fix(stripe-webhooks): validate invoice IDs as UUIDs before DB lookup

This commit is contained in:
Paperclip
2026-04-14 14:00:02 +00:00
committed by Flea Flicker
parent 007643a03c
commit 8de1eb048c
+10 -3
View File
@@ -1,5 +1,6 @@
import { Hono } from "hono"; import { Hono } from "hono";
import Stripe from "stripe"; import Stripe from "stripe";
import { z } from "zod/v3";
import { eq, getDb, invoices } from "@groombook/db"; import { eq, getDb, invoices } from "@groombook/db";
import { getStripeClient } from "../services/payment.js"; import { getStripeClient } from "../services/payment.js";
@@ -44,10 +45,13 @@ webhooksRouter.post("/stripe", async (c) => {
const invoiceIds = pi.metadata.groombook_invoice_ids.split(","); const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
for (const invoiceId of invoiceIds) { for (const invoiceId of invoiceIds) {
if (!invoiceId) continue; if (!invoiceId) continue;
const parsed = z.string().uuid().safeParse(invoiceId.trim());
if (!parsed.success) continue;
const invoiceIdTrimmed = invoiceId.trim();
const [inv] = await db const [inv] = await db
.select() .select()
.from(invoices) .from(invoices)
.where(eq(invoices.id, invoiceId)) .where(eq(invoices.id, invoiceIdTrimmed))
.limit(1); .limit(1);
if (!inv) continue; if (!inv) continue;
if (inv.stripePaymentIntentId && inv.stripePaymentIntentId !== pi.id) continue; if (inv.stripePaymentIntentId && inv.stripePaymentIntentId !== pi.id) continue;
@@ -60,7 +64,7 @@ webhooksRouter.post("/stripe", async (c) => {
stripePaymentIntentId: pi.id, stripePaymentIntentId: pi.id,
updatedAt: new Date(), updatedAt: new Date(),
}) })
.where(eq(invoices.id, invoiceId)); .where(eq(invoices.id, invoiceIdTrimmed));
} }
} }
} else if (event.type === "payment_intent.payment_failed") { } else if (event.type === "payment_intent.payment_failed") {
@@ -69,13 +73,16 @@ webhooksRouter.post("/stripe", async (c) => {
const invoiceIds = pi.metadata.groombook_invoice_ids.split(","); const invoiceIds = pi.metadata.groombook_invoice_ids.split(",");
for (const invoiceId of invoiceIds) { for (const invoiceId of invoiceIds) {
if (!invoiceId) continue; if (!invoiceId) continue;
const parsed = z.string().uuid().safeParse(invoiceId.trim());
if (!parsed.success) continue;
const invoiceIdTrimmed = invoiceId.trim();
await db await db
.update(invoices) .update(invoices)
.set({ .set({
paymentFailureReason: pi.last_payment_error?.message ?? "Payment failed", paymentFailureReason: pi.last_payment_error?.message ?? "Payment failed",
updatedAt: new Date(), updatedAt: new Date(),
}) })
.where(eq(invoices.id, invoiceId)); .where(eq(invoices.id, invoiceIdTrimmed));
} }
} }
} else if (event.type === "charge.refunded") { } else if (event.type === "charge.refunded") {