payment-kit 1.29.0 → 1.29.2

package/api/src/routes/{integrations → hono/integrations}/app-store.ts

@@ -1,4 +1,4 @@
-// App Store integration routes.
+// Phase 3 (express→hono) — hono fork of routes/integrations/app-store.ts.
 //
 // /verify  — client-initiated verify. Payload schema mirrors aistro
 //            (`{ receipt?, signedTransaction?, ... }`, `.or('receipt','signedTransaction')`)
@@ -6,18 +6,24 @@
 //            JWS path takes priority; falls back to legacy receipt verifyReceipt.
 // /webhook — App Store Server Notifications V2. Stubbed; full state machine
 //            lands in A1-followup.
+//
+// NOT raw-body: all three POST routes read the body via c.get('sanitizedBody') ?? {}.
+// (Contrast with stripe.ts which does c.req.arrayBuffer() — that's Stripe only.)
 
-import { Request, Response, Router } from 'express';
+import { Hono } from 'hono';
 import Joi from 'joi';
 
-import handleAppStoreNotification from '../../integrations/app-store/handlers';
-import { ingestVerifiedAppStorePurchase } from '../../integrations/app-store/handlers/subscription';
-import { peekNotificationRouting } from '../../integrations/app-store/notification-routing';
-import logger from '../../libs/logger';
-import { authenticate } from '../../libs/security';
-import { Customer, PaymentMethod } from '../../store/models';
+import handleAppStoreNotification from '../../../integrations/app-store/handlers';
+import { ingestVerifiedAppStorePurchase } from '../../../integrations/app-store/handlers/subscription';
+import { peekNotificationRouting } from '../../../integrations/app-store/notification-routing';
+import logger from '../../../libs/logger';
+import { withTenant } from '../../../libs/context';
+import { TENANT_MISMATCH, resolveRowTenant } from '../../../libs/tenant';
+import { authenticate } from '../../../middlewares/hono/security';
+import { Customer, PaymentMethod } from '../../../store/models';
+import { systemFindAll } from '../../../store/scoped';
 
-const router = Router();
+const app = new Hono();
 const userAuth = authenticate<Customer>({ component: false, ensureLogin: true });
 
 const verifyBodySchema = Joi.object<{
@@ -35,21 +41,20 @@ const verifyBodySchema = Joi.object<{
   language: Joi.string().empty(['', null]),
 }).or('receipt', 'signedTransaction');
 
-router.post('/verify', userAuth, async (req: Request, res: Response) => {
+app.post('/verify', userAuth, async (c) => {
   try {
-    const did = (req as any).user?.did;
+    const did = c.get('user')?.did;
     if (!did) {
-      res.status(401).json({ error: 'unauthenticated' });
-      return;
+      return c.json({ error: 'unauthenticated' }, 401);
     }
-    const input = await verifyBodySchema.validateAsync(req.body, { stripUnknown: true });
+    const body = c.get('sanitizedBody') ?? {};
+    const input = await verifyBodySchema.validateAsync(body, { stripUnknown: true });
 
     const method = await PaymentMethod.findOne({
-      where: { type: 'app_store', active: true, livemode: !!req.livemode },
+      where: { type: 'app_store', active: true, livemode: !!c.get('livemode') },
     });
     if (!method) {
-      res.status(503).json({ error: 'app_store PaymentMethod not configured' });
-      return;
+      return c.json({ error: 'app_store PaymentMethod not configured' }, 503);
     }
     const client = method.getAppStoreClient();
 
@@ -61,7 +66,7 @@ router.post('/verify', userAuth, async (req: Request, res: Response) => {
       receipt: input.receipt,
     });
 
-    res.json({
+    return c.json({
       success: true,
       subscription_id: result.subscription.id,
       isFirstSubscribe: result.isFirstSubscribe,
@@ -77,7 +82,7 @@ router.post('/verify', userAuth, async (req: Request, res: Response) => {
   } catch (err: any) {
     const message = err?.message || (typeof err === 'string' ? err : null) || 'verify failed';
     logger.error('app_store verify failed', { message, stack: err?.stack });
-    res.status(400).json({ success: false, error: { message, code: err?.code } });
+    return c.json({ success: false, error: { message, code: err?.code } }, 400);
   }
 });
 
@@ -112,21 +117,20 @@ const restoreBodySchema = Joi.object<{
  * or create one. Partial success is allowed — per-item failures land in the
  * `errors` array; per-item successes land in `restored`.
  */
-router.post('/restore', userAuth, async (req: Request, res: Response) => {
+app.post('/restore', userAuth, async (c) => {
   try {
-    const did = (req as any).user?.did;
+    const did = c.get('user')?.did;
     if (!did) {
-      res.status(401).json({ error: 'unauthenticated' });
-      return;
+      return c.json({ error: 'unauthenticated' }, 401);
     }
-    const input = await restoreBodySchema.validateAsync(req.body, { stripUnknown: true });
+    const body = c.get('sanitizedBody') ?? {};
+    const input = await restoreBodySchema.validateAsync(body, { stripUnknown: true });
 
     const method = await PaymentMethod.findOne({
-      where: { type: 'app_store', active: true, livemode: !!req.livemode },
+      where: { type: 'app_store', active: true, livemode: !!c.get('livemode') },
     });
     if (!method) {
-      res.status(503).json({ error: 'app_store PaymentMethod not configured' });
-      return;
+      return c.json({ error: 'app_store PaymentMethod not configured' }, 503);
     }
     const client = method.getAppStoreClient();
 
@@ -136,8 +140,8 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
     // through `ingestVerifiedAppStorePurchase`.
     const seen = new Set<string>();
     const items: Array<{ kind: 'jws' | 'receipt'; value: string }> = [
-      ...(input.signedTransactions ?? []).map((v) => ({ kind: 'jws' as const, value: v })),
-      ...(input.receipts ?? []).map((v) => ({ kind: 'receipt' as const, value: v })),
+      ...(input.signedTransactions ?? []).map((v: string) => ({ kind: 'jws' as const, value: v })),
+      ...(input.receipts ?? []).map((v: string) => ({ kind: 'receipt' as const, value: v })),
     ].filter((item) => {
       if (seen.has(item.value)) return false;
       seen.add(item.value);
@@ -188,13 +192,13 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
       results.push(...batchResults);
     }
 
-    res.json({
+    return c.json({
       restored: results.filter((r) => r.ok),
       errors: results.filter((r) => !r.ok),
     });
   } catch (err: any) {
     logger.error('app_store restore failed', { error: err?.message, stack: err?.stack });
-    res.status(400).json({ error: err?.message ?? 'restore failed' });
+    return c.json({ error: err?.message ?? 'restore failed' }, 400);
   }
 });
 
@@ -206,23 +210,27 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
  * Apple doesn't retry-storm; a failure while PROCESSING a verified notification
  * is transient and returns 5xx so Apple retries.
  */
-router.post('/webhook', async (req: Request, res: Response) => {
-  const signedPayload = (req.body?.signedPayload as string | undefined) ?? '';
+app.post('/webhook', async (c) => {
+  const body = c.get('sanitizedBody') ?? {};
+  const signedPayload = (body?.signedPayload as string | undefined) ?? '';
   if (!signedPayload) {
     logger.warn('app_store webhook missing signedPayload');
-    res.json({ skipped: true, reason: 'no signedPayload' });
-    return;
+    return c.json({ skipped: true, reason: 'no signedPayload' });
   }
 
   // --- Select the matching method + verify. Failures here are NOT retryable. ---
   let notification: any;
   let client: any;
+  let matched: PaymentMethod;
   try {
-    const methods = await PaymentMethod.findAll({ where: { type: 'app_store' } });
+    // Reverse lookup: the App Store Server Notification arrives with NO tenant
+    // context — find which tenant registered this bundle_id. A genuine
+    // cross-tenant read (systemFindAll bypasses TenantModel scoping); the
+    // matched method's tenant is enforced via withTenant(resolveRowTenant).
+    const methods = await systemFindAll(PaymentMethod, { where: { type: 'app_store' } });
     if (methods.length === 0) {
       logger.warn('app_store webhook: no PaymentMethod configured');
-      res.json({ skipped: true, reason: 'no app_store PaymentMethod' });
-      return;
+      return c.json({ skipped: true, reason: 'no app_store PaymentMethod' });
     }
 
     // Read bundleId/environment from the UNVERIFIED payload to pick the method.
@@ -230,38 +238,50 @@ router.post('/webhook', async (req: Request, res: Response) => {
     // before the correct method is ever tried, and the old catch then 200'd —
     // silently discarding valid notifications (PR #1381 review P1).
     const routing = peekNotificationRouting(signedPayload);
-    const matched = methods.find((m) => {
+    const candidates = methods.filter((m) => {
       const settings = PaymentMethod.decryptSettings(m.settings);
       if (settings.app_store?.bundle_id !== routing?.bundleId) return false;
       if (!routing?.environment) return true;
       return settings.app_store?.environment === routing.environment.toLowerCase();
     });
-    if (!matched) {
+    if (candidates.length === 0) {
       logger.warn('app_store webhook: no matching PaymentMethod', {
         bundleId: routing?.bundleId,
         environment: routing?.environment,
       });
-      res.json({ skipped: true, reason: 'no matching PaymentMethod' });
-      return;
+      return c.json({ skipped: true, reason: 'no matching PaymentMethod' });
+    }
+    // Phase 6 (W1-4b): a channel identifier must map to exactly ONE tenant in
+    // a deployment — ambiguity means the reverse lookup could land the
+    // notification in the wrong tenant, so it is refused loudly.
+    if (candidates.length > 1) {
+      logger.error('app_store webhook: bundle_id registered by multiple methods, refusing', {
+        code: TENANT_MISMATCH,
+        bundleId: routing?.bundleId,
+        methodIds: candidates.map((m) => m.id),
+      });
+      return c.json({ skipped: true, reason: 'ambiguous bundle_id registration' });
     }
+    matched = candidates[0]!;
 
     client = matched.getAppStoreClient();
     notification = await client.verifyNotificationPayload(signedPayload);
   } catch (err: any) {
     // Malformed / forged / not-for-us → ack so Apple stops retrying.
     logger.warn('app_store webhook: verification/selection failed — acking', { error: err?.message });
-    res.json({ skipped: true, reason: 'verification failed' });
-    return;
+    return c.json({ skipped: true, reason: 'verification failed' });
   }
 
   // --- Process the verified notification. Failures here ARE transient. ---
   try {
-    await handleAppStoreNotification(notification, client);
-    res.json({ received: true });
+    // tenant = the method that registered this bundle_id (reverse lookup);
+    // the whole ingest chain (queries, events, jobs) runs under it
+    await withTenant(resolveRowTenant(matched!), () => handleAppStoreNotification(notification, client));
+    return c.json({ received: true });
   } catch (err: any) {
     logger.error('app_store webhook processing failed — will retry', { error: err?.message, stack: err?.stack });
-    res.status(500).json({ error: err?.message ?? 'processing failed' });
+    return c.json({ error: err?.message ?? 'processing failed' }, 500);
   }
 });
 
-export default router;
+export default app;

package/api/src/routes/{integrations → hono/integrations}/google-play.ts

@@ -1,3 +1,4 @@
+// Phase 3e (express→hono) — hono fork of routes/integrations/google-play.ts.
 // Google Play Real-Time Developer Notification webhook receiver.
 //
 // Pub/Sub Push body:
@@ -8,19 +9,26 @@
 //
 // Auth: Pub/Sub puts a Google-signed JWT in `Authorization: Bearer <jwt>`.
 // We verify the JWT claims here (signature verification is TODO — see verify.ts).
+//
+// NOTE: /webhook, /verify, /restore are NORMAL JSON POSTs — body is read via
+// c.get('sanitizedBody') ?? {} (NOT c.req.arrayBuffer).
 
-import { Request, Response, Router } from 'express';
+import { Hono } from 'hono';
 import Joi from 'joi';
+import { googlePubsubPushServiceAccount, googlePubsubAllowUnverifiedSender, isTestEnv } from '../../../libs/env';
 
-import handleGooglePlayEvent, { GooglePlayRtdnPayload } from '../../integrations/google-play/handlers';
-import { ingestVerifiedGooglePlayPurchase } from '../../integrations/google-play/handlers/subscription';
-import { decodePubSubMessage, verifyPubSubJwt } from '../../integrations/google-play/verify';
-import logger from '../../libs/logger';
-import { authenticate } from '../../libs/security';
-import { googlePlayEndpoint } from '../../libs/util';
-import { Customer, PaymentMethod } from '../../store/models';
+import handleGooglePlayEvent, { GooglePlayRtdnPayload } from '../../../integrations/google-play/handlers';
+import { ingestVerifiedGooglePlayPurchase } from '../../../integrations/google-play/handlers/subscription';
+import { decodePubSubMessage, verifyPubSubJwt } from '../../../integrations/google-play/verify';
+import logger from '../../../libs/logger';
+import { withTenant } from '../../../libs/context';
+import { TENANT_MISMATCH, resolveRowTenant } from '../../../libs/tenant';
+import { authenticate } from '../../../middlewares/hono/security';
+import { googlePlayEndpoint } from '../../../libs/util';
+import { Customer, PaymentMethod } from '../../../store/models';
+import { systemFindAll } from '../../../store/scoped';
 
-const router = Router();
+const app = new Hono();
 const userAuth = authenticate<Customer>({ component: false, ensureLogin: true });
 
 const verifyBodySchema = Joi.object<{
@@ -35,25 +43,24 @@ const verifyBodySchema = Joi.object<{
  * Client-initiated verify (aistro-shape).
  * Mobile client POSTs after StoreKit / BillingClient finishes the purchase.
  */
-router.post('/verify', userAuth, async (req: Request, res: Response) => {
+app.post('/verify', userAuth, async (c) => {
   try {
-    const did = (req as any).user?.did;
+    const did = (c.get('user') as any)?.did;
     if (!did) {
-      res.status(401).json({ error: 'unauthenticated' });
-      return;
+      return c.json({ error: 'unauthenticated' }, 401);
     }
-    const input = await verifyBodySchema.validateAsync(req.body, { stripUnknown: true });
+    const body = c.get('sanitizedBody') ?? {};
+    const input = await verifyBodySchema.validateAsync(body, { stripUnknown: true });
 
     // Resolve the Google Play PaymentMethod for THIS livemode. Without the
     // livemode filter a testmode request would silently fall through to the
     // production method (and vice versa), and its encrypted credentials may
     // not even decrypt under the current process key.
     const method = await PaymentMethod.findOne({
-      where: { type: 'google_play', active: true, livemode: !!req.livemode },
+      where: { type: 'google_play', active: true, livemode: !!c.get('livemode') },
     });
     if (!method) {
-      res.status(503).json({ error: 'google_play PaymentMethod not configured' });
-      return;
+      return c.json({ error: 'google_play PaymentMethod not configured' }, 503);
     }
     const client = method.getGooglePlayClient();
 
@@ -65,7 +72,7 @@ router.post('/verify', userAuth, async (req: Request, res: Response) => {
       subscriptionId: input.subscriptionId,
     });
 
-    res.json({
+    return c.json({
       success: true,
       subscription_id: result.subscription.id,
       isFirstSubscribe: result.isFirstSubscribe,
@@ -86,10 +93,13 @@ router.post('/verify', userAuth, async (req: Request, res: Response) => {
       errKeys: err ? Object.keys(err) : [],
       stack: err?.stack,
     });
-    res.status(400).json({
-      success: false,
-      error: { message, raw: err?.errorMessage ?? null },
-    });
+    return c.json(
+      {
+        success: false,
+        error: { message, raw: err?.errorMessage ?? null },
+      },
+      400
+    );
   }
 });
 
@@ -130,21 +140,20 @@ const restoreBodySchema = Joi.object<{
  * either return the existing local Subscription or create one. Partial
  * success is reported per item.
  */
-router.post('/restore', userAuth, async (req: Request, res: Response) => {
+app.post('/restore', userAuth, async (c) => {
   try {
-    const did = (req as any).user?.did;
+    const did = (c.get('user') as any)?.did;
     if (!did) {
-      res.status(401).json({ error: 'unauthenticated' });
-      return;
+      return c.json({ error: 'unauthenticated' }, 401);
     }
-    const input = await restoreBodySchema.validateAsync(req.body, { stripUnknown: true });
+    const body = c.get('sanitizedBody') ?? {};
+    const input = await restoreBodySchema.validateAsync(body, { stripUnknown: true });
 
     const method = await PaymentMethod.findOne({
-      where: { type: 'google_play', active: true, livemode: !!req.livemode },
+      where: { type: 'google_play', active: true, livemode: !!c.get('livemode') },
     });
     if (!method) {
-      res.status(503).json({ error: 'google_play PaymentMethod not configured' });
-      return;
+      return c.json({ error: 'google_play PaymentMethod not configured' }, 503);
     }
     const client = method.getGooglePlayClient();
 
@@ -152,7 +161,7 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
     // Play purchase, so duplicates in the request would otherwise double-
     // call Google's verifier and re-upsert the same Subscription row.
     const seen = new Set<string>();
-    const purchases = input.purchases.filter((p) => {
+    const purchases = input.purchases.filter((p: { purchaseToken: string; subscriptionId: string }) => {
       if (seen.has(p.purchaseToken)) return false;
       seen.add(p.purchaseToken);
       return true;
@@ -175,7 +184,7 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
       const batch = purchases.slice(i, i + RESTORE_CONCURRENCY);
       // eslint-disable-next-line no-await-in-loop -- intentional: batches must complete sequentially to bound concurrency
       const batchResults = await Promise.all(
-        batch.map(async (p): Promise<ItemResult> => {
+        batch.map(async (p: { purchaseToken: string; subscriptionId: string }): Promise<ItemResult> => {
           try {
             const r = await ingestVerifiedGooglePlayPurchase({
               customerDid: did,
@@ -202,13 +211,13 @@ router.post('/restore', userAuth, async (req: Request, res: Response) => {
       results.push(...batchResults);
     }
 
-    res.json({
+    return c.json({
       restored: results.filter((r) => r.ok),
       errors: results.filter((r) => !r.ok),
     });
   } catch (err: any) {
     logger.error('google_play restore failed', { error: err?.message, stack: err?.stack });
-    res.status(400).json({ error: err?.message ?? 'restore failed' });
+    return c.json({ error: err?.message ?? 'restore failed' }, 400);
   }
 });
 
@@ -246,17 +255,17 @@ function markHandled(messageId: string): void {
   seenMessageIds.set(messageId, now + MESSAGE_DEDUP_TTL_MS);
 }
 
-router.post('/webhook', async (req: Request, res: Response) => {
-  const expectedEmail = process.env.GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT;
+app.post('/webhook', async (c) => {
+  const expectedEmail = googlePubsubPushServiceAccount();
   // Fail CLOSED: in production the push service account MUST be configured. A
   // sandbox/test bypass has to be explicit (PR #1381 review P1).
-  const allowUnverifiedSender =
-    process.env.GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER === 'true' || process.env.NODE_ENV === 'test';
+  const allowUnverifiedSender = googlePubsubAllowUnverifiedSender() || isTestEnv();
 
   // --- Phase 1: authenticate + select. Failures here are rejections / not-for-us,
   //     NOT processing failures. ---
   let payload: GooglePlayRtdnPayload;
   let client: ReturnType<PaymentMethod['getGooglePlayClient']>;
+  let method: PaymentMethod;
   let messageId: string | undefined;
   try {
     if (!expectedEmail && !allowUnverifiedSender) {
@@ -264,61 +273,72 @@ router.post('/webhook', async (req: Request, res: Response) => {
         'google_play webhook refusing: GOOGLE_PUBSUB_PUSH_SERVICE_ACCOUNT unset ' +
           '(set GOOGLE_PUBSUB_ALLOW_UNVERIFIED_SENDER=true only for sandbox)'
       );
-      res.status(403).json({ error: 'sender verification not configured' });
-      return;
+      return c.json({ error: 'sender verification not configured' }, 403);
     }
 
-    const authHeader = req.get('authorization') || req.get('Authorization');
+    const authHeader = c.req.header('authorization') || c.req.header('Authorization');
     if (authHeader) {
       const token = authHeader.replace(/^Bearer\s+/i, '');
       await verifyPubSubJwt(token, { expectedAudience: googlePlayEndpoint(), expectedEmail });
     } else if (!allowUnverifiedSender) {
       logger.warn('google_play webhook missing Authorization header');
-      res.status(401).json({ error: 'missing authorization' });
-      return;
+      return c.json({ error: 'missing authorization' }, 401);
     }
 
-    messageId = req.body?.message?.messageId;
+    const body = c.get('sanitizedBody') ?? {};
+    messageId = (body as any)?.message?.messageId;
     // Skip only messages we already handled SUCCESSFULLY (mark happens post-success).
     if (messageId && wasHandled(messageId)) {
       logger.info('google_play webhook: duplicate Pub/Sub messageId, skipping', { messageId });
-      res.json({ deduped: true });
-      return;
+      return c.json({ deduped: true });
     }
 
-    payload = decodePubSubMessage<GooglePlayRtdnPayload>(req.body);
+    payload = decodePubSubMessage<GooglePlayRtdnPayload>(body);
 
-    const methods = await PaymentMethod.findAll({ where: { type: 'google_play' } });
-    const method = methods.find((m) => {
+    // Reverse lookup: the RTDN webhook arrives with NO tenant context — find
+    // which tenant registered this package_name. A genuine cross-tenant read,
+    // so it must use systemFindAll to bypass TenantModel scoping; the matched
+    // method's tenant is then enforced via withTenant(resolveRowTenant) below.
+    const methods = await systemFindAll(PaymentMethod, { where: { type: 'google_play' } });
+    const candidates = methods.filter((m) => {
       const settings = PaymentMethod.decryptSettings(m.settings);
       return settings.google_play?.package_name === payload.packageName;
     });
-    if (!method) {
+    if (candidates.length === 0) {
       logger.warn('google_play webhook: no matching PaymentMethod for packageName', {
         packageName: payload.packageName,
       });
       // Not for us → ack so Pub/Sub doesn't retry a misconfigured topic forever.
-      res.json({ skipped: true });
-      return;
+      return c.json({ skipped: true });
+    }
+    // Phase 6 (W1-4b): one channel identifier maps to exactly one tenant
+    if (candidates.length > 1) {
+      logger.error('google_play webhook: package_name registered by multiple methods, refusing', {
+        code: TENANT_MISMATCH,
+        packageName: payload.packageName,
+        methodIds: candidates.map((m) => m.id),
+      });
+      return c.json({ skipped: true, reason: 'ambiguous package_name registration' });
     }
+    method = candidates[0]!;
     client = method.getGooglePlayClient();
   } catch (err: any) {
     // Auth / decode / selection failure → forged or malformed; reject.
     logger.warn('google_play webhook: auth/decode failed', { error: err?.message });
-    res.status(401).json({ error: 'unauthorized' });
-    return;
+    return c.json({ error: 'unauthorized' }, 401);
   }
 
   // --- Phase 2: process the verified event. Failure here is transient → 5xx so
   //     Pub/Sub retries; mark the messageId handled ONLY after success. ---
   try {
-    await handleGooglePlayEvent(payload, client);
+    // tenant = the method that registered this package_name (reverse lookup)
+    await withTenant(resolveRowTenant(method!), () => handleGooglePlayEvent(payload, client));
     if (messageId) markHandled(messageId);
-    res.json({ received: true });
+    return c.json({ received: true });
   } catch (err: any) {
     logger.error('google_play webhook processing failed — will retry', { error: err?.message, stack: err?.stack });
-    res.status(500).json({ error: err?.message ?? 'processing failed' });
+    return c.json({ error: err?.message ?? 'processing failed' }, 500);
   }
 });
 
-export default router;
+export default app;

package/api/src/routes/hono/integrations/stripe.ts

@@ -0,0 +1,74 @@
+// Phase 3e (express→hono) — hono fork of routes/integrations/stripe.ts. The
+// Stripe webhook is RAW-BODY: the signature is an HMAC over the EXACT received
+// bytes, so the body must NOT be parsed/sanitized before verification. xss skips
+// this path (RAW_BODY_PREFIXES); the route reads c.req.arrayBuffer() directly
+// (§3.1). stripeEvent/stripeClient are injected into context by verifyWebhookSig
+// (the route-internal middleware, not a global one).
+import { Hono } from 'hono';
+import type { MiddlewareHandler } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { env } from '@blocklet/sdk/lib/env';
+import get from 'lodash/get';
+import { stripeWebhookSecret } from '../../../libs/env';
+
+import handleStripeEvent from '../../../integrations/stripe/handlers';
+import logger from '../../../libs/logger';
+import { STRIPE_EVENTS } from '../../../libs/util';
+import { PaymentMethod } from '../../../store/models';
+
+const app = new Hono();
+
+const verifyWebhookSig: MiddlewareHandler = async (c, next) => {
+  try {
+    const signature = c.req.header('stripe-signature');
+    if (!signature) {
+      return c.json({ error: 'No stripe webhook signature found' }, 400);
+    }
+
+    // RAW body — read the exact bytes once (xss did not consume this path).
+    const raw = Buffer.from(await c.req.arrayBuffer());
+    const json = JSON.parse(raw.toString('utf8'));
+    const method = await PaymentMethod.findOne({ where: { type: 'stripe', livemode: json.livemode } });
+    if (!method) {
+      return c.json({ error: 'No stripe payment method found' }, 400);
+    }
+
+    const stripe = method.getStripeClient();
+    const settings = PaymentMethod.decryptSettings(method.settings);
+    const secret = stripeWebhookSecret() || settings.stripe?.webhook_signing_secret;
+    c.set('stripeEvent', stripe.webhooks.constructEvent(raw, signature, secret as string));
+    c.set('stripeClient', stripe);
+
+    // eslint-disable-next-line @typescript-eslint/return-await -- do NOT await: downstream route errors must not be caught by this sig-verify catch
+    return next();
+  } catch (err: any) {
+    logger.error('verify signature error', { error: err });
+    return c.json({ error: err.message }, 400);
+  }
+};
+
+const handleEvent: MiddlewareHandler = async (c) => {
+  const stripeEvent = c.get('stripeEvent');
+  const stripeClient = c.get('stripeClient');
+
+  if (STRIPE_EVENTS.includes(stripeEvent.type) === false) {
+    logger.debug('webhook event not interested', { id: stripeEvent.id, type: stripeEvent.type });
+    return c.json({ skipped: true });
+  }
+
+  // only events from this app should be processed
+  const appPid = get(stripeEvent, 'data.object.metadata.appPid');
+  if (appPid && appPid !== (env as any).appPid) {
+    logger.debug('webhook event for other app', { id: stripeEvent.id, type: stripeEvent.type });
+    return c.json({ skipped: true });
+  }
+
+  logger.debug('webhook received event', { id: stripeEvent.id, type: stripeEvent.type });
+  await handleStripeEvent(stripeEvent, stripeClient);
+
+  return c.json({ received: true });
+};
+
+app.post('/webhook', verifyWebhookSig, handleEvent);
+
+export default app;