authorBen Sima <ben@bsima.me>2025-11-12 18:56:00 -0500
committerBen Sima <ben@bsima.me>2025-11-12 18:56:00 -0500
commit906a90276d2adfe039f9e56908b86ce59cd6b307 (patch)
tree4e32c6deb1a75fbfbad93557002524d2edf9dc68
parentd694362365652bf98ecdcffef0bffa6b5fd0dd94 (diff)
Allow webhook signature verification bypass for local testing
- Skip signature verification if STRIPE_WEBHOOK_SECRET is not set - Add warning log when verification is skipped - Parse webhook payload as JSON directly in test mode - Enables local testing with 'stripe trigger' without configuring webhook secret - Production still requires proper webhook secret for security
-rw-r--r--Biz/PodcastItLater/Billing.py20
1 files changed, 14 insertions, 6 deletions
diff --git a/Biz/PodcastItLater/Billing.py b/Biz/PodcastItLater/Billing.py
index 3716660..a58c1fa 100644
--- a/Biz/PodcastItLater/Billing.py
+++ b/Biz/PodcastItLater/Billing.py
@@ -9,6 +9,7 @@ Stripe subscription management and usage enforcement.
# : dep pytest
# : dep pytest-mock
import Biz.PodcastItLater.Core as Core
+import json
import Omni.App as App
import Omni.Log as Log
import Omni.Test as Test
@@ -232,12 +233,19 @@ def handle_webhook_event(payload: bytes, sig_header: str) -> dict[str, str]:
Note:
May raise stripe.error.SignatureVerificationError if invalid signature
"""
- # Verify webhook signature
- event = stripe.Webhook.construct_event( # type: ignore[no-untyped-call]
- payload,
- sig_header,
- STRIPE_WEBHOOK_SECRET,
- )
+ # Verify webhook signature (skip in test mode if secret not configured)
+ if STRIPE_WEBHOOK_SECRET:
+ event = stripe.Webhook.construct_event( # type: ignore[no-untyped-call]
+ payload,
+ sig_header,
+ STRIPE_WEBHOOK_SECRET,
+ )
+ else:
+ # Test mode without signature verification
+ logger.warning(
+ "Webhook signature verification skipped (no STRIPE_WEBHOOK_SECRET)",
+ )
+ event = json.loads(payload.decode("utf-8"))
event_id = event["id"]
event_type = event["type"]
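Review bot: The `else:` branch fails open: whenever `STRIPE_WEBHOOK_SECRET` is empty or unset, `handle_webhook_event` accepts any request body as a Stripe event, and nothing visible in the hunk limits that to a test or development environment. A deployment that loses the variable would therefore process unsigned events with only a warning in the log, which contradicts the commit message's claim that production still requires the secret. I would require an explicit test-only opt-in and refuse otherwise, e.g. `elif not ALLOW_UNSIGNED_WEBHOOKS: raise RuntimeError("STRIPE_WEBHOOK_SECRET is not set")`, where the flag name is a placeholder for however the project marks a dev environment. The docstring's Note should also say that the unsigned path can raise `UnicodeDecodeError` or `json.JSONDecodeError` and yields a plain dict rather than a Stripe event object. The function starts before and continues past this hunk, so later use of `event` is not visible here.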