From b2b263020274fc0bfe80e038970aee48221b1d96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Manciot?=
Date: Thu, 18 Jun 2026 22:01:49 +0200
Subject: [PATCH] fix(audit): prevent deletion of webhook endpoint to maintain client associations and update secret if changed
---
 .../payment/config/StripeApi.scala | 79 ++++++++++---------
 1 file changed, 40 insertions(+), 39 deletions(-)
diff --git a/stripe/src/main/scala/app/softnetwork/payment/config/StripeApi.scala b/stripe/src/main/scala/app/softnetwork/payment/config/StripeApi.scala
index ea4203c..b30ceb6 100644
--- a/stripe/src/main/scala/app/softnetwork/payment/config/StripeApi.scala
+++ b/stripe/src/main/scala/app/softnetwork/payment/config/StripeApi.scala
@@ -160,47 +160,48 @@ object StripeApi {
 log.info(s"Webhook endpoint found: ${webhookEndpoint.getId}")
 loadSecret(hash) match {
 case None =>
- Try(webhookEndpoint.delete(requestOptions))
+ // Not deleting the webhook endpoint, as it may be used by other clients
+ // Try(webhookEndpoint.delete(requestOptions))
 None
- case value =>
- val url = s"${config.hooksBaseUrl}?hash=$hash"
+ case _ =>
 Try(
- webhookEndpoint.update(
- WebhookEndpointUpdateParams
- .builder()
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.ACCOUNT__UPDATED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.PERSON__UPDATED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.INVOICE__PAYMENT_SUCCEEDED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.INVOICE__PAYMENT_FAILED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__SUBSCRIPTION__DELETED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__SUBSCRIPTION__UPDATED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__UPDATED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.PAYMENT_METHOD__ATTACHED
- )
- .addEnabledEvent(
- WebhookEndpointUpdateParams.EnabledEvent.PAYMENT_METHOD__DETACHED
- )
- .setUrl(url)
- .build(),
- requestOptions
- )
- )
- value
+ webhookEndpoint
+ .update(
+ WebhookEndpointUpdateParams
+ .builder()
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.ACCOUNT__UPDATED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.PERSON__UPDATED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.INVOICE__PAYMENT_SUCCEEDED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.INVOICE__PAYMENT_FAILED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__SUBSCRIPTION__DELETED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__SUBSCRIPTION__UPDATED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.CUSTOMER__UPDATED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.PAYMENT_METHOD__ATTACHED
+ )
+ .addEnabledEvent(
+ WebhookEndpointUpdateParams.EnabledEvent.PAYMENT_METHOD__DETACHED
+ )
+ .setUrl(url)
+ .build(),
+ requestOptions
+ )
+ .getSecret // update secret if changed
+ ).toOption
 }
 case _ =>
 None
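Review bot: The `case _ =>` branch now returns `Try(webhookEndpoint.update(...).getSecret).toOption`, which discards the signing secret that `loadSecret(hash)` just found. As far as I know, Stripe returns an endpoint's secret only when the endpoint is created, so `getSecret` on the updated object is probably null and the branch would yield `Some(null)`; a failed update call yields `None` with nothing logged. Either result leaves webhook signature verification without a usable key, so I would keep the stored value as the fallback: bind it with `case stored =>` and end the expression with `).toOption.flatMap(Option(_)).orElse(stored)`, logging the `Failure` before it is dropped. Separately, `.setUrl(url)` stays while `val url = ...` is removed, so `url` has to be defined outside this hunk (the enclosing method starts and ends outside it), which is worth confirming.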