From f31d6d3dfe22a512c8d5812806dc6b66ff0d2377 Mon Sep 17 00:00:00 2001
From: Phillip Thelen
Date: Thu, 12 Sep 2024 17:57:53 +0200
Subject: [PATCH] filter stripe webhooks for correct server
---
habitica-images | 2 +-
test/api/unit/libs/payments/stripe/checkout.test.js | 10 +++++++++-
test/api/unit/libs/payments/stripe/webhooks.test.js | 5 ++++-
website/server/libs/payments/stripe/checkout.js | 2 ++
website/server/libs/payments/stripe/webhooks.js | 6 ++++++
5 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/habitica-images b/habitica-images
index 88511f3603b..aa723320199 160000
--- a/habitica-images
+++ b/habitica-images
@@ -1 +1 @@
-Subproject commit 88511f3603b41da9d1dccd39350dbb58bc90d61a
+Subproject commit aa723320199d7f03ce749d431b46e8d7f95cc8de
diff --git a/test/api/unit/libs/payments/stripe/checkout.test.js b/test/api/unit/libs/payments/stripe/checkout.test.js
index ab724924016..42b05f6efb2 100644
--- a/test/api/unit/libs/payments/stripe/checkout.test.js
+++ b/test/api/unit/libs/payments/stripe/checkout.test.js
@@ -51,6 +51,7 @@ describe('Stripe - Checkout', () => {
 gift: undefined,
 sub: undefined,
 gemsBlock: gemsBlockKey,
+ server_url: BASE_URL,
 };
 
 expect(gems.validateGiftMessage).to.not.be.called;
@@ -101,6 +102,7 @@ describe('Stripe - Checkout', () => {
 gift: JSON.stringify(gift),
 sub: undefined,
 gemsBlock: undefined,
+ server_url: BASE_URL,
 };
 
 expect(gems.validateGiftMessage).to.be.calledOnce;
@@ -155,6 +157,7 @@ describe('Stripe - Checkout', () => {
 gift: JSON.stringify(gift),
 sub: undefined,
 gemsBlock: undefined,
+ server_url: BASE_URL,
 };
 
 expect(oneTimePayments.getOneTimePaymentInfo).to.be.calledOnce;
@@ -192,6 +195,7 @@ describe('Stripe - Checkout', () => {
 userId: user._id,
 gift: undefined,
 sub: JSON.stringify(sub),
+ server_url: BASE_URL,
 };
 
 expect(subscriptions.checkSubData).to.be.calledOnce;
@@ -258,6 +262,7 @@ describe('Stripe - Checkout', () => {
 userId: user._id,
 gift: undefined,
 sub: JSON.stringify(sub),
+ server_url: BASE_URL,
 groupId,
 };
 
@@ -328,8 +333,9 @@ describe('Stripe - Checkout', () => {
 user.purchased.plan.customerId = customerId;
 
 const metadata = {
- userId: user._id,
 type: 'edit-card-user',
+ userId: user._id,
+ server_url: BASE_URL,
 };
 
 const res = await createEditCardCheckoutSession({ user }, stripe);
@@ -418,6 +424,7 @@ describe('Stripe - Checkout', () => {
 const metadata = {
 userId: user._id,
 type: 'edit-card-group',
+ server_url: BASE_URL,
 groupId,
 };
 
@@ -455,6 +462,7 @@ describe('Stripe - Checkout', () => {
 userId: anotherUser._id,
 type: 'edit-card-group',
 groupId,
+ server_url: BASE_URL,
 };
 
 const res = await createEditCardCheckoutSession({ user: anotherUser, groupId }, stripe);
diff --git a/test/api/unit/libs/payments/stripe/webhooks.test.js b/test/api/unit/libs/payments/stripe/webhooks.test.js
index 816a0a9faa7..64d6490e846 100644
--- a/test/api/unit/libs/payments/stripe/webhooks.test.js
+++ b/test/api/unit/libs/payments/stripe/webhooks.test.js
@@ -16,6 +16,7 @@ import * as subscriptions from '../../../../../../website/server/libs/payments/s
 const { i18n } = common;
 
 describe('Stripe - Webhooks', () => {
+ const BASE_URL = nconf.get('BASE_URL');
 const stripe = stripeModule('test');
 const endpointSecret = nconf.get('STRIPE_WEBHOOKS_ENDPOINT_SECRET');
 const headers = {};
@@ -284,7 +285,9 @@ describe('Stripe - Webhooks', () => {
 const session = {};
 
 beforeEach(() => {
- session.metadata = {};
+ session.metadata = {
+ server_url: BASE_URL,
+ };
 event = { type: eventType, data: { object: session } };
 constructEventStub = sandbox.stub(stripe.webhooks, 'constructEvent');
 constructEventStub.returns(event);
diff --git a/website/server/libs/payments/stripe/checkout.js b/website/server/libs/payments/stripe/checkout.js
index fa4fda9217e..b89175ac4a9 100644
--- a/website/server/libs/payments/stripe/checkout.js
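Review bot: The `beforeEach` in the @@ -284 hunk now sets `server_url` to the local `BASE_URL`, so every existing case in this `describe` exercises only the matching-server path, and the new `break` in `handleWebhooks` for a non-matching `server_url` has no test of the branch it was written for. Add a case that overrides `session.metadata.server_url = 'https://other.example';` (constructed value) before the request and asserts that the sandbox stubs this file uses for the subscription handlers are not called, and, if the handler still acknowledges the event normally after the `break`, that the call does not reject, since Stripe keeps retrying anything that is not acknowledged. Sessions created before this change carry no `server_url` at all, so a second case with `session.metadata = {}` would document whether such legacy events are applied or skipped. The enclosing `describe` and `beforeEach` start and end outside the hunk.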
+++ b/website/server/libs/payments/stripe/checkout.js
@@ -47,6 +47,7 @@ export async function createCheckoutSession (options, stripeInc) {
 userId: user._id,
 gift: gift ? JSON.stringify(gift) : undefined,
 sub: sub ? JSON.stringify(sub) : undefined,
+ server_url: BASE_URL,
 };
 
 let lineItems;
@@ -141,6 +142,7 @@ export async function createEditCardCheckoutSession (options, stripeInc) {
 const metadata = {
 type,
 userId: user._id,
+ server_url: BASE_URL,
 };
 
 let customerId;
diff --git a/website/server/libs/payments/stripe/webhooks.js b/website/server/libs/payments/stripe/webhooks.js
index ae4d73e660b..be4f2edec9c 100644
--- a/website/server/libs/payments/stripe/webhooks.js
+++ b/website/server/libs/payments/stripe/webhooks.js
@@ -19,6 +19,8 @@ import { applySubscription, handlePaymentMethodChange } from './subscriptions';
 
 const endpointSecret = nconf.get('STRIPE_WEBHOOKS_ENDPOINT_SECRET');
 
+const BASE_URL = nconf.get('BASE_URL');
+
 export async function handleWebhooks (options, stripeInc) {
 const { body, headers } = options;
 
@@ -67,6 +69,10 @@ export async function handleWebhooks (options, stripeInc) {
 const session = event.data.object;
 const { metadata } = session;
 
+ if (metadata.server_url !== BASE_URL) {
+ break;
+ }
+
 if (metadata.type === 'edit-card-group' || metadata.type === 'edit-card-user') {
 await handlePaymentMethodChange(session);
 } else if (metadata.type === 'subscription') {
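Review bot: The new metadata key `server_url` is snake_case while its siblings in the same object literal (`userId`, `gift`, `sub`) are camelCase, in both the @@ -47 hunk and the @@ -141 hunk of checkout.js; the same key is mirrored in the test expectations and in the webhook check, and once sessions carrying it exist in Stripe it becomes a persistent contract that is awkward to rename. Either switch to `serverUrl: BASE_URL,` on every side before this ships, or add a one-line comment at the first use explaining its purpose, e.g. `// server_url: lets handleWebhooks ignore events for sessions created by another deployment sharing this Stripe account`. `BASE_URL` is not introduced by this diff in checkout.js, so it is presumably already in scope (not visible here); worth confirming. `createCheckoutSession` and `createEditCardCheckoutSession` both start and end outside their hunks.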
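Review bot: The new guard `if (metadata.server_url !== BASE_URL) { break; }` in the @@ -67 hunk of webhooks.js also discards every checkout session created before this deploy, because those sessions carry no `server_url` and `undefined !== BASE_URL` holds; a payment in flight at rollout completes in Stripe but is never applied to the user. Consider a migration window that lets a missing key through, `if (metadata.server_url !== undefined && metadata.server_url !== BASE_URL) {`, removed once pre-deploy sessions have expired. The skip is also silent: log the event `type` (and its `id`, if the handler has it) together with the mismatching `server_url` using this file's existing logger before the `break`, so an unset `BASE_URL` (read via `nconf.get` in the @@ -19 hunk, it is `undefined` when missing and would then drop every event whose session does carry the key) surfaces in operations rather than as unexplained missing purchases. The comparison is exact string equality, so a trailing-slash or scheme difference between the instance that created the session and the one receiving the webhook causes the same drop; comparing a canonical form of both URLs would make it robust. The `break` implies a `switch` that begins before the hunk, so event types handled in other cases are not filtered by this check.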