filter stripe webhooks for correct server (#15320)

Co-authored-by: Kalista Payne <sabrecat@gmail.com>

test/api/unit/libs/payments/stripe/checkout.test.js

@@ -51,6 +51,7 @@ describe('Stripe - Checkout', () => {
         gift: undefined,
         sub: undefined,
         gemsBlock: gemsBlockKey,
+        server_url: BASE_URL,
       };
 
       expect(gems.validateGiftMessage).to.not.be.called;
@@ -101,6 +102,7 @@ describe('Stripe - Checkout', () => {
         gift: JSON.stringify(gift),
         sub: undefined,
         gemsBlock: undefined,
+        server_url: BASE_URL,
       };
 
       expect(gems.validateGiftMessage).to.be.calledOnce;
@@ -155,6 +157,7 @@ describe('Stripe - Checkout', () => {
         gift: JSON.stringify(gift),
         sub: undefined,
         gemsBlock: undefined,
+        server_url: BASE_URL,
       };
 
       expect(oneTimePayments.getOneTimePaymentInfo).to.be.calledOnce;
@@ -192,6 +195,7 @@ describe('Stripe - Checkout', () => {
         userId: user._id,
         gift: undefined,
         sub: JSON.stringify(sub),
+        server_url: BASE_URL,
       };
 
       expect(subscriptions.checkSubData).to.be.calledOnce;
@@ -258,6 +262,7 @@ describe('Stripe - Checkout', () => {
         userId: user._id,
         gift: undefined,
         sub: JSON.stringify(sub),
+        server_url: BASE_URL,
         groupId,
       };
 
@@ -328,8 +333,9 @@ describe('Stripe - Checkout', () => {
       user.purchased.plan.customerId = customerId;
 
       const metadata = {
-        userId: user._id,
         type: 'edit-card-user',
+        userId: user._id,
+        server_url: BASE_URL,
       };
 
       const res = await createEditCardCheckoutSession({ user }, stripe);
@@ -418,6 +424,7 @@ describe('Stripe - Checkout', () => {
         const metadata = {
           userId: user._id,
           type: 'edit-card-group',
+          server_url: BASE_URL,
           groupId,
         };
 
@@ -455,6 +462,7 @@ describe('Stripe - Checkout', () => {
           userId: anotherUser._id,
           type: 'edit-card-group',
           groupId,
+          server_url: BASE_URL,
         };
 
         const res = await createEditCardCheckoutSession({ user: anotherUser, groupId }, stripe);

test/api/unit/libs/payments/stripe/webhooks.test.js

@@ -16,6 +16,7 @@ import * as subscriptions from '../../../../../../website/server/libs/payments/s
 const { i18n } = common;
 
 describe('Stripe - Webhooks', () => {
+  const BASE_URL = nconf.get('BASE_URL');
   const stripe = stripeModule('test');
   const endpointSecret = nconf.get('STRIPE_WEBHOOKS_ENDPOINT_SECRET');
   const headers = {};
@@ -284,7 +285,9 @@ describe('Stripe - Webhooks', () => {
     const session = {};
 
     beforeEach(() => {
-      session.metadata = {};
+      session.metadata = {
+        server_url: BASE_URL,
+      };
       event = { type: eventType, data: { object: session } };
       constructEventStub = sandbox.stub(stripe.webhooks, 'constructEvent');
       constructEventStub.returns(event);

website/server/libs/payments/stripe/checkout.js

@@ -47,6 +47,7 @@ export async function createCheckoutSession (options, stripeInc) {
     userId: user._id,
     gift: gift ? JSON.stringify(gift) : undefined,
     sub: sub ? JSON.stringify(sub) : undefined,
+    server_url: BASE_URL,
   };
 
   let lineItems;
@@ -141,6 +142,7 @@ export async function createEditCardCheckoutSession (options, stripeInc) {
   const metadata = {
     type,
     userId: user._id,
+    server_url: BASE_URL,
   };
 
   let customerId;

website/server/libs/payments/stripe/webhooks.js

@@ -19,6 +19,8 @@ import { applySubscription, handlePaymentMethodChange } from './subscriptions';
 
 const endpointSecret = nconf.get('STRIPE_WEBHOOKS_ENDPOINT_SECRET');
 
+const BASE_URL = nconf.get('BASE_URL');
+
 export async function handleWebhooks (options, stripeInc) {
   const { body, headers } = options;
 
@@ -67,6 +69,10 @@ export async function handleWebhooks (options, stripeInc) {
         const session = event.data.object;
         const { metadata } = session;
 
+        if (metadata.server_url !== BASE_URL) {
+          break;
+        }
+
         if (metadata.type === 'edit-card-group' || metadata.type === 'edit-card-user') {
           await handlePaymentMethodChange(session);
         } else if (metadata.type === 'subscription') {