fix: support svix-* headers for Polar webhooks, extend timestamp window

kovakmedya
2026-05-04 18:32:56 +03:00
parent 106c33d1b4
commit 89830aa28f
2 changed files with 9 additions and 5 deletions
+7 -3
@@ -9,9 +9,13 @@ import { verifyPolarWebhook } from "@/lib/payments/polar";
const PRO_VALIDITY_DAYS = 30;
export async function POST(req: NextRequest): Promise<NextResponse> {
const webhookId = req.headers.get("webhook-id") ?? "";
const webhookTimestamp = req.headers.get("webhook-timestamp") ?? "";
const webhookSignature = req.headers.get("webhook-signature") ?? "";
// Polar, Svix altyapısı kullandığından hem webhook-* hem svix-* header'ları destekle
const webhookId =
req.headers.get("webhook-id") ?? req.headers.get("svix-id") ?? "";
const webhookTimestamp =
req.headers.get("webhook-timestamp") ?? req.headers.get("svix-timestamp") ?? "";
const webhookSignature =
req.headers.get("webhook-signature") ?? req.headers.get("svix-signature") ?? "";
let rawBody: string;
try {
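Review bot: The three `??` fallbacks are resolved independently, so a request carrying a partial mix of `webhook-*` and `svix-*` headers (for instance after a proxy rewrites some of them) yields an id, timestamp and signature taken from different families, and verification then fails for a reason that is hard to see in logs. Pick the family once, e.g. `const prefix = req.headers.has("webhook-signature") ? "webhook" : "svix";`, and read `${prefix}-id`, `${prefix}-timestamp` and `${prefix}-signature` from it. Missing headers still collapse to `""` here; whether the handler rejects those before doing any work is decided below the hunk, since the body of POST continues past the `try {`.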
+2 -2
@@ -64,9 +64,9 @@ export function verifyPolarWebhook(
): boolean {
if (!WEBHOOK_SECRET) return false;
// Timestamp replay saldırısı koruması (5 dakika tolerans)
// Timestamp replay koruması (1 saat — Polar retry aralığı uzun olabilir)
const ts = parseInt(webhookTimestamp, 10);
if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 300) return false;
if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 3600) return false;
const signedContent = `${webhookId}.${webhookTimestamp}.${rawBody}`;
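Review bot: Raising the tolerance in `Math.abs(Date.now() / 1000 - ts) > 3600` makes a captured, validly signed delivery replayable for an hour instead of five minutes, and nothing in the visible lines deduplicates on `webhookId`. Under the Standard Webhooks convention the timestamp is, as far as I know, set per delivery attempt, so long retry spacing should not need a wider window; confirm against Polar's documentation before keeping 3600. If the wider window stays, the handler should record processed `webhookId` values for at least the tolerance period and ignore repeats, so that a repeated event is not applied twice. A named constant such as `const TIMESTAMP_TOLERANCE_SECONDS = 300;` would also keep the value and its comment from drifting apart. The rest of verifyPolarWebhook, including the signature comparison, lies outside the hunk.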