Sergei a74d6d5e92 fix(security): require STRIPE_WEBHOOK_SECRET for webhook signature verification ...

VULN-001: Remove insecure fallback that allowed processing webhooks without
signature verification when STRIPE_WEBHOOK_SECRET was not set.

Changes:
- Add startup check that exits with error if STRIPE_WEBHOOK_SECRET is missing
- Remove JSON.parse fallback that bypassed signature verification
- Always use stripe.webhooks.constructEvent() for webhook validation

This prevents attackers from forging webhook events to manipulate
orders, subscriptions, or other payment-related data.

2026-01-26 16:41:54 -08:00

..

migrations

feat(api): Add custom_name field to user_access table

2026-01-22 12:34:38 -08:00

public

Stable Light version - App Store submission

2026-01-12 20:28:18 -08:00

scripts

Update Stripe integration, API services, and purchase screens

2026-01-12 21:44:57 -08:00

src

fix(security): require STRIPE_WEBHOOK_SECRET for webhook signature verification

2026-01-26 16:41:54 -08:00

.env.example

Add Stripe checkout, OTP auth improvements, navigation updates

2025-12-24 13:44:10 -08:00

.gitignore

Add Node.js backend with Stripe integration and admin panel

2025-12-19 09:49:24 -08:00

package-lock.json

Show user role under beneficiary name

2026-01-09 19:08:12 -08:00

package.json

Update voice call, equipment tracking, and cleanup

2026-01-22 09:34:01 -08:00

run-migration.js

Add Node.js backend with Stripe integration and admin panel

2025-12-19 09:49:24 -08:00