From 43c57c4225c6992f86cdcecaceddee2d456dd600 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Jedlicska?=
Date: Fri, 11 Oct 2024 21:57:22 +0200
Subject: [PATCH] feat(gatekeeper): verify stripe signature

---
 packages/server/app.ts | 10 +++++++++-
 packages/server/modules/gatekeeper/rest/billing.ts | 7 ++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/packages/server/app.ts b/packages/server/app.ts
index 249b37f09..a35a5c366 100644
--- a/packages/server/app.ts
+++ b/packages/server/app.ts
@@ -365,7 +365,15 @@ export async function init() {
   }
 
   app.use(corsMiddleware())
-  app.use(express.json({ limit: '100mb' }))
+  // there are some paths, that need the raw body
+  app.use((req, res, next) => {
+    const rawPaths = ['/api/v1/billing/webhooks']
+    if (rawPaths.includes(req.path)) {
+      express.raw({ type: 'application/json' })(req, res, next)
+    } else {
+      express.json({ limit: '100mb' })(req, res, next)
+    }
+  })
   app.use(express.urlencoded({ limit: `${getFileSizeLimitMB()}mb`, extended: false }))
 
   // Trust X-Forwarded-* headers (for https protocol detection)
diff --git a/packages/server/modules/gatekeeper/rest/billing.ts b/packages/server/modules/gatekeeper/rest/billing.ts
index dd2ac3afc..205d0bffc 100644
--- a/packages/server/modules/gatekeeper/rest/billing.ts
+++ b/packages/server/modules/gatekeeper/rest/billing.ts
@@ -139,7 +139,12 @@ router.post('/api/v1/billing/webhooks', async (req, res) => {
   let event: Stripe.Event
   try {
-    event = stripe.webhooks.constructEvent(req.body, sig, endpointSecret)
+    event = stripe.webhooks.constructEvent(
+      // yes, the express json middleware auto parses the payload and stri need it in a string
+      req.body,
+      sig,
+      endpointSecret
+    )
   } catch (err) {
     res.status(400).send(`Webhook Error: ${ensureError(err).message}`)
     return
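Review bot: The two body parsers are constructed inside the per-request closure, so `express.raw(...)` and `express.json(...)` build a fresh middleware on every request; hoist them once above the `app.use`, e.g. `const rawJsonParser = express.raw({ type: 'application/json' })` and `const jsonParser = express.json({ limit: '100mb' })`, and call those in the two branches. `rawPaths.includes(req.path)` is an exact, case-sensitive comparison while Express routing is non-strict and case-insensitive by default, so a variant such as `/api/v1/billing/webhooks/` would still reach the webhook route but with an already-parsed body and fail signature verification with a 400 — fail-closed, which is the right outcome, but worth a comment so the behaviour is not mistaken for a bug. The raw parser passes no `limit`, so it falls back to body-parser's default (100kb) rather than the 100mb used for JSON; that is a sensible bound for webhook payloads, but confirm it is intentional. The path literal duplicates the route string in billing.ts; exporting it from one place would keep the allowlist and the route from drifting apart. The enclosing `init()` function starts and ends outside the hunk.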