chore: don't leak webhook errors · dunkirk.sh/thistle@d024a75

+20 -15

1 changed file

expand all

src

index.ts

+20 -15

src/index.ts

··· 1545 1545 }, 1546 1546 "/api/webhooks/polar": { 1547 1547 POST: async (req) => { 1548 - try { 1549 - const { validateEvent } = await import("@polar-sh/sdk/webhooks"); 1548 + const { validateEvent } = await import("@polar-sh/sdk/webhooks"); 1550 1549 1551 - // Get raw body as string 1552 - const rawBody = await req.text(); 1553 - const headers = Object.fromEntries(req.headers.entries()); 1550 + // Get raw body as string 1551 + const rawBody = await req.text(); 1552 + const headers = Object.fromEntries(req.headers.entries()); 1554 1553 1555 - // Validate webhook signature (validated at startup) 1556 - const webhookSecret = process.env.POLAR_WEBHOOK_SECRET as string; 1557 - const event = validateEvent(rawBody, headers, webhookSecret); 1554 + // Validate webhook signature (validated at startup) 1555 + const webhookSecret = process.env.POLAR_WEBHOOK_SECRET as string; 1556 + let event: ReturnType<typeof validateEvent>; 1557 + try { 1558 + event = validateEvent(rawBody, headers, webhookSecret); 1559 + } catch (error) { 1560 + // Validation failed - log but return generic response 1561 + console.error("[Webhook] Signature validation failed:", error); 1562 + return Response.json({ error: "Invalid webhook" }, { status: 400 }); 1563 + } 1558 1564 1559 - console.log(`[Webhook] Received event: ${event.type}`); 1565 + console.log(`[Webhook] Received event: ${event.type}`); 1560 1566 1561 - // Handle different event types 1567 + // Handle different event types 1568 + try { 1562 1569 switch (event.type) { 1563 1570 case "subscription.updated": { 1564 1571 const { id, status, customerId, metadata } = event.data; ··· 1619 1626 1620 1627 return Response.json({ received: true }); 1621 1628 } catch (error) { 1622 - console.error("[Webhook] Error processing webhook:", error); 1623 - return Response.json( 1624 - { error: "Webhook processing failed" }, 1625 - { status: 400 }, 1626 - ); 1629 + // Processing failed - log with detail but return generic response 1630 + console.error("[Webhook] Event processing failed:", error); 1631 + return Response.json({ error: "Invalid webhook" }, { status: 400 }); 1627 1632 } 1628 1633 }, 1629 1634 },

Configure Feed

Configure Feed