Add Stripe webhook raw body preservation for payment verification #71

New issue

Closed

opened 2026-04-08 16:51:28 -04:00 by pook · 1 comment

pook commented 2026-04-08 16:51:28 -04:00

Owner

Copy link

ComplianceBot has a Stripe webhook handler (#53) and idempotency guard (#61) in progress, but without raw body preservation, signature verification will fail silently in production, blocking all paid document unlocks.

1. Configure Express to preserve the raw request body buffer on the Stripe webhook route using express.raw() or the verify callback approach
2. Ensure the webhook handler passes the raw buffer (not parsed JSON) to stripe.webhooks.constructEvent()
3. Add a test with a mock Stripe payload that verifies the signature check passes with correct secret and fails with wrong secret

Acceptance criteria:

• Webhook route receives raw buffer for signature verification
• Other routes are unaffected (still use normal JSON parsing)
• Test covers both valid and invalid signature scenarios

---

Generated by CEO Planner (priority: 2)

ComplianceBot has a Stripe webhook handler (#53) and idempotency guard (#61) in progress, but without raw body preservation, signature verification will fail silently in production, blocking all paid document unlocks. 1. Configure Express to preserve the raw request body buffer on the Stripe webhook route using `express.raw()` or the `verify` callback approach 2. Ensure the webhook handler passes the raw buffer (not parsed JSON) to `stripe.webhooks.constructEvent()` 3. Add a test with a mock Stripe payload that verifies the signature check passes with correct secret and fails with wrong secret Acceptance criteria: - Webhook route receives raw buffer for signature verification - Other routes are unaffected (still use normal JSON parsing) - Test covers both valid and invalid signature scenarios --- *Generated by CEO Planner (priority: 2)*

pook added the

agent-task

label 2026-04-08 16:51:28 -04:00

pook referenced this issue 2026-04-08 17:19:28 -04:00

Add Stripe webhook raw body preservation middleware for payment verification #78

pook referenced this issue from a commit 2026-04-08 17:30:42 -04:00

feat: preserve raw request body as Buffer for Stripe webhook signature verification

pook referenced this issue from a pull request that will close it, 2026-04-08 17:30:53 -04:00

feat: preserve raw body buffer for Stripe webhook signature verification #81

pook referenced this issue 2026-04-08 17:34:16 -04:00

Add Stripe webhook raw body preservation before JSON parser middleware #83

pook referenced this issue from a commit 2026-04-08 17:41:17 -04:00

fix: preserve raw body bytes for Stripe webhook signature verification

pook referenced this issue from a pull request that will close it, 2026-04-08 17:41:37 -04:00

fix: preserve raw body bytes for Stripe webhook signature verification #85

pook referenced this issue 2026-04-08 17:45:46 -04:00

Add Stripe webhook raw body preservation middleware before JSON parser #87

pook referenced this issue from a commit 2026-04-08 17:50:04 -04:00

fix: preserve raw body bytes for Stripe webhook signature verification

pook referenced this issue 2026-04-08 17:50:16 -04:00

fix: preserve raw body bytes for Stripe webhook signature verification #89

pook referenced this issue 2026-04-08 17:53:01 -04:00

Close duplicate Stripe raw-body preservation issues and merge best PR #91

pook commented 2026-04-08 17:57:54 -04:00

Author

Owner

Copy link

Closing as duplicate of #87. Fix is tracked in PR #85.

Closing as duplicate of #87. Fix is tracked in PR #85.

pook closed this issue 2026-04-08 17:57:54 -04:00

pook referenced this issue 2026-04-08 17:58:02 -04:00

fix: preserve raw body bytes for Stripe webhook signature verification #85

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/ux-remediation

master

agent-task/681

agent-task/mount-billing-api-prefix

agent-task/772

agent-task/769

agent-task/760

agent-task/756

agent-task/757

agent-task/703

agent-task/702

agent-task/688

agent-task/684

agent-task/683

agent-task/674

agent-task/668

feat/simple-health-endpoint

agent-task/663

agent-task/658

agent-task/653

agent-task/651

feat/api-billing-checkout

agent-task/650

agent-task/641

agent-task/639

agent-task/638

feat/login-brute-force-protection

agent-task/634

feat/generate-retry-tests

agent-task/625

agent-task/622-validate-openai-responses

agent-task/615-csrf-token-validation

agent-task/614

agent-task/612

agent-task/611

agent-task/606

agent-task/597

agent-task/596

agent-task/588

agent-task/583

agent-task/575

agent-task/574

agent-task/571

agent-task/570

agent-task/562

agent-task/561

agent-task/556-npm-audit-fix

agent-task/537

agent-task/533

agent-task/524

agent-task/518

agent-task/517

agent-task/516

agent-task/513

agent-task/512

agent-task/508

feat/llm-error-handling-tests

agent-task/483

feat/openai-retry-502

agent-task/478

agent-task/477

feat/csrf-double-submit

agent-task/468

feat/error-handler-middleware

feat/global-request-timeout

agent-task/454

agent-task/453

agent-task/449

feat/llm-timeout-504

feat/sanitize-generate-inputs

fix/body-limit-1mb-test

feat/openai-error-handling

agent-task/426

agent-task/425

agent-task/421

agent-task/420

agent-task/419

agent-task/408

agent-task/406

agent-task/407

feat/zod-generate-validation

agent-task/401

agent-task/397

agent-task/391

agent-task/390

feat/https-redirect-middleware

agent-task/388

agent-task/360

feat/generate-1mb-body-limit

feat/request-timeout

feat/checkout-rate-limit

feat/webhook-rate-limit

feat/centralized-error-handler

agent-task/345

agent-task/342

agent-task/341

agent-task/337

feat/generate-rate-limit

agent-task/332

agent-task/331

agent-task/329

agent-task/325

agent-task/324

feat/single-stage-dockerfile

feat/jest-typecheck-ci-gate

feat/rebase-open-prs-script

fix/unblock-pr-pipeline

agent-task/251

feat/deploy-migrations-on-startup

agent-task/247

agent-task/242

agent-task/241

agent-task/236

fix/close-duplicate-issues

agent-task/237

agent-task/235

agent-task/232

agent-task/231

agent-task/228

agent-task/227

agent-task/222

agent-task/221

feat/stripe-checkout-endpoint

fix/134-sanitize-ai-output

agent-task/212

agent-task/211

test/export-render-unit-tests

agent-task/206

agent-task/205

feat/download-token-utility

feat/security-headers-v2

agent-task/196

fix/env-var-validation

feat/health-endpoint-tests

feat/cors-middleware

agent-task/185

agent-task/184

agent-task/180

feat/pr-triage-workflow

agent-task/177

feat/dockerfile-deploy

feature/131-api-key-auth

feat/graceful-shutdown

agent-task/170

feat/pr-triage-script

agent-task/166

feat/ccpa-privacy-policy

feat/auto-migrate-on-startup

feat/auto-rebase-workflow

feat/openai-timeout-guard

agent-task/154

agent-task/155

feat/body-size-limit-generate

feat/health-endpoint

ci/pr-checks

agent-task/145

feat/startup-env-validation

agent-task/141

feat/stripe-document-checkout

fix/116-sanitize-ai-generated-content

feat/document-validation-41

feat/api-key-auth-middleware

feature/document-generator-unit-tests

feature/openai-retry-logic

feature/auto-merge-script

feature/ci-auto-labeling

fix/llm-response-null-checks

feat/generate-smoke-tests

feature/request-logging-middleware

feature/csrf-protection

feature/request-id-middleware

feature/cors-allowlist

feature/rate-limit-generate

feature/citation-scanner-and-disclaimer

feature/input-length-validation

feat/ci-quality-gate

fix/stripe-webhook-raw-body

feat/ci-pr-checks

fix/webhook-raw-body-preservation

feat/ci-workflow

feature/71-raw-body-webhook

feature/template-rendering-tests

feature/stripe-document-webhook

feat/security-headers

feat/stripe-webhook-raw-body

feat/startup-migrations

feature/ai-generation-timeout

feature/dependency-audit-ci

feat/webhook-idempotency

feature/body-size-limit

feature/startup-env-validation

ci/add-pr-pipeline

feature/auth-middleware

feature/ccpa-optout-endpoint

feature/async-document-generation

feature/stripe-checkout-paywall

feature/post-generation-validation

feature/llm-retry-mechanism

feature/document-history

feature/prometheus-metrics

feature/dpa-document-type

feature/input-validation-sanitization

feature/document-email-send

feature/api-health-endpoint

No results found.

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot#71

No description provided.