From 906a90276d2adfe039f9e56908b86ce59cd6b307 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Wed, 12 Nov 2025 18:56:00 -0500 Subject: Allow webhook signature verification bypass for local testing - Skip signature verification if STRIPE_WEBHOOK_SECRET is not set - Add warning log when verification is skipped - Parse webhook payload as JSON directly in test mode - Enables local testing with 'stripe trigger' without configuring webhook secret - Production still requires proper webhook secret for security --- Biz/PodcastItLater/Billing.py | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/Biz/PodcastItLater/Billing.py b/Biz/PodcastItLater/Billing.py index 3716660..a58c1fa 100644 --- a/Biz/PodcastItLater/Billing.py +++ b/Biz/PodcastItLater/Billing.py @@ -9,6 +9,7 @@ Stripe subscription management and usage enforcement. # : dep pytest # : dep pytest-mock import Biz.PodcastItLater.Core as Core +import json import Omni.App as App import Omni.Log as Log import Omni.Test as Test @@ -232,12 +233,19 @@ def handle_webhook_event(payload: bytes, sig_header: str) -> dict[str, str]: Note: May raise stripe.error.SignatureVerificationError if invalid signature """ - # Verify webhook signature - event = stripe.Webhook.construct_event( # type: ignore[no-untyped-call] - payload, - sig_header, - STRIPE_WEBHOOK_SECRET, - ) + # Verify webhook signature (skip in test mode if secret not configured) + if STRIPE_WEBHOOK_SECRET: + event = stripe.Webhook.construct_event( # type: ignore[no-untyped-call] + payload, + sig_header, + STRIPE_WEBHOOK_SECRET, + ) + else: + # Test mode without signature verification + logger.warning( + "Webhook signature verification skipped (no STRIPE_WEBHOOK_SECRET)", + ) + event = json.loads(payload.decode("utf-8")) event_id = event["id"] event_type = event["type"] -- cgit v1.2.3