feat(gatekeeper): verify stripe signature

packages/server/app.ts

@@ -365,7 +365,15 @@ export async function init() {
   }
 
   app.use(corsMiddleware())
-  app.use(express.json({ limit: '100mb' }))
+  // there are some paths, that need the raw body
+  app.use((req, res, next) => {
+    const rawPaths = ['/api/v1/billing/webhooks']
+    if (rawPaths.includes(req.path)) {
+      express.raw({ type: 'application/json' })(req, res, next)
+    } else {
+      express.json({ limit: '100mb' })(req, res, next)
+    }
+  })
   app.use(express.urlencoded({ limit: `${getFileSizeLimitMB()}mb`, extended: false }))
 
   // Trust X-Forwarded-* headers (for https protocol detection)

packages/server/modules/gatekeeper/rest/billing.ts

@@ -139,7 +139,12 @@ router.post('/api/v1/billing/webhooks', async (req, res) => {
   let event: Stripe.Event
 
   try {
-    event = stripe.webhooks.constructEvent(req.body, sig, endpointSecret)
+    event = stripe.webhooks.constructEvent(
+      // yes, the express json middleware auto parses the payload and stri need it in a string
+      req.body,
+      sig,
+      endpointSecret
+    )
   } catch (err) {
     res.status(400).send(`Webhook Error: ${ensureError(err).message}`)
     return