fix: support svix-* headers for Polar webhooks, extend timestamp window

src/app/api/payments/polar/callback/route.ts

@@ -9,9 +9,13 @@ import { verifyPolarWebhook } from "@/lib/payments/polar";
 const PRO_VALIDITY_DAYS = 30;
 
 export async function POST(req: NextRequest): Promise<NextResponse> {
-  const webhookId = req.headers.get("webhook-id") ?? "";
+  // Polar, Svix altyapısı kullandığından hem webhook-* hem svix-* header'ları destekle
-  const webhookTimestamp = req.headers.get("webhook-timestamp") ?? "";
+  const webhookId =
-  const webhookSignature = req.headers.get("webhook-signature") ?? "";
+    req.headers.get("webhook-id") ?? req.headers.get("svix-id") ?? "";
+  const webhookTimestamp =
+    req.headers.get("webhook-timestamp") ?? req.headers.get("svix-timestamp") ?? "";
+  const webhookSignature =
+    req.headers.get("webhook-signature") ?? req.headers.get("svix-signature") ?? "";
 
   let rawBody: string;
   try {

src/lib/payments/polar.ts

@@ -64,9 +64,9 @@ export function verifyPolarWebhook(
 ): boolean {
   if (!WEBHOOK_SECRET) return false;
 
-  // Timestamp replay saldırısı koruması (5 dakika tolerans)
+  // Timestamp replay koruması (1 saat — Polar retry aralığı uzun olabilir)
   const ts = parseInt(webhookTimestamp, 10);
-  if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 300) return false;
+  if (isNaN(ts) || Math.abs(Date.now() / 1000 - ts) > 3600) return false;
 
   const signedContent = `${webhookId}.${webhookTimestamp}.${rawBody}`;