DEV Community: Jon Galarraga The latest articles on DEV Community by Jon Galarraga (@jongalarraga). https://dev.to/jongalarraga https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3999306%2F5759defe-18b8-44c7-9edd-276adf89f5fe.png DEV Community: Jon Galarraga https://dev.to/jongalarraga en The subscription bugs that quietly let SaaS users keep access for free Jon Galarraga Tue, 23 Jun 2026 19:42:28 +0000 https://dev.to/jongalarraga/the-subscription-bugs-that-quietly-let-saas-users-keep-access-for-free-mm0 https://dev.to/jongalarraga/the-subscription-bugs-that-quietly-let-saas-users-keep-access-for-free-mm0 <p>My first teardown was about one-time checkouts — the <code>/checkout</code> route bugs that show up<br> right before launch. This one is about the thing that bites a month <em>later</em>: subscriptions.</p> <p>One-time payments fail loudly. Subscriptions fail quietly. The charge that doesn't happen,<br> the cancellation that doesn't revoke access, the trial that never ends — none of it throws<br> an error. You find out when you read your Stripe dashboard and your app's user table and<br> notice they disagree. By then a chunk of your "active" users have been using the product<br> for free for weeks.</p> <p>Here are the recurring-billing bugs I find in almost every pre-launch SaaS, with the bad<br> version and the fix. If you're wiring up Stripe Billing, read it with your subscription<br> code open.</p> <h2> 1. Granting access on payment, but never taking it away </h2> <p>This is the big one. You handle <code>checkout.session.completed</code>, flip a flag, and ship.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// the only handler that exists</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">checkout.session.completed</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">isPro</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> </code></pre> </div> <p><code>isPro: true</code> goes in. Nothing ever sets it back to <code>false</code>. The user cancels, their card<br> expires, they dispute the charge — and they stay Pro forever, because the only event you<br> listened for was the happy one.</p> <p>Access has to track the <em>current</em> subscription state, not the moment money first arrived.<br> At minimum you also handle the events that end access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">case</span> <span class="dl">'</span><span class="s1">customer.subscription.deleted</span><span class="dl">'</span><span class="p">:</span> <span class="c1">// canceled / ended</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">customer.subscription.updated</span><span class="dl">'</span><span class="p">:</span> <span class="c1">// could be past_due, unpaid, paused</span> <span class="kd">const</span> <span class="nx">sub</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">object</span> <span class="kd">const</span> <span class="nx">active</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trialing</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">sub</span><span class="p">.</span><span class="nx">status</span><span class="p">)</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">stripeCustomerId</span><span class="p">:</span> <span class="nx">sub</span><span class="p">.</span><span class="nx">customer</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">isPro</span><span class="p">:</span> <span class="nx">active</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p>The rule: every grant needs a revoke on the same key.</p> <h2> 2. Storing a boolean instead of syncing the real status </h2> <p><code>isPro: true/false</code> feels clean, but a subscription isn't a boolean. Stripe has at least<br> seven states — <code>trialing</code>, <code>active</code>, <code>past_due</code>, <code>canceled</code>, <code>unpaid</code>, <code>paused</code>,<br> <code>incomplete</code> — and your access rules differ across them. A user who is <code>past_due</code> should<br> probably keep access for a few days while dunning retries; a user who is <code>canceled</code> should<br> not.</p> <p>Store the actual status and the period end, and let your access check read them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// what you persist from the webhook</span> <span class="p">{</span> <span class="nl">stripeStatus</span><span class="p">:</span> <span class="nx">sub</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="nx">currentPeriodEnd</span><span class="p">:</span> <span class="nx">sub</span><span class="p">.</span><span class="nx">current_period_end</span> <span class="p">}</span> <span class="c1">// the access check, in one place</span> <span class="kd">function</span> <span class="nf">hasAccess</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">trialing</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">stripeStatus</span><span class="p">))</span> <span class="k">return</span> <span class="kc">true</span> <span class="c1">// grace window: still in the paid period you already billed for</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">stripeStatus</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">past_due</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">currentPeriodEnd</span> <span class="o">&gt;</span> <span class="nf">now</span><span class="p">())</span> <span class="k">return</span> <span class="kc">true</span> <span class="k">return</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>When in doubt, Stripe is the source of truth — your database is a cache of it.</p> <h2> 3. The trial that never actually ends </h2> <p>Free trials are where access logic goes to die. Two common shapes, both broken:</p> <ul> <li>You start a trial with no payment method on file, so when it ends there's nothing to charge — the subscription goes <code>incomplete</code> and the user just... keeps the trial UI.</li> <li>You compute "is the trial over?" on the client, or off a <code>trialEndsAt</code> you set once and never reconcile with Stripe.</li> </ul> <p>Let Stripe run the trial and tell you when it converts or fails:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">customer</span><span class="p">,</span> <span class="na">items</span><span class="p">:</span> <span class="p">[{</span> <span class="nx">price</span> <span class="p">}],</span> <span class="na">trial_period_days</span><span class="p">:</span> <span class="mi">14</span><span class="p">,</span> <span class="c1">// force a decision at trial end instead of a silent dangling sub</span> <span class="na">trial_settings</span><span class="p">:</span> <span class="p">{</span> <span class="na">end_behavior</span><span class="p">:</span> <span class="p">{</span> <span class="na">missing_payment_method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">cancel</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </div> <p>Then drive access off the webhook status (#2), not a date you stored at signup.</p> <h2> 4. No handler for <code>invoice.payment_failed</code> </h2> <p>A renewal fails — expired card, insufficient funds, a bank decline. If you don't listen<br> for it, one of two things happens: the user silently keeps full access while paying you<br> nothing, or (worse, if you <em>did</em> wire up a revoke) they get kicked out mid-month with no<br> warning and no idea why. Both are bad. Both are invisible until someone complains.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">case</span> <span class="dl">'</span><span class="s1">invoice.payment_failed</span><span class="dl">'</span><span class="p">:</span> <span class="c1">// don't cut them off on attempt 1 — Stripe will retry on your dunning schedule</span> <span class="k">await</span> <span class="nf">notifyUser</span><span class="p">(</span><span class="nx">customer</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Your payment didn</span><span class="dl">'</span><span class="nx">t</span> <span class="nx">go</span> <span class="nx">through</span> <span class="err">—</span> <span class="nx">update</span> <span class="nx">your</span> <span class="nx">card</span><span class="dl">'</span><span class="s1">) // access is governed by subscription.status (now </span><span class="dl">'</span><span class="nx">past_due</span><span class="dl">'</span><span class="s1">), per #2 </span></code></pre> </div> <p>Turn on Stripe's automatic retries (Smart Retries) and a couple of dunning emails. Most<br> "failed" payments succeed on retry once the customer updates their card — but only if you<br> gave them the chance.</p> <h2> 5. Plan changes with no proration logic </h2> <p>User upgrades from $9 to $29 mid-cycle. What do they pay today? If your "change plan"<br> button just creates a new subscription, you've now got two active subscriptions billing<br> the same customer. If it swaps the price with no proration setting, the behavior is<br> whatever the default happens to be — which is rarely what you'd have chosen.</p> <p>Update the existing subscription item and be explicit about proration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">subscriptions</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">subId</span><span class="p">,</span> <span class="p">{</span> <span class="na">items</span><span class="p">:</span> <span class="p">[{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">itemId</span><span class="p">,</span> <span class="na">price</span><span class="p">:</span> <span class="nx">newPrice</span> <span class="p">}],</span> <span class="na">proration_behavior</span><span class="p">:</span> <span class="dl">'</span><span class="s1">create_prorations</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// charge/credit the difference now</span> <span class="p">})</span> </code></pre> </div> <p>One subscription per customer, one explicit proration decision. Test the downgrade path<br> too — that's the one that quietly hands out credits you didn't mean to give.</p> <h2> 6. Webhooks that aren't idempotent or ordered </h2> <p>Stripe sends events at-least-once, and not always in the order you'd expect. The same<br> <code>subscription.updated</code> can arrive twice; a <code>deleted</code> can land before a late <code>updated</code>. If<br> your handler isn't idempotent, a duplicate flips state back and forth. If you trust<br> ordering, a stale event overwrites a newer one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// idempotency: ignore events you've already processed</span> <span class="k">if </span><span class="p">(</span><span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">processedEvent</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">id</span><span class="p">))</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">sendStatus</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> <span class="c1">// ordering: only apply if this event is newer than what you have</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">object</span><span class="p">.</span><span class="nx">created</span> <span class="o">&lt;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastEventAt</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">sendStatus</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span> </code></pre> </div> <p>Record the event ID, gate on a timestamp, and reconcile against the Stripe object when in<br> doubt. (And verify the webhook signature on the raw body — that's bug #4 from the first<br> teardown, and it applies here too.)</p> <h2> The 5-minute subscription self-check </h2> <ol> <li>When a user cancels or their card fails, does anything actually revoke their access?</li> <li>Is access driven by the live subscription <em>status</em>, or a boolean you set once at signup?</li> <li>Can a trial end with no payment method and leave the user in limbo?</li> <li>Do you have a handler for <code>invoice.payment_failed</code> — and does it warn the user before cutting them off?</li> <li>If a <code>subscription.updated</code> event arrives twice, or out of order, does your state stay correct?</li> </ol> <p>If any of those makes you pause, that's the one to fix before you turn on billing.</p> <p>I do fixed-scope pre-launch payment reviews for small SaaS teams: I map your checkout and<br> billing flow, find the launch-blockers, and send back a prioritized fix list — no code<br> changes, just findings you can act on. The checklist and example code I work from is open<br> here: <strong>github.com/galakurpi/stripe-prelaunch-security-checklist</strong></p> <p>If you're about to switch billing on and want a second set of eyes, I'll do a free<br> 5-minute look at your flow first so you can see how I work before paying for anything.<br> Happy to answer Stripe Billing questions in the comments.</p> stripe saas webdev payments The 7 Stripe bugs I find in almost every pre-launch checkout Jon Galarraga Tue, 23 Jun 2026 18:58:49 +0000 https://dev.to/jongalarraga/the-7-stripe-bugs-i-find-in-almost-every-pre-launch-checkout-35j9 https://dev.to/jongalarraga/the-7-stripe-bugs-i-find-in-almost-every-pre-launch-checkout-35j9 <p>I do pre-launch payment reviews for small SaaS teams — the quick pass you want before<br> real cards start hitting your <code>/checkout</code> route. Different stacks, different teams, but<br> the same handful of bugs show up over and over. None of them are exotic. All of them are<br> the kind of thing that's fine in a demo and quietly expensive once you're live.</p> <p>Here's the list I check first, with the bad version and the fix. If your checkout is<br> about to go live, read it with your own code open in the other window.</p> <h2> 1. Trusting the amount the browser sends you </h2> <p>This is the big one, and it's everywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// client</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/checkout</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">priceId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pro</span><span class="dl">'</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">4900</span> <span class="p">})</span> <span class="c1">// &lt;-- attacker controls this</span> <span class="p">})</span> <span class="c1">// server</span> <span class="kd">const</span> <span class="nx">intent</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">paymentIntents</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">amount</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">amount</span><span class="p">,</span> <span class="c1">// straight from the request</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>Anyone can open devtools and change <code>amount</code> to <code>1</code>. The fix is boring and absolute:<br> the server decides the price. The client is allowed to say <em>which</em> product, never <em>how<br> much</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">PRICES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">pro</span><span class="p">:</span> <span class="mi">4900</span><span class="p">,</span> <span class="na">team</span><span class="p">:</span> <span class="mi">9900</span> <span class="p">}</span> <span class="c1">// cents, server-side source of truth</span> <span class="kd">const</span> <span class="nx">amount</span> <span class="o">=</span> <span class="nx">PRICES</span><span class="p">[</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">plan</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">amount</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">unknown plan</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">intent</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">paymentIntents</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">amount</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <p>If your prices live in a database or a config table, look them up by ID server-side.<br> Never let a number from the request reach <code>paymentIntents.create</code>.</p> <h2> 2. No idempotency key, so a retry double-charges </h2> <p>Mobile users tap twice. Networks drop the response after the charge succeeds. Your own<br> frontend retries on timeout. Without an idempotency key, each of those creates a brand<br> new charge.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// one tap, one network hiccup, two charges</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">paymentIntents</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">amount</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <p>Stripe gives you the fix for free — pass a key tied to the <em>thing being paid for</em>, not<br> a random value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">paymentIntents</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="p">{</span> <span class="nx">amount</span><span class="p">,</span> <span class="na">currency</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usd</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">idempotencyKey</span><span class="p">:</span> <span class="s2">`order_</span><span class="p">${</span><span class="nx">orderId</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p>Same key, same logical operation, at most one charge. Use the order/cart ID, not<br> <code>crypto.randomUUID()</code> — a fresh UUID on every retry defeats the entire point.</p> <h2> 3. Fulfilling the order before the payment actually settles </h2> <p>The classic race. You create the PaymentIntent, the client says "looks good," and you<br> immediately mark the order paid, send the welcome email, and provision the account —<br> while the charge is still <code>processing</code> and might fail.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">intent</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">paymentIntents</span><span class="p">.</span><span class="nf">create</span><span class="p">(...)</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nf">markPaid</span><span class="p">(</span><span class="nx">orderId</span><span class="p">)</span> <span class="c1">// too early</span> <span class="k">await</span> <span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="c1">// way too early</span> </code></pre> </div> <p>Payment confirmation is asynchronous. The only thing that should flip an order to "paid"<br> is the <code>payment_intent.succeeded</code> webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// webhook handler</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">payment_intent.succeeded</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">orderId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">object</span><span class="p">.</span><span class="nx">metadata</span><span class="p">.</span><span class="nx">orderId</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nf">markPaid</span><span class="p">(</span><span class="nx">orderId</span><span class="p">)</span> <span class="c1">// now it's real</span> <span class="k">await</span> <span class="nf">sendWelcomeEmail</span><span class="p">(...)</span> <span class="p">}</span> </code></pre> </div> <p>Put <code>orderId</code> in the PaymentIntent <code>metadata</code> when you create it so the webhook can find<br> its way back. If you're giving access before the webhook fires, you're giving away<br> product to failed payments.</p> <h2> 4. The webhook endpoint that trusts anyone </h2> <p>A webhook that doesn't verify the signature is an open <code>POST</code> that flips orders to paid.<br> Anyone who finds the URL can fake a <code>payment_intent.succeeded</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// no verification — anyone can forge this</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">payment_intent.succeeded</span><span class="dl">'</span><span class="p">)</span> <span class="nf">grantAccess</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Verify with the signing secret, and verify against the <strong>raw</strong> body (parsing to JSON<br> first breaks the signature):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/webhook</span><span class="dl">'</span><span class="p">,</span> <span class="nx">express</span><span class="p">.</span><span class="nf">raw</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">event</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">event</span> <span class="o">=</span> <span class="nx">stripe</span><span class="p">.</span><span class="nx">webhooks</span><span class="p">.</span><span class="nf">constructEvent</span><span class="p">(</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">stripe-signature</span><span class="dl">'</span><span class="p">],</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_WEBHOOK_SECRET</span> <span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">bad signature</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// event is now trustworthy</span> <span class="p">})</span> </code></pre> </div> <h2> 5. Live keys committed to the repo </h2> <p>I find <code>sk_live_…</code> in a committed <code>.env</code>, in a config file, or in the git history more<br> often than you'd want to believe. Once it's in a commit, deleting the file doesn't help —<br> it's in the history forever, and anyone who clones the repo has your money keys.</p> <p>Check before you ship:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git log <span class="nt">-p</span> | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'sk_live_|whsec_|sk_test_'</span> </code></pre> </div> <p>If anything turns up: rotate the key in the Stripe dashboard immediately (rotating beats<br> scrubbing — assume it's compromised), then purge it from history with <code>git filter-repo</code>.<br> Secrets belong in the environment, never in the tree.</p> <h2> 6. Discounts and coupons computed on the client </h2> <p>Same disease as #1, second location. If the discount is applied in the browser, the<br> discount is whatever the user wants it to be.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// client</span> <span class="kd">const</span> <span class="nx">final</span> <span class="o">=</span> <span class="nx">price</span> <span class="o">*</span> <span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="nx">couponPercent</span><span class="p">)</span> <span class="c1">// user sets couponPercent to 1.0</span> </code></pre> </div> <p>Validate the coupon server-side, against your own records, and compute the final amount<br> there:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">coupon</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">coupons</span><span class="p">.</span><span class="nf">findValid</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="c1">// null if expired/fake/used</span> <span class="kd">const</span> <span class="nx">amount</span> <span class="o">=</span> <span class="nx">coupon</span> <span class="p">?</span> <span class="nx">base</span> <span class="o">-</span> <span class="nx">coupon</span><span class="p">.</span><span class="nx">discountCents</span> <span class="p">:</span> <span class="nx">base</span> </code></pre> </div> <p>A free-money coupon bug is the kind of thing that doesn't show up until someone posts<br> the trick on a forum.</p> <h2> 7. Payment-status and admin endpoints with no row-level authorization </h2> <p>The checkout itself is locked down, and then <code>/api/orders/:id</code> returns anyone's order if<br> you change the number in the URL. Receipts, emails, partial card details, addresses —<br> straight out the side door.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// returns ANY order, not just the caller's</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/orders/:id</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">))</span> <span class="p">})</span> </code></pre> </div> <p>Scope every read to the authenticated user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/orders/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">requireAuth</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">order</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">orders</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">order</span><span class="p">)</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">end</span><span class="p">()</span> <span class="c1">// 404, don't confirm it exists</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">order</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>The same hole shows up on admin/payment-status pages that check "is logged in" but not<br> "is allowed to see <em>this</em> record." Authentication is not authorization.</p> <h2> The 10-minute self-check before you launch </h2> <ol> <li>Can I change the price in devtools and pay less? (#1, #6)</li> <li>Does a double-tap or a retry create two charges? (#2)</li> <li>Does anything get fulfilled before the webhook confirms payment? (#3)</li> <li>Does my webhook verify the Stripe signature on the raw body? (#4)</li> <li>Is there a live key anywhere in my git history? (#5)</li> <li>Can I read someone else's order by changing the ID in the URL? (#7)</li> </ol> <p>If any answer makes you wince, fix that one first.</p> <p>I run this as a fixed-scope pre-launch scan: I map your checkout flow, find the<br> launch-blockers, and send a prioritized fix list — no code changes, just findings you can<br> act on. The checklist and example code I work from is open here:<br> <strong>github.com/galakurpi/stripe-prelaunch-security-checklist</strong></p> <p>If you're about to go live and want a second set of eyes, I'll do a free 5-minute look at<br> your checkout first so you can see how I work before paying for anything. Happy to answer<br> Stripe questions in the comments too.</p> stripe webdev security