalid API key
+        if ($xApiKey !== $expectedApiKey) {
+            throw new HttpResponseException(
+                response()->json(
+                    ResponseCode::INVALID_TOKEN->toResponse(
+                        null,
+                        'API Key tidak valid'
+                    ),
+                    ResponseCode::INVALID_TOKEN->getHttpStatus()
+                )
+            );
+        }
+
+        // Untuk kasus HMAC signature tidak valid
+        throw new HttpResponseException(
+            response()->json(
+                ResponseCode::UNAUTHORIZED->toResponse(
+                    null,
+                    'Signature tidak valid'
+                ),
+                ResponseCode::UNAUTHORIZED->getHttpStatus()
             )
         );
     }
@@ -105,5 +215,19 @@ class BalanceSummaryRequest extends FormRequest
             'ip'         => $this->ip(),
             'user_agent' => $this->userAgent()
         ]);
+
+        $acount = AccountBalance::where('account_number', $this->account_number)->first();
+
+        if (!$acount) {
+            throw new HttpResponseException(
+                response()->json(
+                    ResponseCode::ACCOUNT_NOT_FOUND->toResponse(
+                        null,
+                        'Nomor rekening tidak ditemukan'
+                    ),
+                    ResponseCode::ACCOUNT_NOT_FOUND->getHttpStatus()
+                )
+            );
+        }
     }
 }