`5713625`

orgs tests: bad-signature webhook is 400 and writes no receipt

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 5 hours ago

SHA: 57136252f18be54129996bd8201604ed33d9b7c8
Parents: 74a52ec
Tree: cb4c387

1 changed file

Status	File	+	-
M	`internal/web/handlers/orgs/billing_webhook_guard_test.go`	34	0

internal/web/handlers/orgs/billing_webhook_guard_test.gomodified

  import (
  	"context"
  	"encoding/json"
 +	"errors"
  	"net/http"
  	"strconv"
  	"strings"
+ 	}
+ }
 +// TestBillingWebhookRejectsBadSignature locks Agent A's untested
 +// claim: a tampered/bad signature returns 400 and writes no row.
 +// The real stripe-go signature check is exercised in production;
 +// this test wires a fake VerifyWebhook that errors and asserts the
 +// handler short-circuits cleanly.
 +func TestBillingWebhookRejectsBadSignature(t *testing.T) {
 +	t.Parallel()
 +	ctx := context.Background()
 +	pool := dbtest.NewTestDB(t)
 +	ownerID := insertOrgAvatarUser(t, pool, "owner")
 +	_ = insertOrgAvatarOrg(t, pool, ownerID, "acme")
++
 +	fake := &fakeStripeRemote{
 +		verifyWebhookFn: func(_ []byte, _ string) (stripeapi.Event, error) {
 +			return stripeapi.Event{}, errors.New("bad signature")
 +		},
 +	}
 +	mux := newOrgBillingMux(t, pool, ownerID, fake)
 +	resp := postBillingWebhook(t, mux, "evt_will_be_rejected")
 +	if resp.Code != http.StatusBadRequest {
 +		t.Fatalf("bad-sig status=%d body=%s want 400", resp.Code, resp.Body.String())
 +	}
 +	// No receipt row should exist — signature failure short-circuits
 +	// before RecordWebhookEvent runs.
 +	var count int
 +	if err := pool.QueryRow(ctx, `SELECT count(*) FROM billing_webhook_events`).Scan(&count); err != nil {
 +		t.Fatalf("count receipts: %v", err)
 +	}
 +	if count != 0 {
 +		t.Fatalf("bad-sig should not insert receipt row, got count=%d", count)
 +	}
 +}
++
  // TestBillingWebhookDropsStaleEvent locks PRO08 D4: a Stripe event
  // with `created` older than the persisted last_event_at must NOT
  // regress state. Pre-PRO08 a reverse-ordered retry could re-activate