From 89830aa28f91a745eec0dc706a2ee741c0022d0c Mon Sep 17 00:00:00 2001
From: kovakmedya
Date: Mon, 4 May 2026 18:32:56 +0300
Subject: [PATCH] fix: support svix-* headers for Polar webhooks, extend timestamp window
---
 src/app/api/payments/polar/callback/route.ts | 10 +++++++---
 src/lib/payments/polar.ts | 4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/app/api/payments/polar/callback/route.ts b/src/app/api/payments/polar/callback/route.ts
index 61a7750..1a38e67 100644
--- a/src/app/api/payments/polar/callback/route.ts
+++ b/src/app/api/payments/polar/callback/route.ts
@@ -9,9 +9,13 @@ import { verifyPolarWebhook } from "@/lib/payments/polar";
 const PRO_VALIDITY_DAYS = 30;
 export async function POST(req: NextRequest): Promise {
- const webhookId = req.headers.get("webhook-id") ?? "";
- const webhookTimestamp = req.headers.get("webhook-timestamp") ?? "";
- const webhookSignature = req.headers.get("webhook-signature") ?? "";
+ // Polar, Svix altyapısı kullandığından hem webhook-* hem svix-* header'ları destekle
+ const webhookId =
+ req.headers.get("webhook-id") ?? req.headers.get("svix-id") ?? "";
+ const webhookTimestamp =
+ req.headers.get("webhook-timestamp") ?? req.headers.get("svix-timestamp") ?? "";
+ const webhookSignature =
+ req.headers.get("webhook-signature") ?? req.headers.get("svix-signature") ?? "";
 let rawBody: string;
 try {
diff --git a/src/lib/payments/polar.ts b/src/lib/payments/polar.ts
index d3e0275..4408888 100644
--- a/src/lib/payments/polar.ts
+++ b/src/lib/payments/polar.ts
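Review bot: Each of the three lookups on the added `const webhookId =`, `const webhookTimestamp =` and `const webhookSignature =` lines falls back to its `svix-*` twin independently, so id, timestamp and signature can be assembled from a mix of the two header families; since the verifier signs `${webhookId}.${webhookTimestamp}.${rawBody}`, a mixed triple is still either valid or rejected, but it is presumably harder to diagnose when a delivery is rejected. Choosing the family once, `const family = req.headers.has("webhook-id") ? "webhook" : "svix";` and then `req.headers.get(family + "-id") ?? ""` for each value, keeps the triple consistent and removes the duplicated lookup. The new comment would also be clearer in English and should state that `webhook-*` wins when both families are present. POST's body continues past the hunk.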
@@ -64,9 +64,9 @@ export function verifyPolarWebhook(
 ): boolean {
 if (!WEBHOOK_SECRET) return false;
- // Timestamp replay saldırısı koruması (5 dakika tolerans)
+ // Timestamp replay koruması (1 saat — Polar retry aralığı uzun olabilir)
 const ts = parseInt(webhookTimestamp, 10);
- if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 300) return false;
+ if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 3600) return false;
 const signedContent = `${webhookId}.${webhookTimestamp}.${rawBody}`;
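Review bot: Raising the tolerance on the `if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 3600)` line accepts deliveries up to an hour old, a twelvefold wider replay window than before; that is only acceptable if the caller also rejects a `webhookId` it has already processed, and nothing on this page shows such dedupe. As far as I know Svix re-signs every retry attempt with the attempt's own timestamp, so a long window should not be needed to accommodate Polar retries — worth confirming against Polar's documentation before keeping `3600`. Whatever value stays, name it, `const TIMESTAMP_TOLERANCE_SECONDS = 3600;`, and have the comment record the trade-off and the idempotency check it relies on. verifyPolarWebhook's signature starts before the hunk and its body continues after `signedContent`.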