fix: support svix-* headers for Polar webhooks, extend timestamp window

2026-05-04 18:32:56 +03:00
parent 106c33d1b4
commit 89830aa28f
2 changed files with 9 additions and 5 deletions
@@ -64,9 +64,9 @@ export function verifyPolarWebhook(
 ): boolean {
  if (!WEBHOOK_SECRET) return false;

-  // Timestamp replay saldırısı koruması (5 dakika tolerans)
+  // Timestamp replay koruması (1 saat — Polar retry aralığı uzun olabilir)
  const ts = parseInt(webhookTimestamp, 10);
-  if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 300) return false;
+  if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 3600) return false;

  const signedContent = `${webhookId}.${webhookTimestamp}.${rawBody}`;