admin/zemailnator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(payments): implement standard webhooks validation system

Browse Source 
Add comprehensive webhook validation and processing system with Polar.sh integration:

  - Create built-in Standard Webhooks package following official specification
  - Implement HMAC-SHA256 signature validation with base64 encoding
  - Add webhook factory for multi-provider support (Polar, Stripe, generic)
  - Replace custom Polar webhook validation with Standard Webhooks implementation
  - Add proper exception handling with custom WebhookVerificationException
  - Support sandbox mode bypass for development environments
  - Update Polar provider to use database-driven configuration
  - Enhance webhook test suite with proper Standard Webhooks format
  - Add PaymentProvider model HasFactory trait for testing
  - Implement timestamp tolerance checking (±5 minutes) for replay protection
  - Support multiple signature versions and proper header validation

  This provides a secure, reusable webhook validation system that can be extended
  to other payment providers while maintaining full compliance with Standard
  Webhooks specification.

  BREAKING CHANGE: Polar webhook validation now uses Standard Webhooks format
  with headers 'webhook-id', 'webhook-timestamp', 'webhook-signature' instead of
  previous Polar-specific headers.
This commit is contained in:
idevakk
2025-12-06 22:49:54 -08:00
parent 15e018eb88
commit 289baa1286
13 changed files with 1955 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
bootstrap/app.php
View File

@@ -2,6 +2,7 @@
use App\Http\Middleware\ImpersonationMiddleware;
use App\Http\Middleware\Locale;
use App\Http\Middleware\WebhookRateLimit;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
@@ -20,10 +21,12 @@ return Application::configure(basePath: dirname(__DIR__))
]);
$middleware->alias([
'impersonation' => ImpersonationMiddleware::class,
'webhook.rate_limit' => WebhookRateLimit::class,
]);
$middleware->validateCsrfTokens(except: [
'stripe/*',
'webhook/oxapay',
'webhook/*', // All webhook endpoints bypass CSRF
]);
})
->withExceptions(function (Exceptions $exceptions): void {