xtr.dev/payload-billing
1
0
Fork 0
mirror of https://github.com/xtr-dev/payload-billing.git synced 2025-12-10 10:53:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Address critical security vulnerabilities and improve code quality

Browse Source 
🔒 Security Fixes:
- Make webhook signature validation required for production
- Prevent information disclosure by returning 200 for all webhook responses
- Sanitize external error messages while preserving internal logging

🔧 Code Quality Improvements:
- Add URL validation to prevent localhost usage in production
- Create currency utilities for proper handling of non-centesimal currencies
- Replace unsafe 'any' types with type-safe ProviderData wrapper
- Add comprehensive input validation for amounts, currencies, and descriptions
- Set default Stripe API version for consistency

📦 New Features:
- Currency conversion utilities supporting JPY, KRW, and other special cases
- Type-safe provider data structure with metadata
- Enhanced validation functions for payment data

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Bas van den Aakster
2025-09-17 18:38:44 +02:00
parent 209b683a8a
commit bf9940924c
6 changed files with 197 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/providers/types.ts
View File

@@ -10,3 +10,12 @@ export type PaymentProvider = {
onInit?: (payload: Payload) => Promise<void> | void
initPayment: InitPayment
}
/**
* Type-safe provider data wrapper
*/
export type ProviderData<T = unknown> = {
raw: T
timestamp: string
provider: string
}