tenseleyflow/shithub / 5713625

+	"errors"

+// TestBillingWebhookRejectsBadSignature locks Agent A's untested

+// claim: a tampered/bad signature returns 400 and writes no row.

+// The real stripe-go signature check is exercised in production;

+// this test wires a fake VerifyWebhook that errors and asserts the

+// handler short-circuits cleanly.

+func TestBillingWebhookRejectsBadSignature(t *testing.T) {

+	t.Parallel()

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	ownerID := insertOrgAvatarUser(t, pool, "owner")

+	_ = insertOrgAvatarOrg(t, pool, ownerID, "acme")

+

+	fake := &fakeStripeRemote{

+		verifyWebhookFn: func(_ []byte, _ string) (stripeapi.Event, error) {

+			return stripeapi.Event{}, errors.New("bad signature")

+		},

+	}

+	mux := newOrgBillingMux(t, pool, ownerID, fake)

+	resp := postBillingWebhook(t, mux, "evt_will_be_rejected")

+	if resp.Code != http.StatusBadRequest {

+		t.Fatalf("bad-sig status=%d body=%s want 400", resp.Code, resp.Body.String())

+	}

+	// No receipt row should exist — signature failure short-circuits

+	// before RecordWebhookEvent runs.

+	var count int

+	if err := pool.QueryRow(ctx, `SELECT count(*) FROM billing_webhook_events`).Scan(&count); err != nil {

+		t.Fatalf("count receipts: %v", err)

+	}

+	if count != 0 {

+		t.Fatalf("bad-sig should not insert receipt row, got count=%d", count)

+	}

+}

+