fix: make stripe webhooks explicitly toggleable with mandatory secret validation #23

Merged
hodlbod merged 1 commits from userAdityaa/caravel:webhook-signature into master 2026-04-17 22:57:38 +00:00
Contributor

Summary

This PR keeps webhook verification secure while restoring local development ergonomics. Webhook processing remains opt-in via STRIPE_WEBHOOKS_ENABLED, and local defaults now avoid startup failures when webhook testing is not needed.

Changes

  • Add STRIPE_WEBHOOKS_ENABLED boolean toggle (default: false in debug builds,
    true in release builds)
  • Require STRIPE_WEBHOOK_SECRET only when STRIPE_WEBHOOKS_ENABLED=true
  • Conditionally register /stripe/webhook route based on enablement
  • Guard webhook handler against disabled-mode execution
  • Update env template defaults for developer ergonomics
  • Add comprehensive constructor and integration test coverage
  • Fix clippy lint violations and async lock hygiene in tests

Local dev: Can run without STRIPE_WEBHOOK_SECRET when webhooks are disabled
(default for debug builds).

closes #19

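The toggle and gating rules described above, worked through as an added example. This is not code from the PR or from the caravel project: it is written in Python with the standard library only (the project itself is Rust), so `load_webhook_config`, `handle_webhook`, the `debug_build` flag standing in for a debug-vs-release build check, the `whsec_test` / `whsec_dummy_local` secrets and the sample event payload are all constructed for illustration. What it does take from Stripe's published scheme is the `Stripe-Signature` header format (`t=<unix time>,v1=<hex HMAC>`), the HMAC-SHA256 over `"<t>.<raw body>"`, and the 300-second default tolerance. It also shows the behaviour the reviewer relies on below: with a placeholder secret, a real signed webhook is rejected rather than accepted.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


@dataclass(frozen=True)
class WebhookConfig:
    enabled: bool
    secret: Optional[str]


def load_webhook_config(env: Dict[str, str], debug_build: bool) -> WebhookConfig:
    """Constructed equivalent of the PR's rule: webhooks default to off in debug
    builds and on in release builds; the secret is mandatory only when enabled."""
    raw = env.get("STRIPE_WEBHOOKS_ENABLED")
    enabled = (not debug_build) if raw is None else raw.strip().lower() in ("1", "true", "yes")
    secret = env.get("STRIPE_WEBHOOK_SECRET") or None
    if enabled and secret is None:
        # Fail at startup, not at the first incoming event.
        raise RuntimeError("STRIPE_WEBHOOK_SECRET is required when STRIPE_WEBHOOKS_ENABLED=true")
    return WebhookConfig(enabled=enabled, secret=secret)


def _parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Parse 't=...,v1=...,v1=...' (several v1 entries appear during secret rotation)."""
    timestamp = None
    v1_signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            v1_signatures.append(value)
    if timestamp is None or not v1_signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, v1_signatures


def _expected_signature(secret: str, timestamp: int, payload: bytes) -> str:
    # Stripe signs the raw request body, so the payload must not be re-serialised.
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_stripe_signature(payload: bytes, header: str, secret: str,
                            now: Optional[int] = None,
                            tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    try:
        timestamp, v1_signatures = _parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated: treat as a replay
    expected = _expected_signature(secret, timestamp, payload).encode()
    # Constant-time compare against every v1 candidate; byte compare tolerates non-hex junk.
    return any(hmac.compare_digest(expected, sig.encode()) for sig in v1_signatures)


def sign_like_stripe(secret: str, payload: bytes, timestamp: int) -> str:
    """Constructed stand-in for Stripe's signer (what `stripe listen` would send)."""
    return f"t={timestamp},v1={_expected_signature(secret, timestamp, payload)}"


def handle_webhook(config: WebhookConfig, payload: bytes, header: str, now: int) -> int:
    """Return the HTTP status a gated /stripe/webhook route would produce."""
    if not config.enabled:
        return 404  # route was never registered
    if config.secret is None:
        return 500  # constructor invariant violated: fail closed, never skip verification
    if not verify_stripe_signature(payload, header, config.secret, now):
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample event and clock for a stand-alone run.
    body = b'{"id":"evt_example","type":"checkout.session.completed"}'
    clock = 1_700_000_000
    live = load_webhook_config({"STRIPE_WEBHOOKS_ENABLED": "true",
                                "STRIPE_WEBHOOK_SECRET": "whsec_test"}, debug_build=True)
    dummy = load_webhook_config({"STRIPE_WEBHOOKS_ENABLED": "true",
                                 "STRIPE_WEBHOOK_SECRET": "whsec_dummy_local"}, debug_build=True)
    header = sign_like_stripe("whsec_test", body, clock)
    print("real secret:", handle_webhook(live, body, header, clock))
    print("dummy secret:", handle_webhook(dummy, body, header, clock))
    print("disabled:", handle_webhook(load_webhook_config({}, debug_build=True), body, header, clock))
```

The dummy-secret path is the reviewer's alternative: startup succeeds, the route exists, and any genuine Stripe event simply fails verification with a 400 rather than being processed unverified.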
hodlbod reviewed 2026-04-17 18:18:52 +00:00
hodlbod left a comment
Owner

I think it would be simpler to just provide a fake secret for local testing. It would only blow up when receiving a webhook, which would never happen.

userAdityaa added 1 commit 2026-04-17 22:31:44 +00:00
userAdityaa force-pushed webhook-signature from 5a9022bffc to c9f9e3d19f 2026-04-17 22:31:44 +00:00 Compare
Author
Contributor

> I think it would be simpler to just provide a fake secret for local testing. It would only blow up when receiving a webhook, which would never happen.

That’s a clean and straightforward approach. I hadn’t thought of it before, I've now pushed a change to use a dummy secret for local testing.

hodlbod merged commit 44f9928070 into master 2026-04-17 22:57:38 +00:00

Reference: coracle/caravel#23