admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Comprehensive admin + user dashboards (production-ready)

Browse Source
This commit is contained in:
Leon Serfaty
2026-06-07 17:54:30 -04:00
parent 155507f21a
commit f033f00379
122 changed files with 7878 additions and 805 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/billing/webhooks/stripe.ts
+10 -3
View File
@@ -2,7 +2,12 @@ import type Stripe from "stripe";
import { stripe } from "../stripe";
import { upsertSubscription } from "../subscription";
import { planFromStripePrice } from "../catalog";
import type { PlanKey } from "../plans";
import { PLAN_ORDER, type PlanKey } from "../plans";
/** Narrow attacker-influenceable metadata to a known PlanKey, else null. */
function planFromMetadata(value?: string | null): PlanKey | null {
return value && (PLAN_ORDER as string[]).includes(value) ? (value as PlanKey) : null;
}
function normalizeStatus(status: Stripe.Subscription.Status): string {
switch (status) {
@@ -23,9 +28,11 @@ async function syncStripeSubscription(
const item = sub.items.data[0];
const priceId = item?.price?.id;
const mapped = priceId ? planFromStripePrice(priceId) : null;
const plan = ((metadata?.plan as PlanKey) || mapped?.plan || "free") as PlanKey;
// metadata.plan is attacker-influenceable; only honour it if it's a known plan.
// The price-mapping fallback (derived from the real Stripe price) is preferred.
const plan: PlanKey = planFromMetadata(metadata?.plan) ?? mapped?.plan ?? "free";
const referenceId = metadata?.subjectId || sub.metadata?.subjectId;
if (!referenceId) {
if (!referenceId || referenceId.trim() === "") {
console.warn("[stripe] subscription without subjectId metadata, skipping", sub.id);
return;
}