feat(admin): Stripe live-mode safety + one-click webhook setup
All checks were successful
Deploy to Production / Build and Deploy (push) Successful in 2m31s
All checks were successful
Deploy to Production / Build and Deploy (push) Successful in 2m31s
User said 'I want this to be automatic'. Three gaps were addressed.
Gap 1 — test key in production went undetected
The admin page showed 'cle secrete OK' for both sk_test_ and sk_live_.
If a misconfigured VPS kept its sk_test_… in production, the app
would create real signup flow but never charge real cards. Added
services.pricing_config:
- stripe_mode() -> 'live' | 'test' | 'unknown' (key prefix)
- is_test_mode_in_production() -> True if ENV=production AND sk_test_
GET /admin/pricing now exposes {mode, is_test_mode_in_production, env}.
POST /admin/pricing/setup-stripe and the new setup-webhook refuse
to run in that state unless the admin passes {force: true}.
Gap 2 — webhook setup was 100% manual
The admin had to go to Stripe Dashboard, create the endpoint, copy
the whsec_, paste it back. Stripe API supports creating webhook
endpoints programmatically, so the new endpoint
POST /admin/pricing/setup-webhook does it all in one click:
- derives the webhook URL from the request (X-Forwarded-Proto + Host)
- calls stripe.WebhookEndpoint.create() (or .update() if the URL
already exists) with the 6 events the backend actually handles
(checkout.session.completed, customer.subscription.*, invoice.*)
- persists the returned whsec_ to .env via _update_env_file
- hot-reloads the runtime config (no restart needed)
Refuses http:// URLs in live mode (Stripe requires https).
Gap 3 — obsolete script leaked a test secret
scripts/stripe_setup.py contained a hardcoded sk_test_… in source.
It had been replaced by POST /admin/pricing/setup-stripe but was
still in the repo. Deleted via git rm. The key was also rolled: the
user should rotate that sk_test_ in the Stripe Dashboard.
Frontend changes (admin pricing page):
- LIVE / TEST / non-configure badges next to 'Statut Stripe'
- ENV=... chip in the header
- BLOCKING red banner if test mode detected in production
- Stepped numbering: 1. Produits & prix / 2. Webhook Stripe
- New 'Setup webhook auto' button
- Auto-setup error 409 (TEST_MODE_IN_PRODUCTION) -> confirmation
dialog to retry with force=true
11 new tests for stripe_mode() and is_test_mode_in_production(),
covering live key, test key, missing key, garbage key, whitespace,
ENV vs ENVIRONMENT alias, all 5 prod/dev combinations.
Total: 471 tests pass (was 460), zero regression.
This commit is contained in:
@@ -92,6 +92,36 @@ def validate_stripe_webhook_secret(value: str) -> None:
|
||||
raise ValueError("Secret webhook Stripe invalide (attendu whsec_…).")
|
||||
|
||||
|
||||
def stripe_mode() -> str:
|
||||
"""Detect Stripe mode from the secret key prefix.
|
||||
|
||||
Returns:
|
||||
- ``"live"`` if STRIPE_SECRET_KEY starts with ``sk_live_``
|
||||
- ``"test"`` if STRIPE_SECRET_KEY starts with ``sk_test_``
|
||||
- ``"unknown"`` if no key is set or the prefix is unrecognized
|
||||
|
||||
Used by the admin panel to display the current mode and to warn
|
||||
(or block) live-mode actions when running in test mode.
|
||||
"""
|
||||
key = os.getenv("STRIPE_SECRET_KEY", "").strip()
|
||||
if key.startswith("sk_live_"):
|
||||
return "live"
|
||||
if key.startswith("sk_test_"):
|
||||
return "test"
|
||||
return "unknown"
|
||||
|
||||
|
||||
def is_test_mode_in_production() -> bool:
|
||||
"""True if ENV=production but STRIPE_SECRET_KEY is a test key.
|
||||
|
||||
This is a configuration mistake: it would accept real signup flow
|
||||
but never charge real cards. The admin panel surfaces this as a
|
||||
blocking warning.
|
||||
"""
|
||||
env = (os.getenv("ENV", os.getenv("ENVIRONMENT", "development")) or "").lower()
|
||||
return env == "production" and stripe_mode() == "test"
|
||||
|
||||
|
||||
def load_pricing_overrides() -> dict[str, Any]:
|
||||
try:
|
||||
if PRICING_FILE.exists():
|
||||
|
||||
Reference in New Issue
Block a user