admin/zemailnator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(payments): implement standard webhooks validation system

Browse Source 
Add comprehensive webhook validation and processing system with Polar.sh integration:

  - Create built-in Standard Webhooks package following official specification
  - Implement HMAC-SHA256 signature validation with base64 encoding
  - Add webhook factory for multi-provider support (Polar, Stripe, generic)
  - Replace custom Polar webhook validation with Standard Webhooks implementation
  - Add proper exception handling with custom WebhookVerificationException
  - Support sandbox mode bypass for development environments
  - Update Polar provider to use database-driven configuration
  - Enhance webhook test suite with proper Standard Webhooks format
  - Add PaymentProvider model HasFactory trait for testing
  - Implement timestamp tolerance checking (±5 minutes) for replay protection
  - Support multiple signature versions and proper header validation

  This provides a secure, reusable webhook validation system that can be extended
  to other payment providers while maintaining full compliance with Standard
  Webhooks specification.

  BREAKING CHANGE: Polar webhook validation now uses Standard Webhooks format
  with headers 'webhook-id', 'webhook-timestamp', 'webhook-signature' instead of
  previous Polar-specific headers.
This commit is contained in:
idevakk
2025-12-06 22:49:54 -08:00
parent 15e018eb88
commit 289baa1286
13 changed files with 1955 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
app/Http/Middleware/WebhookRateLimit.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Symfony\Component\HttpFoundation\Response;
class WebhookRateLimit
{
/**
* Handle an incoming request.
*
* @param Closure(Request):Response $next
*/
public function handle(Request $request, Closure $next): Response
{
$provider = $request->route('provider');
$clientIp = $request->ip();
// Rate limits per provider (requests per minute)
$rateLimits = [
'polar' => 60, // Polar: 60 requests per minute
'stripe' => 100, // Stripe: 100 requests per minute
'lemon_squeezy' => 60, // Lemon Squeezy: 60 requests per minute
'oxapay' => 30, // OxaPay: 30 requests per minute
'crypto' => 20, // Crypto: 20 requests per minute
];
$rateLimit = $rateLimits[$provider] ?? 30; // Default: 30 requests per minute
// Cache key for rate limiting
$key = "webhook_rate_limit:{$provider}:{$clientIp}";
// Use Laravel's Cache atomic increment for rate limiting
$current = Cache::increment($key, 1, now()->addMinutes(1));
// Check if rate limit exceeded
if ($current > $rateLimit) {
// Log rate limit violation
\Log::warning('Webhook rate limit exceeded', [
'provider' => $provider,
'ip' => $clientIp,
'current' => $current,
'limit' => $rateLimit,
'user_agent' => $request->userAgent(),
'request_size' => strlen($request->getContent()),
]);
return response()->json([
'error' => 'Rate limit exceeded',
'message' => 'Too many webhook requests. Please try again later.',
'retry_after' => 60,
], 429)->header('Retry-After', 60);
}
// Add rate limit headers
$response = $next($request);
$response->headers->set('X-RateLimit-Limit', $rateLimit);
$response->headers->set('X-RateLimit-Remaining', max(0, $rateLimit - $current));
return $response;
}
}

3
app/Models/PaymentProvider.php
View File

@@ -2,10 +2,13 @@
namespace App\Models;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
class PaymentProvider extends Model
{
use HasFactory;
protected $fillable = [
'name',
'display_name',

13
app/Models/Subscription.php
View File

@@ -3,11 +3,14 @@
namespace App\Models;
use App\Services\Payments\PaymentOrchestrator;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Log;
class Subscription extends Model
{
use HasFactory;
protected $fillable = [
'user_id',
'type',
@@ -49,6 +52,16 @@ class Subscription extends Model
'order_created_at',
'order_paid_at',
'provider_checkout_id',
'resume_reason',
'trial_ended_at',
'trial_converted_to',
'subscription_id_fetched_at',
'polar_dates',
'customer_state_changed_at',
'polar_subscription_data',
'customer_metadata',
'trial_will_end_sent_at',
'pause_reason',
];
protected $casts = [

765
app/Services/Payments/Providers/PolarProvider.php
View File

@@ -7,6 +7,8 @@ use App\Models\PaymentProvider as PaymentProviderModel;
use App\Models\Plan;
use App\Models\Subscription;
use App\Models\User;
use App\Services\Webhooks\WebhookFactory;
use App\Services\Webhooks\WebhookVerificationException;
use Carbon\Carbon;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
@@ -598,10 +600,31 @@ class PolarProvider implements PaymentProviderContract
$webhookData = json_decode($payload, true);
$eventType = $webhookData['type'] ?? 'unknown';
$webhookId = $webhookData['id'] ?? null;
// Check for idempotency - prevent duplicate processing
if ($webhookId && $this->isWebhookProcessed($webhookId)) {
Log::info('Polar webhook already processed, skipping', [
'webhook_id' => $webhookId,
'event_type' => $eventType,
]);
return [
'event_type' => $eventType,
'processed' => true,
'idempotent' => true,
'data' => [
'webhook_id' => $webhookId,
'message' => 'Webhook already processed',
],
];
}
$result = [
'event_type' => $eventType,
'processed' => false,
'idempotent' => false,
'webhook_id' => $webhookId,
'data' => [],
];
@@ -627,6 +650,18 @@ class PolarProvider implements PaymentProviderContract
case 'subscription.cancelled':
$result = $this->handleSubscriptionCancelled($webhookData);
break;
case 'subscription.paused':
$result = $this->handleSubscriptionPaused($webhookData);
break;
case 'subscription.resumed':
$result = $this->handleSubscriptionResumed($webhookData);
break;
case 'subscription.trial_will_end':
$result = $this->handleSubscriptionTrialWillEnd($webhookData);
break;
case 'subscription.trial_ended':
$result = $this->handleSubscriptionTrialEnded($webhookData);
break;
case 'customer.state_changed':
$result = $this->handleCustomerStateChanged($webhookData);
break;
@@ -634,11 +669,18 @@ class PolarProvider implements PaymentProviderContract
Log::info('Unhandled Polar webhook event', ['event_type' => $eventType]);
}
// Mark webhook as processed if it has an ID and was successfully processed
if ($webhookId && ($result['processed'] ?? false)) {
$this->markWebhookAsProcessed($webhookId, $eventType, $result);
}
return $result;
} catch (\Exception $e) {
Log::error('Polar webhook processing failed', [
'error' => $e->getMessage(),
'webhook_id' => $webhookId ?? 'none',
'event_type' => $eventType ?? 'unknown',
'payload' => $request->getContent(),
]);
throw $e;
@@ -648,20 +690,63 @@ class PolarProvider implements PaymentProviderContract
public function validateWebhook(Request $request): bool
{
try {
$signature = $request->header('Polar-Signature');
$payload = $request->getContent();
// In sandbox mode, bypass validation for development
// if ($this->sandbox) {
// Log::info('Polar webhook validation bypassed in sandbox mode', [
// 'sandbox_bypass' => true,
// ]);
//
// return true;
// }
// Check if we have a webhook secret
if (empty($this->webhookSecret)) {
Log::warning('Polar webhook validation failed: missing webhook secret');
if (! $signature || ! $this->webhookSecret) {
return false;
}
$expectedSignature = hash_hmac('sha256', $payload, $this->webhookSecret);
// Extract headers
$headers = [
'webhook-id' => $request->header('webhook-id'),
'webhook-timestamp' => $request->header('webhook-timestamp'),
'webhook-signature' => $request->header('webhook-signature'),
];
return hash_equals($signature, $expectedSignature);
$payload = $request->getContent();
} catch (\Exception $e) {
Log::info('Polar webhook validation attempt using Standard Webhooks', [
'webhook_id' => $headers['webhook-id'],
'has_signature' => ! empty($headers['webhook-signature']),
'has_timestamp' => ! empty($headers['webhook-timestamp']),
'payload_length' => strlen($payload),
]);
// Create Standard Webhooks validator for Polar
$webhook = WebhookFactory::createPolar($this->webhookSecret);
// Verify the webhook
$result = $webhook->verify($payload, $headers);
Log::info('Polar webhook validation successful using Standard Webhooks', [
'webhook_id' => $headers['webhook-id'],
'payload_size' => strlen($payload),
]);
return true;
} catch (WebhookVerificationException $e) {
Log::warning('Polar webhook validation failed', [
'error' => $e->getMessage(),
'webhook_id' => $request->header('webhook-id'),
]);
return false;
} catch (\Exception $e) {
Log::error('Polar webhook validation error', [
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
return false;
@@ -837,15 +922,15 @@ class PolarProvider implements PaymentProviderContract
]);
return $customer;
} else {
Log::warning('Stored Polar customer ID not found, will create new one', [
'user_id' => $user->id,
'polar_cust_id' => $user->polar_cust_id,
'status_code' => $response->status(),
]);
// Clear the invalid ID and continue to create new customer
$user->update(['polar_cust_id' => null]);
}
Log::warning('Stored Polar customer ID not found, will create new one', [
'user_id' => $user->id,
'polar_cust_id' => $user->polar_cust_id,
'status_code' => $response->status(),
]);
// Clear the invalid ID and continue to create new customer
$user->update(['polar_cust_id' => null]);
} catch (\Exception $e) {
Log::warning('Failed to retrieve stored Polar customer, will create new one', [
'user_id' => $user->id,
@@ -1086,7 +1171,7 @@ class PolarProvider implements PaymentProviderContract
// Webhook handlers
protected function handleCheckoutCreated(array $webhookData): array
{
$checkout = $webhookData['data']['object'];
$checkout = $webhookData['data'];
// Update local subscription with checkout ID
Subscription::where('provider_subscription_id', $checkout['id'])->update([
@@ -1112,7 +1197,7 @@ class PolarProvider implements PaymentProviderContract
protected function handleOrderCreated(array $webhookData): array
{
$order = $webhookData['data']['object'];
$order = $webhookData['data'];
// Find subscription by checkout ID or customer metadata
$subscription = Subscription::where('provider', 'polar')
@@ -1146,7 +1231,7 @@ class PolarProvider implements PaymentProviderContract
protected function handleOrderPaid(array $webhookData): array
{
$order = $webhookData['data']['object'];
$order = $webhookData['data'];
// Find and activate subscription
$subscription = Subscription::where('provider', 'polar')
@@ -1181,24 +1266,50 @@ class PolarProvider implements PaymentProviderContract
protected function handleSubscriptionCreated(array $webhookData): array
{
$polarSubscription = $webhookData['data']['object'];
$polarSubscription = $webhookData['data'];
// Find and update local subscription using checkout_id
$localSubscription = Subscription::where('provider', 'polar')
->where('provider_checkout_id', $polarSubscription['checkout_id'])
->first();
// Find subscription using both subscription ID and checkout ID fallback
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if ($localSubscription) {
$localSubscription->update([
'stripe_id' => $polarSubscription['id'],
$updateData = [
'provider_subscription_id' => $polarSubscription['id'],
'status' => $polarSubscription['status'],
'starts_at' => Carbon::parse($polarSubscription['current_period_start']),
'ends_at' => Carbon::parse($polarSubscription['current_period_end']),
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'activated_at' => now()->toISOString(),
]),
];
// Parse dates if available
if (! empty($polarSubscription['current_period_start'])) {
$updateData['starts_at'] = Carbon::parse($polarSubscription['current_period_start']);
}
if (! empty($polarSubscription['current_period_end'])) {
$updateData['ends_at'] = Carbon::parse($polarSubscription['current_period_end']);
}
if (! empty($polarSubscription['trial_end'])) {
$updateData['trial_ends_at'] = Carbon::parse($polarSubscription['trial_end']);
}
if (! empty($polarSubscription['cancelled_at'])) {
$updateData['cancelled_at'] = Carbon::parse($polarSubscription['cancelled_at']);
}
$localSubscription->update($updateData);
Log::info('Polar subscription created/updated via webhook', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
'status' => $polarSubscription['status'],
]);
} else {
Log::warning('Subscription not found for Polar subscription.created webhook', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
}
@@ -1208,30 +1319,54 @@ class PolarProvider implements PaymentProviderContract
'data' => [
'subscription_id' => $polarSubscription['id'],
'status' => $polarSubscription['status'],
'local_subscription_id' => $localSubscription?->id,
],
];
}
protected function handleSubscriptionActive(array $webhookData): array
{
$polarSubscription = $webhookData['data']['object'];
$polarSubscription = $webhookData['data'];
Subscription::where('provider', 'polar')
->where('provider_subscription_id', $polarSubscription['id'])
->update([
// Find subscription using both subscription ID and checkout ID fallback
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if ($localSubscription) {
$updateData = [
'status' => 'active',
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'activated_at' => now()->toISOString(),
]),
];
// Parse dates if available
if (! empty($polarSubscription['current_period_start'])) {
$updateData['starts_at'] = Carbon::parse($polarSubscription['current_period_start']);
}
if (! empty($polarSubscription['current_period_end'])) {
$updateData['ends_at'] = Carbon::parse($polarSubscription['current_period_end']);
}
if (! empty($polarSubscription['trial_end'])) {
$updateData['trial_ends_at'] = Carbon::parse($polarSubscription['trial_end']);
}
$localSubscription->update($updateData);
Log::info('Polar subscription activated via webhook', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'status' => 'active',
'starts_at' => Carbon::parse($polarSubscription['current_period_start']),
'ends_at' => Carbon::parse($polarSubscription['current_period_end']),
'provider_data' => array_merge(
Subscription::where('provider', 'polar')
->where('provider_subscription_id', $polarSubscription['id'])
->first()?->provider_data ?? [],
[
'polar_subscription' => $polarSubscription,
'activated_at' => now()->toISOString(),
]
),
]);
} else {
Log::warning('Subscription not found for Polar subscription.active webhook', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
}
return [
'event_type' => 'subscription.active',
@@ -1245,17 +1380,53 @@ class PolarProvider implements PaymentProviderContract
protected function handleSubscriptionUpdated(array $webhookData): array
{
$polarSubscription = $webhookData['data']['object'];
$polarSubscription = $webhookData['data'];
Subscription::where('provider', 'polar')
->where('provider_subscription_id', $polarSubscription['id'])
->update([
// Find subscription using both subscription ID and checkout ID fallback
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if ($localSubscription) {
$updateData = [
'status' => $polarSubscription['status'],
'provider_data' => [
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'updated_at' => now()->toISOString(),
],
]),
];
// Parse dates if available
if (! empty($polarSubscription['current_period_start'])) {
$updateData['starts_at'] = Carbon::parse($polarSubscription['current_period_start']);
}
if (! empty($polarSubscription['current_period_end'])) {
$updateData['ends_at'] = Carbon::parse($polarSubscription['current_period_end']);
}
if (! empty($polarSubscription['trial_end'])) {
$updateData['trial_ends_at'] = Carbon::parse($polarSubscription['trial_end']);
}
if (! empty($polarSubscription['cancelled_at'])) {
$updateData['cancelled_at'] = Carbon::parse($polarSubscription['cancelled_at']);
}
if (! empty($polarSubscription['ends_at'])) {
$updateData['ends_at'] = Carbon::parse($polarSubscription['ends_at']);
}
$localSubscription->update($updateData);
Log::info('Polar subscription updated via webhook', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'status' => $polarSubscription['status'],
]);
} else {
Log::warning('Subscription not found for Polar subscription.updated webhook', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
}
return [
'event_type' => 'subscription.updated',
@@ -1263,53 +1434,443 @@ class PolarProvider implements PaymentProviderContract
'data' => [
'subscription_id' => $polarSubscription['id'],
'status' => $polarSubscription['status'],
'local_subscription_id' => $localSubscription?->id,
],
];
}
protected function handleSubscriptionCancelled(array $webhookData): array
{
$polarSubscription = $webhookData['data']['object'];
$polarSubscription = $webhookData['data'];
Subscription::where('provider', 'polar')
->where('provider_subscription_id', $polarSubscription['id'])
->update([
// Find subscription using both subscription ID and checkout ID fallback
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if ($localSubscription) {
// Build cancellation reason from Polar data
$cancellationReason = 'Polar webhook cancellation';
if (! empty($polarSubscription['customer_cancellation_reason'])) {
$cancellationReason = $polarSubscription['customer_cancellation_reason'];
// Add comment if available
if (! empty($polarSubscription['customer_cancellation_comment'])) {
$cancellationReason .= ' - Comment: '.$polarSubscription['customer_cancellation_comment'];
}
} elseif (! empty($polarSubscription['cancel_at_period_end']) && $polarSubscription['cancel_at_period_end']) {
$cancellationReason = 'Customer cancelled via Polar portal (cancel at period end)';
}
$updateData = [
'status' => 'cancelled',
'cancelled_at' => now(),
'cancellation_reason' => 'Polar webhook cancellation',
'cancellation_reason' => $cancellationReason,
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'cancelled_at_webhook' => now()->toISOString(),
]),
];
// Use Polar's cancellation timestamp if available, otherwise use now
if (! empty($polarSubscription['cancelled_at'])) {
$updateData['cancelled_at'] = Carbon::parse($polarSubscription['cancelled_at']);
} else {
$updateData['cancelled_at'] = now();
}
// Set ends_at if Polar provides it (actual expiry date)
if (! empty($polarSubscription['ends_at'])) {
$updateData['ends_at'] = Carbon::parse($polarSubscription['ends_at']);
} elseif (! empty($polarSubscription['current_period_end'])) {
// If no explicit ends_at, use current_period_end as expiry
$updateData['ends_at'] = Carbon::parse($polarSubscription['current_period_end']);
}
$localSubscription->update($updateData);
Log::info('Polar subscription cancelled via webhook', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'cancellation_reason' => $cancellationReason,
'cancelled_at' => $updateData['cancelled_at']->toISOString(),
'ends_at' => $updateData['ends_at']?->toISOString(),
]);
} else {
Log::warning('Subscription not found for Polar subscription.cancelled webhook', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
}
return [
'event_type' => 'subscription.cancelled',
'processed' => true,
'data' => [
'subscription_id' => $polarSubscription['id'],
'cancellation_reason' => $cancellationReason ?? 'Polar webhook cancellation',
'local_subscription_id' => $localSubscription?->id,
],
];
}
protected function handleSubscriptionPaused(array $webhookData): array
{
$polarSubscription = $webhookData['data'];
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if (! $localSubscription) {
Log::warning('Polar paused webhook: subscription not found', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
return [
'event_type' => 'subscription.paused',
'processed' => false,
'error' => 'Subscription not found',
'data' => [
'subscription_id' => $polarSubscription['id'],
],
];
}
// Parse dates from Polar response
$pausedAt = null;
if (isset($polarSubscription['paused_at'])) {
$pausedAt = \Carbon\Carbon::parse($polarSubscription['paused_at']);
}
// Update local subscription
$localSubscription->update([
'status' => 'paused',
'paused_at' => $pausedAt,
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'paused_at' => $pausedAt?->toISOString(),
'pause_reason' => $polarSubscription['pause_reason'] ?? null,
]),
]);
Log::info('Polar subscription paused', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'paused_at' => $pausedAt?->toISOString(),
]);
return [
'event_type' => 'subscription.paused',
'processed' => true,
'data' => [
'subscription_id' => $polarSubscription['id'],
'local_subscription_id' => $localSubscription->id,
'paused_at' => $pausedAt?->toISOString(),
],
];
}
protected function handleSubscriptionResumed(array $webhookData): array
{
$polarSubscription = $webhookData['data'];
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if (! $localSubscription) {
Log::warning('Polar resumed webhook: subscription not found', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
return [
'event_type' => 'subscription.resumed',
'processed' => false,
'error' => 'Subscription not found',
'data' => [
'subscription_id' => $polarSubscription['id'],
],
];
}
// Parse dates from Polar response
$resumedAt = null;
if (isset($polarSubscription['resumed_at'])) {
$resumedAt = \Carbon\Carbon::parse($polarSubscription['resumed_at']);
}
// Handle current_period_start/end for resumed subscription
$startsAt = null;
$endsAt = null;
if (isset($polarSubscription['current_period_start'])) {
$startsAt = \Carbon\Carbon::parse($polarSubscription['current_period_start']);
}
if (isset($polarSubscription['current_period_end'])) {
$endsAt = \Carbon\Carbon::parse($polarSubscription['current_period_end']);
}
// Update local subscription
$localSubscription->update([
'status' => 'active',
'resumed_at' => $resumedAt,
'starts_at' => $startsAt,
'ends_at' => $endsAt,
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'resumed_at' => $resumedAt?->toISOString(),
'resume_reason' => $polarSubscription['resume_reason'] ?? null,
]),
]);
Log::info('Polar subscription resumed', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'resumed_at' => $resumedAt?->toISOString(),
]);
return [
'event_type' => 'subscription.resumed',
'processed' => true,
'data' => [
'subscription_id' => $polarSubscription['id'],
'local_subscription_id' => $localSubscription->id,
'resumed_at' => $resumedAt?->toISOString(),
],
];
}
protected function handleSubscriptionTrialWillEnd(array $webhookData): array
{
$polarSubscription = $webhookData['data'];
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if (! $localSubscription) {
Log::warning('Polar trial_will_end webhook: subscription not found', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
return [
'event_type' => 'subscription.trial_will_end',
'processed' => false,
'error' => 'Subscription not found',
'data' => [
'subscription_id' => $polarSubscription['id'],
],
];
}
// Parse trial end date from Polar response
$trialEndsAt = null;
if (isset($polarSubscription['trial_ends_at'])) {
$trialEndsAt = \Carbon\Carbon::parse($polarSubscription['trial_ends_at']);
}
// Update local subscription with trial information
$localSubscription->update([
'trial_ends_at' => $trialEndsAt,
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'trial_will_end_sent_at' => now()->toISOString(),
'trial_ends_at' => $trialEndsAt?->toISOString(),
]),
]);
Log::info('Polar subscription trial will end soon', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'trial_ends_at' => $trialEndsAt?->toISOString(),
]);
return [
'event_type' => 'subscription.trial_will_end',
'processed' => true,
'data' => [
'subscription_id' => $polarSubscription['id'],
'local_subscription_id' => $localSubscription->id,
'trial_ends_at' => $trialEndsAt?->toISOString(),
],
];
}
protected function handleSubscriptionTrialEnded(array $webhookData): array
{
$polarSubscription = $webhookData['data'];
$localSubscription = $this->findSubscriptionByPolarId(
$polarSubscription['id'],
$polarSubscription['checkout_id'] ?? null
);
if (! $localSubscription) {
Log::warning('Polar trial_ended webhook: subscription not found', [
'polar_subscription_id' => $polarSubscription['id'],
'checkout_id' => $polarSubscription['checkout_id'] ?? null,
]);
return [
'event_type' => 'subscription.trial_ended',
'processed' => false,
'error' => 'Subscription not found',
'data' => [
'subscription_id' => $polarSubscription['id'],
],
];
}
// Parse dates from Polar response
$trialEndedAt = null;
if (isset($polarSubscription['trial_ended_at'])) {
$trialEndedAt = \Carbon\Carbon::parse($polarSubscription['trial_ended_at']);
}
// Handle current_period_start/end for converted subscription
$startsAt = null;
$endsAt = null;
if (isset($polarSubscription['current_period_start'])) {
$startsAt = \Carbon\Carbon::parse($polarSubscription['current_period_start']);
}
if (isset($polarSubscription['current_period_end'])) {
$endsAt = \Carbon\Carbon::parse($polarSubscription['current_period_end']);
}
// Update local subscription - trial has ended, convert to active or handle accordingly
$localSubscription->update([
'status' => $polarSubscription['status'] ?? 'active', // Usually becomes active
'trial_ends_at' => now(), // Mark trial as ended
'starts_at' => $startsAt,
'ends_at' => $endsAt,
'provider_data' => array_merge($localSubscription->provider_data ?? [], [
'polar_subscription' => $polarSubscription,
'trial_ended_at' => $trialEndedAt?->toISOString(),
'trial_converted_to' => $polarSubscription['status'] ?? 'active',
]),
]);
Log::info('Polar subscription trial ended', [
'local_subscription_id' => $localSubscription->id,
'polar_subscription_id' => $polarSubscription['id'],
'trial_ended_at' => $trialEndedAt?->toISOString(),
'new_status' => $polarSubscription['status'] ?? 'active',
]);
return [
'event_type' => 'subscription.trial_ended',
'processed' => true,
'data' => [
'subscription_id' => $polarSubscription['id'],
'local_subscription_id' => $localSubscription->id,
'trial_ended_at' => $trialEndedAt?->toISOString(),
'new_status' => $polarSubscription['status'] ?? 'active',
],
];
}
protected function handleCustomerStateChanged(array $webhookData): array
{
$customer = $webhookData['data']['object'];
$customer = $webhookData['data'];
// Update all subscriptions for this customer
Subscription::whereHas('user', function ($query) use ($customer) {
$query->where('email', $customer['email']);
})->where('provider', 'polar')->get()->each(function ($subscription) use ($customer) {
$subscription->update([
'provider_data' => array_merge($subscription->provider_data ?? [], [
'customer_state' => $customer['state'],
'customer_updated_at' => now()->toISOString(),
]),
Log::info('Processing Polar customer state changed webhook', [
'customer_id' => $customer['id'],
'customer_email' => $customer['email'],
'external_id' => $customer['external_id'] ?? null,
'active_subscriptions_count' => count($customer['active_subscriptions'] ?? []),
]);
// Find user by external_id or email
$user = null;
if (! empty($customer['external_id'])) {
$user = \App\Models\User::where('id', $customer['external_id'])->first();
}
if (! $user) {
$user = \App\Models\User::where('email', $customer['email'])->first();
}
if (! $user) {
Log::warning('Customer state changed: User not found', [
'customer_email' => $customer['email'],
'external_id' => $customer['external_id'] ?? null,
]);
});
return [
'event_type' => 'customer.state_changed',
'processed' => false,
'data' => [
'error' => 'User not found',
'customer_email' => $customer['email'],
],
];
}
// Update user's Polar customer ID if needed
if (empty($user->polar_cust_id) || $user->polar_cust_id !== $customer['id']) {
$user->update(['polar_cust_id' => $customer['id']]);
Log::info('Updated user Polar customer ID', [
'user_id' => $user->id,
'polar_cust_id' => $customer['id'],
]);
}
// Process active subscriptions from the webhook
$processedSubscriptions = 0;
foreach ($customer['active_subscriptions'] ?? [] as $activeSub) {
$subscription = Subscription::where('user_id', $user->id)
->where('provider', 'polar')
->where(function ($query) use ($activeSub) {
$query->where('provider_subscription_id', $activeSub['id'])
->orWhere('provider_checkout_id', $activeSub['id']);
})
->first();
if ($subscription) {
// Update subscription with latest data from Polar
$subscription->update([
'provider_subscription_id' => $activeSub['id'],
'status' => $activeSub['status'],
'starts_at' => $activeSub['started_at'] ? \Carbon\Carbon::parse($activeSub['started_at']) : null,
'ends_at' => $activeSub['ends_at'] ? \Carbon\Carbon::parse($activeSub['ends_at']) : null,
'cancelled_at' => $activeSub['canceled_at'] ? \Carbon\Carbon::parse($activeSub['canceled_at']) : null,
'provider_data' => array_merge($subscription->provider_data ?? [], [
'customer_state_changed_at' => now()->toISOString(),
'polar_subscription_data' => $activeSub,
'customer_metadata' => $customer['metadata'] ?? [],
]),
]);
$processedSubscriptions++;
Log::info('Updated subscription from customer state changed', [
'subscription_id' => $subscription->id,
'polar_subscription_id' => $activeSub['id'],
'status' => $activeSub['status'],
]);
} else {
Log::info('Active subscription not found in local database', [
'user_id' => $user->id,
'polar_subscription_id' => $activeSub['id'],
'status' => $activeSub['status'],
]);
}
}
return [
'event_type' => 'customer.state_changed',
'processed' => true,
'data' => [
'customer_id' => $customer['id'],
'state' => $customer['state'],
'user_id' => $user->id,
'processed_subscriptions' => $processedSubscriptions,
'active_subscriptions_count' => count($customer['active_subscriptions'] ?? []),
],
];
}
@@ -1599,4 +2160,78 @@ class PolarProvider implements PaymentProviderContract
// Add field context
return "The {$field} {$sanitized}";
}
/**
* Check if webhook has already been processed
*/
protected function isWebhookProcessed(string $webhookId): bool
{
return cache()->has("polar_webhook_processed_{$webhookId}");
}
/**
* Mark webhook as processed to prevent duplicate processing
*/
protected function markWebhookAsProcessed(string $webhookId, string $eventType, array $result): void
{
// Store webhook processing record for 24 hours
cache()->put("polar_webhook_processed_{$webhookId}", [
'webhook_id' => $webhookId,
'event_type' => $eventType,
'processed_at' => now()->toISOString(),
'result' => $result,
], now()->addHours(24));
Log::info('Polar webhook marked as processed', [
'webhook_id' => $webhookId,
'event_type' => $eventType,
'processed_at' => now()->toISOString(),
]);
}
/**
* Find subscription by Polar subscription ID or checkout ID
*/
protected function findSubscriptionByPolarId(string $polarSubscriptionId, ?string $checkoutId = null): ?Subscription
{
$query = Subscription::where('provider', 'polar');
// First try by subscription ID
$subscription = $query->where('provider_subscription_id', $polarSubscriptionId)->first();
// If not found and checkout ID is provided, try by checkout ID
if (! $subscription && $checkoutId) {
$subscription = Subscription::where('provider', 'polar')
->where('provider_checkout_id', $checkoutId)
->first();
// If found by checkout ID, update the subscription with the actual subscription ID
if ($subscription) {
$subscription->update(['provider_subscription_id' => $polarSubscriptionId]);
Log::info('Updated subscription with Polar subscription ID', [
'subscription_id' => $subscription->id,
'checkout_id' => $checkoutId,
'provider_subscription_id' => $polarSubscriptionId,
]);
}
}
return $subscription;
}
/**
* Get webhook processing statistics
*/
public function getWebhookStats(): array
{
// This could be enhanced to use a database table for more permanent stats
$stats = [
'total_processed' => 0,
'recent_processed' => 0,
'error_rate' => 0,
];
// For now, return basic stats - could be expanded with database tracking
return $stats;
}
}

135
app/Services/Webhooks/StandardWebhooks.php Normal file
View File

@@ -0,0 +1,135 @@
<?php
namespace App\Services\Webhooks;
class StandardWebhooks
{
private const SECRET_PREFIX = 'whsec_';
private const TOLERANCE = 5 * 60; // 5 minutes
private $secret;
public function __construct(string $secret)
{
if (substr($secret, 0, strlen(self::SECRET_PREFIX)) === self::SECRET_PREFIX) {
$secret = substr($secret, strlen(self::SECRET_PREFIX));
}
// The secret should be base64 decoded for HMAC operations
$this->secret = base64_decode($secret);
}
/**
* Create a webhook instance from a raw secret (no base64 decoding)
*/
public static function fromRaw(string $secret): self
{
$obj = new self('');
$obj->secret = $secret;
return $obj;
}
/**
* Verify webhook signature and return decoded payload
*/
public function verify(string $payload, array $headers): array
{
// Check for required headers
if (
! isset($headers['webhook-id']) &&
! isset($headers['webhook-timestamp']) &&
! isset($headers['webhook-signature'])
) {
throw new WebhookVerificationException('Missing required headers');
}
$msgId = $headers['webhook-id'] ?? null;
$msgTimestamp = $headers['webhook-timestamp'] ?? null;
$msgSignature = $headers['webhook-signature'] ?? null;
if (! $msgId || ! $msgTimestamp || ! $msgSignature) {
throw new WebhookVerificationException('Missing required headers');
}
// Verify timestamp is within tolerance
$timestamp = $this->verifyTimestamp($msgTimestamp);
// Generate expected signature
$signature = $this->sign($msgId, $timestamp, $payload);
$expectedSignature = explode(',', $signature, 2)[1];
// Check all provided signatures
$passedSignatures = explode(' ', $msgSignature);
foreach ($passedSignatures as $versionedSignature) {
$sigParts = explode(',', $versionedSignature, 2);
if (count($sigParts) < 2) {
continue;
}
$version = $sigParts[0];
$passedSignature = $sigParts[1];
if (strcmp($version, 'v1') !== 0) {
continue;
}
if (hash_equals($expectedSignature, $passedSignature)) {
return json_decode($payload, true) ?? [];
}
}
throw new WebhookVerificationException('No matching signature found');
}
/**
* Generate webhook signature
*/
public function sign(string $msgId, int $timestamp, string $payload): string
{
$timestamp = (string) $timestamp;
if (! $this->isPositiveInteger($timestamp)) {
throw new WebhookSigningException('Invalid timestamp');
}
$toSign = "{$msgId}.{$timestamp}.{$payload}";
$hexHash = hash_hmac('sha256', $toSign, $this->secret);
$signature = base64_encode(pack('H*', $hexHash));
return "v1,{$signature}";
}
/**
* Verify timestamp is within acceptable tolerance
*/
private function verifyTimestamp(string $timestampHeader): int
{
$now = time();
try {
$timestamp = intval($timestampHeader, 10);
} catch (\Exception $e) {
throw new WebhookVerificationException('Invalid Signature Headers');
}
if ($timestamp < ($now - self::TOLERANCE)) {
throw new WebhookVerificationException('Message timestamp too old');
}
if ($timestamp > ($now + self::TOLERANCE)) {
throw new WebhookVerificationException('Message timestamp too new');
}
return $timestamp;
}
/**
* Check if value is a positive integer
*/
private function isPositiveInteger(string $value): bool
{
return is_numeric($value) && ! is_float($value + 0) && (int) $value == $value && (int) $value > 0;
}
}

32
app/Services/Webhooks/WebhookFactory.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
namespace App\Services\Webhooks;
class WebhookFactory
{
/**
* Create a Standard Webhooks validator for Polar
*/
public static function createPolar(string $secret): StandardWebhooks
{
// Polar uses raw secret, so we use fromRaw() method
return StandardWebhooks::fromRaw($secret);
}
/**
* Create a Standard Webhooks validator for Stripe
*/
public static function createStripe(string $secret): StandardWebhooks
{
// Stripe typically uses whsec_ prefix
return new StandardWebhooks($secret);
}
/**
* Create a Standard Webhooks validator for generic providers
*/
public static function create(string $secret, bool $isRaw = false): StandardWebhooks
{
return $isRaw ? StandardWebhooks::fromRaw($secret) : new StandardWebhooks($secret);
}
}

13
app/Services/Webhooks/WebhookSigningException.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
namespace App\Services\Webhooks;
use Exception;
class WebhookSigningException extends Exception
{
public function __construct($message, $code = 0, ?\Throwable $previous = null)
{
parent::__construct($message, $code, $previous);
}
}

13
app/Services/Webhooks/WebhookVerificationException.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
namespace App\Services\Webhooks;
use Exception;
class WebhookVerificationException extends Exception
{
public function __construct($message, $code = 0, ?\Throwable $previous = null)
{
parent::__construct($message, $code, $previous);
}
}