Commit graph

5 commits

Author SHA1 Message Date
Snider
301fdb152a fix(migration): remove FK constraints on non-existent orders/subscriptions tables
webhook_events referenced orders and subscriptions tables that don't
exist yet (billing module). Switched to plain unsignedBigInteger columns
with indexes — FKs can be added when the billing tables are created.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-08 18:08:20 +00:00
Snider
c19e467735 security: add webhook idempotency and payment amount verification
Idempotency (replay attack protection):
- Add WebhookEvent model for tracking processed events
- Add webhook_events migration with unique constraint
- Add isAlreadyProcessed() to BTCPay and Stripe controllers
- Reject duplicate events with 200 response

Payment amount verification (BTCPay):
- Add verifyPaymentAmount() method
- Reject underpayments (mark order failed, create audit record)
- Reject currency mismatches
- Log overpayments for manual review
- Add 0.01 tolerance for floating point precision

Add comprehensive tests for both features.
Update TODO.md to mark P1 issues as fixed.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 12:32:25 +00:00
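The two checks this commit describes, idempotent event handling and payment amount verification, are shown together below as an added example. It is not code from this repository: it uses plain PDO on an in-memory SQLite database rather than the project's Laravel models, and the `WebhookGuard` class, the `handleDelivery()` helper, the table and column names (`webhook_events`, `provider`, `event_id`) and the sample deliveries are all assumed for illustration.

```php
<?php
// Added illustration, not code from this repository. Assumes the pdo_sqlite
// extension; WebhookGuard, handleDelivery() and the table/column names are
// hypothetical and do not refer to the project's own WebhookEvent model.
declare(strict_types=1);

final class WebhookGuard
{
    // Slack for floating point comparison, matching the 0.01 from the commit.
    public const TOLERANCE = 0.01;

    public function __construct(private PDO $db)
    {
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // UNIQUE (provider, event_id) is what makes the claim atomic: two
        // concurrent deliveries of the same event cannot both win.
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS webhook_events (
                id INTEGER PRIMARY KEY AUTOINCREMENT,
                provider TEXT NOT NULL,
                event_id TEXT NOT NULL,
                processed_at TEXT NOT NULL,
                UNIQUE (provider, event_id)
            )'
        );
    }

    // Claim an event for processing; false means it was already seen.
    // INSERT first and let the unique index decide, instead of
    // SELECT-then-INSERT, which leaves a race window between the statements.
    public function claim(string $provider, string $eventId): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO webhook_events (provider, event_id, processed_at)
             VALUES (:provider, :event_id, :processed_at)'
        );
        try {
            $stmt->execute([
                ':provider'     => $provider,
                ':event_id'     => $eventId,
                ':processed_at' => gmdate('c'),
            ]);
            return true;
        } catch (PDOException $e) {
            // SQLSTATE 23000: integrity constraint violation (duplicate key).
            if ((string) $e->getCode() === '23000') {
                return false;
            }
            throw $e;
        }
    }

    // Compare the amount the provider reports against the order.
    // Returns 'ok', 'currency_mismatch', 'underpaid' or 'overpaid'.
    public static function verifyPaymentAmount(
        float $expected,
        string $expectedCurrency,
        float $paid,
        string $paidCurrency
    ): string {
        if (strtoupper($expectedCurrency) !== strtoupper($paidCurrency)) {
            return 'currency_mismatch';
        }
        $diff = $paid - $expected;
        if (abs($diff) <= self::TOLERANCE) {
            return 'ok';
        }
        return $diff < 0 ? 'underpaid' : 'overpaid';
    }
}

// Controller glue: decide what to do with one delivery. Every branch answers
// HTTP 200, duplicates included, so the provider stops retrying.
function handleDelivery(WebhookGuard $guard, array $event, array $order): string
{
    if (!$guard->claim($event['provider'], $event['id'])) {
        return 'duplicate: ignored (200)';
    }
    $verdict = WebhookGuard::verifyPaymentAmount(
        $order['amount'], $order['currency'],
        $event['paid'], $event['currency']
    );
    return match ($verdict) {
        'ok'                => 'order paid',
        'underpaid'         => 'rejected: order failed, audit record created',
        'currency_mismatch' => 'rejected: currency mismatch',
        'overpaid'          => 'order paid, logged for manual review',
    };
}

// Constructed sample data: one order for 25.00 USD and four deliveries,
// the second being a replay of the first.
$guard = new WebhookGuard(new PDO('sqlite::memory:'));
$order = ['amount' => 25.00, 'currency' => 'USD'];
$deliveries = [
    ['provider' => 'btcpay', 'id' => 'evt_1', 'paid' => 24.995, 'currency' => 'USD'],
    ['provider' => 'btcpay', 'id' => 'evt_1', 'paid' => 24.995, 'currency' => 'USD'],
    ['provider' => 'btcpay', 'id' => 'evt_2', 'paid' => 20.00,  'currency' => 'USD'],
    ['provider' => 'btcpay', 'id' => 'evt_3', 'paid' => 25.00,  'currency' => 'EUR'],
];
foreach ($deliveries as $d) {
    echo $d['id'], ': ', handleDelivery($guard, $d, $order), PHP_EOL;
}
```

Two design points worth noting. The claim is insert-first so that the unique constraint, not a preceding lookup, decides who processes the event; if the work after the claim can fail, run claim and processing inside one transaction so a failure releases the row and the provider's retry is not silently dropped as a duplicate. The amount check keeps the float comparison with a 0.01 tolerance as the commit describes; storing amounts as integer minor units (cents, satoshis) would make the comparison exact and remove the need for a tolerance.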
Snider
9113cede8a fix: remove FK to non-existent invoice_items, shorten index names
- Remove FK constraint to invoice_items table (not yet created)
- Shorten index names to avoid MariaDB 64-char limit

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 19:46:15 +00:00
Snider
eca97466b8 fix: remove FK constraints to non-existent orders/refunds tables
Credit notes can exist independently of orders. Foreign keys will be
added when orders and refunds modules are implemented.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 17:23:48 +00:00
Snider
a74a02f406 monorepo separation
2026-01-27 00:24:22 +00:00