Improve idempotency handling with deterministic key generation

Introduce deterministic idempotency key generation when a client-provided key is absent.
The key is derived from canonical request payload with a time window to support safe retries.

Enhancements:
- deterministic retry behavior without client-provided keys
- proper JSON canonicalization (ordering, nested objects, null handling)

This change extends the existing idempotency mechanism without replacing it.

Author: elnafateh

fineract-core/src/main/java/org/apache/fineract/commands/service/DeterministicIdempotencyKeyGenerator.java

@@ -0,0 +1,83 @@
+package org.apache.fineract.commands.service;
+
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import lombok.RequiredArgsConstructor;
+import org.apache.fineract.commands.domain.CommandWrapper;
+import org.springframework.stereotype.Component;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+
+@Component
+@RequiredArgsConstructor
+public class DeterministicIdempotencyKeyGenerator {
+
+    private final ObjectMapper objectMapper;
+
+    public String generate(String json) {
+        String canonical = toCanonicalString(json);
+        String window = currentTimeWindow();
+        return hash(canonical + ":" + window);
+    }
+
+    private String toCanonicalString(String json) {
+        try {
+            JsonNode node = objectMapper.readTree(json);
+            JsonNode canonical = canonicalize(node);
+            return objectMapper.writeValueAsString(canonical);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to canonicalize JSON", e);
+        }
+    }
+
+    private JsonNode canonicalize(JsonNode node) {
+        if (node.isObject()) {
+            ObjectNode sorted = objectMapper.createObjectNode();
+
+            List<String> fieldNames = new ArrayList<>();
+            node.fieldNames().forEachRemaining(fieldNames::add);
+            Collections.sort(fieldNames);
+
+            for (String field : fieldNames) {
+                sorted.set(field, canonicalize(node.get(field))); // recursion to resolve nested obj
+            }
+
+            return sorted;
+        }
+
+        if (node.isArray()) {
+            ArrayNode arrayNode = objectMapper.createArrayNode();
+            for (JsonNode element : node) {
+                arrayNode.add(canonicalize(element)); // recursion inside array
+            }
+            return arrayNode;
+        }
+
+        return node; // primitives + null
+    }
+
+    private String hash(String input) {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hashed = digest.digest(input.getBytes(StandardCharsets.UTF_8));
+            return Base64.getEncoder().encodeToString(hashed);
+        } catch (Exception e) {
+            throw new RuntimeException("Hashing failed", e);
+        }
+    }
+
+    private String currentTimeWindow() {
+        Instant now = Instant.now();
+        long window = now.getEpochSecond() / (5 * 60);
+        return String.valueOf(window);
+    }
+}

fineract-core/src/main/java/org/apache/fineract/commands/service/IdempotencyKeyResolver.java

@@ -30,10 +30,23 @@ public class IdempotencyKeyResolver {
 
     private final FineractRequestContextHolder fineractRequestContextHolder;
 
-    private final IdempotencyKeyGenerator idempotencyKeyGenerator;
+    private  final DeterministicIdempotencyKeyGenerator deterministicGenerator;
 
     public String resolve(CommandWrapper wrapper) {
-        return Optional.ofNullable(wrapper.getIdempotencyKey()).orElseGet(() -> getAttribute().orElseGet(idempotencyKeyGenerator::create));
+
+        // If wrapper already has key → use it
+        if (wrapper.getIdempotencyKey() != null) {
+            return wrapper.getIdempotencyKey();
+        }
+
+        // If request attribute exists (internal retry)
+        Optional<String> attributeKey = getAttribute();
+        if (attributeKey.isPresent()) {
+            return attributeKey.get();
+        }
+
+        // hybrid logic (external retry)
+        return deterministicGenerator.generate(wrapper.getJson());
     }
 
     private Optional<String> getAttribute() {

fineract-core/src/test/java/org/apache/fineract/commands/service/DeterministicIdempotencyKeyGeneratorTest.java

@@ -0,0 +1,105 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.fineract.commands.service;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.time.Instant;
+import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+
+class DeterministicIdempotencyKeyGeneratorTest {
+
+    private final DeterministicIdempotencyKeyGenerator underTest = new DeterministicIdempotencyKeyGenerator(new ObjectMapper());
+
+    @Test
+    void shouldGenerateSameKeyForSemanticallyEquivalentJsonWithinSameWindow() {
+        String firstJson = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}]}";
+        String secondJson = "{\"businessSteps\":[{\"order\":1,\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\"}]}";
+        Instant firstWindowInstant = Instant.ofEpochSecond(60);
+        Instant secondWindowInstant = Instant.ofEpochSecond(299);
+
+        try (MockedStatic<Instant> instant = Mockito.mockStatic(Instant.class, Mockito.CALLS_REAL_METHODS)) {
+            instant.when(Instant::now).thenReturn(firstWindowInstant, secondWindowInstant);
+
+            String firstKey = underTest.generate(firstJson);
+            String secondKey = underTest.generate(secondJson);
+
+            assertEquals(firstKey, secondKey);
+        }
+    }
+
+    @Test
+    void shouldGenerateDifferentKeysForDifferentPayloadsWithinSameWindow() {
+        String firstJson = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}]}";
+        String secondJson = "{\"businessSteps\":[{\"stepName\":\"LOAN_DELINQUENCY_CLASSIFICATION\",\"order\":1}]}";
+        Instant currentInstant = Instant.ofEpochSecond(60);
+
+        try (MockedStatic<Instant> instant = Mockito.mockStatic(Instant.class, Mockito.CALLS_REAL_METHODS)) {
+            instant.when(Instant::now).thenReturn(currentInstant, currentInstant);
+
+            String firstKey = underTest.generate(firstJson);
+            String secondKey = underTest.generate(secondJson);
+
+            assertNotEquals(firstKey, secondKey);
+        }
+    }
+
+    @Test
+    void shouldPreserveArrayOrderingInGeneratedKey() {
+        String firstJson = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1},{\"stepName\":\"LOAN_DELINQUENCY_CLASSIFICATION\",\"order\":2}]}";
+        String secondJson = "{\"businessSteps\":[{\"stepName\":\"LOAN_DELINQUENCY_CLASSIFICATION\",\"order\":2},{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}]}";
+        Instant currentInstant = Instant.ofEpochSecond(60);
+
+        try (MockedStatic<Instant> instant = Mockito.mockStatic(Instant.class, Mockito.CALLS_REAL_METHODS)) {
+            instant.when(Instant::now).thenReturn(currentInstant, currentInstant);
+
+            String firstKey = underTest.generate(firstJson);
+            String secondKey = underTest.generate(secondJson);
+
+            assertNotEquals(firstKey, secondKey);
+        }
+    }
+
+        @Test
+    void shouldGenerateDifferentKeysAcrossFiveMinuteWindows() {
+        String json = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}]}";
+        Instant firstWindowInstant = Instant.ofEpochSecond(299);
+        Instant secondWindowInstant = Instant.ofEpochSecond(300);
+
+        try (MockedStatic<Instant> instant = Mockito.mockStatic(Instant.class, Mockito.CALLS_REAL_METHODS)) {
+            instant.when(Instant::now).thenReturn(firstWindowInstant, secondWindowInstant);
+
+            String firstKey = underTest.generate(json);
+            String secondKey = underTest.generate(json);
+
+            assertNotEquals(firstKey, secondKey);
+        }
+    }
+
+    @Test
+    void shouldFailForInvalidJson() {
+        RuntimeException exception = assertThrows(RuntimeException.class, () -> underTest.generate("{invalid-json"));
+        assertEquals("Failed to canonicalize JSON", exception.getMessage());
+    }
+}

fineract-provider/src/test/java/org/apache/fineract/commands/service/IdempotencyKeyResolverTest.java

@@ -18,6 +18,8 @@
  */
 package org.apache.fineract.commands.service;
 
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
 import java.util.HashMap;
@@ -36,7 +38,7 @@
 public class IdempotencyKeyResolverTest {
 
     @Mock
-    private IdempotencyKeyGenerator idempotencyKeyGenerator;
+    private DeterministicIdempotencyKeyGenerator deterministicIdempotencyKeyGenerator;
 
     @InjectMocks
     private IdempotencyKeyResolver underTest;
@@ -62,15 +64,19 @@ public void testIPKResolveFromRequest() {
         CommandWrapper wrapper = CommandWrapper.wrap("act", "ent", 1L, 1L);
         String resolvedIdk = underTest.resolve(wrapper);
         Assertions.assertEquals(idk, resolvedIdk);
+        verifyNoInteractions(deterministicIdempotencyKeyGenerator);
     }
 
     @Test
     public void testIPKResolveFromGenerate() {
         String idk = "idk";
-        when(idempotencyKeyGenerator.create()).thenReturn(idk);
-        CommandWrapper wrapper = CommandWrapper.wrap("act", "ent", 1L, 1L);
+        String json = "{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}";
+        when(deterministicIdempotencyKeyGenerator.generate(json)).thenReturn(idk);
+        CommandWrapper wrapper = new CommandWrapper(null, null, null, null, null, "UPDATE", "JOB", 1L, null, "/jobs/LOAN_CLOSE_OF_BUSINESS",
+                json, null, null, null, null, null, null, null, null, null);
         String resolvedIdk = underTest.resolve(wrapper);
         Assertions.assertEquals(idk, resolvedIdk);
+        verify(deterministicIdempotencyKeyGenerator).generate(json);
     }
 
     @Test
@@ -80,5 +86,6 @@ public void testIPKResolveFromWrapper() {
                 null, null, null, idk, null, null);
         String resolvedIdk = underTest.resolve(wrapper);
         Assertions.assertEquals(idk, resolvedIdk);
+        verifyNoInteractions(deterministicIdempotencyKeyGenerator);
     }
 }

integration-tests/src/test/java/org/apache/fineract/integrationtests/IdempotencyTest.java

@@ -154,6 +154,74 @@ public void shouldTheSecondRequestWithSameIdempotencyKeyWillFailureToo() {
         assertEquals((Map) body1.jsonPath().get(""), response2.getBody().jsonPath().get(""));
     }
 
+    @Test
+    public void shouldReuseDeterministicIdempotencyKeyWhenHeaderMissing() {
+        ResponseSpecification updateResponseSpec = new ResponseSpecBuilder().expectStatusCode(204).build();
+        JobBusinessStepConfigData originalStepConfig = IdempotencyHelper.getConfiguredBusinessStepsByJobName(requestSpec, responseSpec,
+                LOAN_JOB_NAME);
+
+        try {
+            String requestBody = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1}]}";
+            Response response = IdempotencyHelper.updateBusinessStepOrderWithoutIdempotencyKey(requestSpec, updateResponseSpec,
+                    LOAN_JOB_NAME, requestBody);
+            Response responseSecond = IdempotencyHelper.updateBusinessStepOrderWithoutIdempotencyKey(requestSpec, updateResponseSpec,
+                    LOAN_JOB_NAME, requestBody);
+
+            assertEquals(response.getBody().asString(), responseSecond.getBody().asString());
+            assertNull(response.header(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+            assertNotNull(responseSecond.header(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+        } finally {
+            restoreOriginalStepConfig(updateResponseSpec, originalStepConfig);
+        }
+    }
+
+    @Test
+    public void shouldReuseDeterministicIdempotencyKeyForReorderedJsonWhenHeaderMissing() {
+        ResponseSpecification updateResponseSpec = new ResponseSpecBuilder().expectStatusCode(204).build();
+        JobBusinessStepConfigData originalStepConfig = IdempotencyHelper.getConfiguredBusinessStepsByJobName(requestSpec, responseSpec,
+                LOAN_JOB_NAME);
+
+        try {
+            String firstRequestBody = "{\"businessSteps\":[{\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\",\"order\":1},"
+                    + "{\"stepName\":\"LOAN_DELINQUENCY_CLASSIFICATION\",\"order\":2}]}";
+            String secondRequestBody = "{\"businessSteps\":[{\"order\":1,\"stepName\":\"APPLY_CHARGE_TO_OVERDUE_LOANS\"},"
+                    + "{\"order\":2,\"stepName\":\"LOAN_DELINQUENCY_CLASSIFICATION\"}]}";
+
+            Response response = IdempotencyHelper.updateBusinessStepOrderWithoutIdempotencyKey(requestSpec, updateResponseSpec,
+                    LOAN_JOB_NAME, firstRequestBody);
+            Response responseSecond = IdempotencyHelper.updateBusinessStepOrderWithoutIdempotencyKey(requestSpec, updateResponseSpec,
+                    LOAN_JOB_NAME, secondRequestBody);
+
+            assertEquals(response.getBody().asString(), responseSecond.getBody().asString());
+            assertNull(response.header(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+            assertNotNull(responseSecond.header(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+        } finally {
+            restoreOriginalStepConfig(updateResponseSpec, originalStepConfig);
+        }
+    }
+
+    @Test
+    public void shouldCacheFailedRequestWhenHeaderMissing() {
+        ResponseSpecification responseSpecForError = new ResponseSpecBuilder().expectStatusCode(400).build();
+        List<BusinessStep> requestBody = new ArrayList<>();
+
+        Response response1 = IdempotencyHelper.updateBusinessStepOrderWithErrorWithoutIdempotencyKey(requestSpec, responseSpecForError,
+                LOAN_JOB_NAME, IdempotencyHelper.toJsonString(requestBody));
+        assertNull(response1.getHeader(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+        ResponseBody body1 = response1.getBody();
+        assertNotNull(body1);
+
+        Response response2 = IdempotencyHelper.updateBusinessStepOrderWithErrorWithoutIdempotencyKey(requestSpec, responseSpecForError,
+                LOAN_JOB_NAME, IdempotencyHelper.toJsonString(requestBody));
+        assertNotNull(response2.getHeader(AbstractIdempotentCommandException.IDEMPOTENT_CACHE_HEADER));
+        assertEquals((Map) body1.jsonPath().get(""), response2.getBody().jsonPath().get(""));
+    }
+
+    private void restoreOriginalStepConfig(ResponseSpecification updateResponseSpec, JobBusinessStepConfigData originalStepConfig) {
+        IdempotencyHelper.updateBusinessStepOrder(requestSpec, updateResponseSpec, LOAN_JOB_NAME,
+                IdempotencyHelper.toJsonString(originalStepConfig.getBusinessSteps()), UUID.randomUUID().toString());
+    }
+
     private BusinessStep getBusinessSteps(Long order, String stepName) {
         BusinessStep businessStep = new BusinessStep();
         businessStep.setStepName(stepName);

integration-tests/src/test/java/org/apache/fineract/integrationtests/common/IdempotencyHelper.java

@@ -94,9 +94,26 @@ public static JobBusinessStepDetail getAvailableBusinessStepsByJobName(final Req
     @Deprecated(forRemoval = true)
     public static Response updateBusinessStepOrder(final RequestSpecification requestSpec, final ResponseSpecification responseSpec,
             String jobName, String jsonBodyToSend, String idempotencyKey) {
+        return updateBusinessStepOrder(requestSpec, responseSpec, jobName, jsonBodyToSend, true, idempotencyKey);
+    }
+
+    @Deprecated(forRemoval = true)
+    public static Response updateBusinessStepOrderWithoutIdempotencyKey(final RequestSpecification requestSpec,
+            final ResponseSpecification responseSpec, String jobName, String jsonBodyToSend) {
+        return updateBusinessStepOrder(requestSpec, responseSpec, jobName, jsonBodyToSend, false, null);
+    }
+
+    @Deprecated(forRemoval = true)
+    private static Response updateBusinessStepOrder(final RequestSpecification requestSpec, final ResponseSpecification responseSpec,
+            String jobName, String jsonBodyToSend, boolean useIdempotencyKey, String idempotencyKey) {
         Response response = Utils.performServerPutRaw(requestSpec, responseSpec,
-                BUSINESS_STEPS_API_URL_START + jobName + BUSINESS_STEPS_API_URL_END,
-                request -> request.header("Idempotency-Key", idempotencyKey).body(jsonBodyToSend));
+                BUSINESS_STEPS_API_URL_START + jobName + BUSINESS_STEPS_API_URL_END, request -> {
+                    RequestSpecification mappedRequest = request.body(jsonBodyToSend);
+                    if (useIdempotencyKey) {
+                        mappedRequest = mappedRequest.header("Idempotency-Key", idempotencyKey);
+                    }
+                    return mappedRequest;
+                });
         log.info("BusinessStepConfigurationHelper Response: {}", response.getBody().asString());
         return response;
     }
@@ -107,9 +124,27 @@ public static Response updateBusinessStepOrder(final RequestSpecification reques
     @Deprecated(forRemoval = true)
     public static Response updateBusinessStepOrderWithError(final RequestSpecification requestSpec,
             final ResponseSpecification responseSpec, String jobName, String jsonBodyToSend, String idempotencyKey) {
+        return updateBusinessStepOrderWithError(requestSpec, responseSpec, jobName, jsonBodyToSend, true, idempotencyKey);
+    }
+
+    @Deprecated(forRemoval = true)
+    public static Response updateBusinessStepOrderWithErrorWithoutIdempotencyKey(final RequestSpecification requestSpec,
+            final ResponseSpecification responseSpec, String jobName, String jsonBodyToSend) {
+        return updateBusinessStepOrderWithError(requestSpec, responseSpec, jobName, jsonBodyToSend, false, null);
+    }
+
+    @Deprecated(forRemoval = true)
+    private static Response updateBusinessStepOrderWithError(final RequestSpecification requestSpec,
+            final ResponseSpecification responseSpec, String jobName, String jsonBodyToSend, boolean useIdempotencyKey,
+            String idempotencyKey) {
         String url = BUSINESS_STEPS_API_URL_START + jobName + BUSINESS_STEPS_API_URL_END;
-        return Utils.performServerPutRaw(requestSpec, responseSpec, url,
-                request -> request.header("Idempotency-Key", idempotencyKey).body(jsonBodyToSend));
+        return Utils.performServerPutRaw(requestSpec, responseSpec, url, request -> {
+            RequestSpecification mappedRequest = request.body(jsonBodyToSend);
+            if (useIdempotencyKey) {
+                mappedRequest = mappedRequest.header("Idempotency-Key", idempotencyKey);
+            }
+            return mappedRequest;
+        });
     }
 
     private static final class BusinessStepWrapper {