[Agent] Issue #756: Add Zod webhook payload validation for Stripe events #759

Open

pook wants to merge 64 commits from agent-task/756 into main

pull from: agent-task/756

merge into: pook:main

pook:main

pook:feat/ux-remediation

pook:master

pook:agent-task/681

pook:agent-task/mount-billing-api-prefix

pook:agent-task/772

pook:agent-task/769

pook:agent-task/760

pook:agent-task/757

pook:agent-task/703

pook:agent-task/702

pook:agent-task/688

pook:agent-task/684

pook:agent-task/683

pook:agent-task/674

pook:agent-task/668

pook:feat/simple-health-endpoint

pook:agent-task/663

pook:agent-task/658

pook:agent-task/653

pook:agent-task/651

pook:feat/api-billing-checkout

pook:agent-task/650

pook:agent-task/641

pook:agent-task/639

pook:agent-task/638

pook:feat/login-brute-force-protection

pook:agent-task/634

pook:feat/generate-retry-tests

pook:agent-task/625

pook:agent-task/622-validate-openai-responses

pook:agent-task/615-csrf-token-validation

pook:agent-task/614

pook:agent-task/612

pook:agent-task/611

pook:agent-task/606

pook:agent-task/597

pook:agent-task/596

pook:agent-task/588

pook:agent-task/583

pook:agent-task/575

pook:agent-task/574

pook:agent-task/571

pook:agent-task/570

pook:agent-task/562

pook:agent-task/561

pook:agent-task/556-npm-audit-fix

pook:agent-task/537

pook:agent-task/533

pook:agent-task/524

pook:agent-task/518

pook:agent-task/517

pook:agent-task/516

pook:agent-task/513

pook:agent-task/512

pook:agent-task/508

pook:feat/llm-error-handling-tests

pook:agent-task/483

pook:feat/openai-retry-502

pook:agent-task/478

pook:agent-task/477

pook:feat/csrf-double-submit

pook:agent-task/468

pook:feat/error-handler-middleware

pook:feat/global-request-timeout

pook:agent-task/454

pook:agent-task/453

pook:agent-task/449

pook:feat/llm-timeout-504

pook:feat/sanitize-generate-inputs

pook:fix/body-limit-1mb-test

pook:feat/openai-error-handling

pook:agent-task/426

pook:agent-task/425

pook:agent-task/421

pook:agent-task/420

pook:agent-task/419

pook:agent-task/408

pook:agent-task/406

pook:agent-task/407

pook:feat/zod-generate-validation

pook:agent-task/401

pook:agent-task/397

pook:agent-task/391

pook:agent-task/390

pook:feat/https-redirect-middleware

pook:agent-task/388

pook:agent-task/360

pook:feat/generate-1mb-body-limit

pook:feat/request-timeout

pook:feat/checkout-rate-limit

pook:feat/webhook-rate-limit

pook:feat/centralized-error-handler

pook:agent-task/345

pook:agent-task/342

pook:agent-task/341

pook:agent-task/337

pook:feat/generate-rate-limit

pook:agent-task/332

pook:agent-task/331

pook:agent-task/329

pook:agent-task/325

pook:agent-task/324

pook:feat/single-stage-dockerfile

pook:feat/jest-typecheck-ci-gate

pook:feat/rebase-open-prs-script

pook:fix/unblock-pr-pipeline

pook:agent-task/251

pook:feat/deploy-migrations-on-startup

pook:agent-task/247

pook:agent-task/242

pook:agent-task/241

pook:agent-task/236

pook:fix/close-duplicate-issues

pook:agent-task/237

pook:agent-task/235

pook:agent-task/232

pook:agent-task/231

pook:agent-task/228

pook:agent-task/227

pook:agent-task/222

pook:agent-task/221

pook:feat/stripe-checkout-endpoint

pook:fix/134-sanitize-ai-output

pook:agent-task/212

pook:agent-task/211

pook:test/export-render-unit-tests

pook:agent-task/206

pook:agent-task/205

pook:feat/download-token-utility

pook:feat/security-headers-v2

pook:agent-task/196

pook:fix/env-var-validation

pook:feat/health-endpoint-tests

pook:feat/cors-middleware

pook:agent-task/185

pook:agent-task/184

pook:agent-task/180

pook:feat/pr-triage-workflow

pook:agent-task/177

pook:feat/dockerfile-deploy

pook:feature/131-api-key-auth

pook:feat/graceful-shutdown

pook:agent-task/170

pook:feat/pr-triage-script

pook:agent-task/166

pook:feat/ccpa-privacy-policy

pook:feat/auto-migrate-on-startup

pook:feat/auto-rebase-workflow

pook:feat/openai-timeout-guard

pook:agent-task/154

pook:agent-task/155

pook:feat/body-size-limit-generate

pook:feat/health-endpoint

pook:ci/pr-checks

pook:agent-task/145

pook:feat/startup-env-validation

pook:agent-task/141

pook:feat/stripe-document-checkout

pook:fix/116-sanitize-ai-generated-content

pook:feat/document-validation-41

pook:feat/api-key-auth-middleware

pook:feature/document-generator-unit-tests

pook:feature/openai-retry-logic

pook:feature/auto-merge-script

pook:feature/ci-auto-labeling

pook:fix/llm-response-null-checks

pook:feat/generate-smoke-tests

pook:feature/request-logging-middleware

pook:feature/csrf-protection

pook:feature/request-id-middleware

pook:feature/cors-allowlist

pook:feature/rate-limit-generate

pook:feature/citation-scanner-and-disclaimer

pook:feature/input-length-validation

pook:feat/ci-quality-gate

pook:fix/stripe-webhook-raw-body

pook:feat/ci-pr-checks

pook:fix/webhook-raw-body-preservation

pook:feat/ci-workflow

pook:feature/71-raw-body-webhook

pook:feature/template-rendering-tests

pook:feature/stripe-document-webhook

pook:feat/security-headers

pook:feat/stripe-webhook-raw-body

pook:feat/startup-migrations

pook:feature/ai-generation-timeout

pook:feature/dependency-audit-ci

pook:feat/webhook-idempotency

pook:feature/body-size-limit

pook:feature/startup-env-validation

pook:ci/add-pr-pipeline

pook:feature/auth-middleware

pook:feature/ccpa-optout-endpoint

pook:feature/async-document-generation

pook:feature/stripe-checkout-paywall

pook:feature/post-generation-validation

pook:feature/llm-retry-mechanism

pook:feature/document-history

pook:feature/prometheus-metrics

pook:feature/dpa-document-type

pook:feature/input-validation-sanitization

pook:feature/document-email-send

pook:feature/api-health-endpoint

Conversation 0 Commits 64 Files changed 68 +6696 -71

pook commented 2026-04-11 15:36:38 -04:00

Owner

Copy link

Summary

• Adds packages/api/src/billing/webhook-schemas.ts with Zod schemas that validate Stripe webhook event envelopes and per-event data.object payloads
• Covers four event types: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, invoice.payment_succeeded
• Exports validateWebhookEvent function that returns fully typed data or throws WebhookValidationError with descriptive issue details
• Adds zod as a dependency in the API package

Test plan

• Call validateWebhookEvent with a valid checkout.session.completed payload and verify typed return
• Call with missing id or wrong prefix and verify 400-style validation error
• Call with unknown event type and verify it passes envelope validation without crashing
• Integrate into billing.ts webhook route and confirm malformed payloads return 400
• Run npx tsc --noEmit to confirm no type errors

🤖 Generated with Claude Code

## Summary - Adds `packages/api/src/billing/webhook-schemas.ts` with Zod schemas that validate Stripe webhook event envelopes and per-event `data.object` payloads - Covers four event types: `checkout.session.completed`, `customer.subscription.updated`, `customer.subscription.deleted`, `invoice.payment_succeeded` - Exports `validateWebhookEvent` function that returns fully typed data or throws `WebhookValidationError` with descriptive issue details - Adds `zod` as a dependency in the API package ## Test plan - [ ] Call `validateWebhookEvent` with a valid checkout.session.completed payload and verify typed return - [ ] Call with missing `id` or wrong prefix and verify 400-style validation error - [ ] Call with unknown event type and verify it passes envelope validation without crashing - [ ] Integrate into `billing.ts` webhook route and confirm malformed payloads return 400 - [ ] Run `npx tsc --noEmit` to confirm no type errors 🤖 Generated with [Claude Code](https://claude.com/claude-code)

pook added 1 commit 2026-04-11 15:36:38 -04:00

Add Zod webhook payload validation for Stripe events ... f3a0cc4732

Validates webhook payloads before processing to prevent crashes from
malformed data and injection attacks. Includes typed schemas for
checkout.session.completed, customer.subscription.updated,
customer.subscription.deleted, and invoice.payment_succeeded events.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

agent-bot added 1 commit 2026-04-11 15:36:51 -04:00

feat: issue #756 before-processing-stripe-webhook-events (agent task liancebot756) 921bcdfcc6

pook referenced this pull request 2026-04-11 15:40:20 -04:00

Verify PR #759: Zod webhook validation rejects malformed Stripe events #762

pook referenced this pull request 2026-04-11 19:13:20 -04:00

Verify PR #759: Zod webhook payload validation for Stripe events #797

pook referenced this pull request 2026-04-11 20:25:17 -04:00

Add STRIPE_WEBHOOK_SECRET to startup env validation #818

pook referenced this pull request 2026-04-11 21:24:08 -04:00

Verify PR #759: Zod webhook payload validation, test, merge #829

pook referenced this pull request 2026-04-12 01:32:13 -04:00

Verify PR #759: Zod webhook payload validation for Stripe events — checkout, build, test, merge #875

pook referenced this pull request 2026-04-12 02:37:14 -04:00

Verify PR #692: database migration for processing tables #895

pook referenced this pull request 2026-04-12 02:56:10 -04:00

Verify PR #759: Zod webhook payload validation — checkout, test, merge #902

pook referenced this pull request 2026-04-12 03:54:45 -04:00

Batch verify billing PRs #758 #759 #782: checkout, test, merge #919

pook referenced this pull request 2026-04-12 04:52:34 -04:00

Add Stripe webhook signature verification middleware returning 401 for unsigned requests #935

pook referenced this pull request 2026-04-12 05:25:49 -04:00

Verify and merge Zod webhook payload validation PR #759 #947

pook referenced this pull request 2026-04-12 06:33:31 -04:00

Review and merge Zod webhook payload validation PR #759 #976

pook referenced this pull request 2026-04-12 07:03:43 -04:00

Add CSRF protection middleware for cookie-based session auth #990

pook referenced this pull request 2026-04-12 08:13:36 -04:00

Review and merge PR #759 (Zod webhook payload validation) #1005

pook referenced this pull request 2026-04-12 08:54:24 -04:00

Merge 3 billing/subscription PRs: #706, #759, #782 #1015

pook referenced this pull request 2026-04-12 09:44:00 -04:00

Add test: Stripe webhook returns 400 for events missing required fields #1034

pook referenced this pull request 2026-04-12 14:03:43 -04:00

Review and merge PR #759 (Zod webhook payload validation) #1092

pook referenced this pull request 2026-04-12 16:33:02 -04:00

Review and merge PR #759: Zod webhook payload validation for Stripe events #1142

pook referenced this pull request 2026-04-12 16:44:20 -04:00

Wire Stripe webhook POST route into Express app #1147

pook referenced this pull request 2026-04-12 18:05:23 -04:00

Review and merge PR #759: Zod webhook payload validation #1172

pook referenced this pull request 2026-04-12 18:23:19 -04:00

Review PR #759: Zod webhook payload validation for Stripe events #1176

pook referenced this pull request 2026-04-12 20:16:07 -04:00

Review and merge PR #759: Zod webhook payload validation for Stripe events #1204

pook referenced this pull request 2026-04-13 08:45:28 -04:00

Test PR #759: Zod webhook payload validation for Stripe events #1246

pook referenced this pull request 2026-04-13 09:14:32 -04:00

Create src/billing/webhook-schema.ts with Zod validation for Stripe events #1253

pook referenced this pull request 2026-04-13 11:55:22 -04:00

Test PR #759 feat: Zod webhook payload validation for Stripe events #1293

pook referenced this pull request 2026-04-13 12:32:12 -04:00

Batch review and merge 3 security PRs: #767 (rate limit), #759 (webhook validation), #705 (OpenAI timeout) #1304

pook referenced this pull request 2026-04-13 14:43:53 -04:00

Review PR #759: Zod webhook payload validation for Stripe events #1344

pook referenced this pull request 2026-04-13 16:42:33 -04:00

Review and merge PR #759 Zod webhook payload validation #1387

pook referenced this pull request 2026-04-13 17:43:40 -04:00

Add Stripe subscription lifecycle webhook handlers for cancellation and updates #1409

pook referenced this pull request 2026-04-13 19:13:58 -04:00

Review and merge PR #759 — Zod webhook payload validation for Stripe events #1434

pook referenced this pull request 2026-04-13 21:25:23 -04:00

Review and merge PR #759 — Zod webhook payload validation for Stripe events #1461

pook referenced this pull request 2026-04-14 00:13:08 -04:00

Batch merge billing module PRs (#758, #776, #782, #706, #759) #1476

pook referenced this pull request 2026-04-14 00:25:12 -04:00

Verify billing module test suite passes on main after PR merges #1480

pook referenced this pull request 2026-04-14 01:14:17 -04:00

Review and merge PR #759 — Zod validation for Stripe webhook payloads #1498

pook referenced this pull request 2026-04-14 07:13:11 -04:00

Review and merge PR #759 — Zod webhook payload validation for Stripe events #1529

Some checks failed

Hide all checks

CI Quality Gate / Lint / Typecheck / Test / Build (pull_request) Has been cancelled

Details

This pull request has changes conflicting with the target branch.

• .forgejo/workflows/ci.yml
• bun.lock
• package.json
• packages/api/package.json
• packages/api/src/db/schema.ts
• packages/api/src/index.ts
• packages/api/src/middleware/csrf.ts
• packages/api/src/middleware/rate-limit.ts
• packages/api/src/middleware/security-headers.ts
• packages/api/src/routes/admin.ts
• packages/api/src/routes/billing.ts
• packages/api/src/routes/generate-tos.ts
• packages/api/src/routes/generate.ts
• packages/api/src/routes/health.ts
• packages/api/src/routes/questionnaire.ts
• packages/api/src/services/document-generator.ts
• packages/api/src/services/llm.ts
• packages/api/src/templates/index.ts
• packages/api/tsconfig.json
• packages/shared/src/types.ts
• packages/web/src/app/questionnaire/page.tsx
• packages/web/src/components/documents/DocumentList.tsx
• packages/web/src/components/questionnaire/ReviewStep.tsx

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin agent-task/756:agent-task/756

git switch agent-task/756

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

agent-task

Task for autonomous agent execution

  

agent-task

Paperclip autonomous agent task

No labels

agent-task

agent-task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

pook/compliancebot!759

No description provided.