Stripe Ownership and Webhooks

Stripe billing is protected with a combination of session checks, customer ownership checks, and verified webhook processing.

This area matters because billing security is not only about creating checkout sessions. It is also about proving which user owns which Stripe resources and trusting webhook updates only after signature verification.

What this security area covers

Ownership model

The app ties Stripe objects back to the authenticated user through:

• stripeCustomerId stored on the user
• userId stored in Stripe metadata
• service-level checks before read or write operations

This creates a stronger link between application identity and Stripe resources than using Stripe objects alone.

Examples of current checks

• customer reads and updates verify ownership
• payment intents are checked against metadata.userId
• active subscription lookup is scoped through the user-linked customer

These checks help prevent users from reading or mutating billing data that does not belong to them.

Webhook protection

The webhook route verifies the stripe-signature header before processing any event.

Only after signature verification does the route call handleStripeWebhookEvent.

Why webhook sync matters

Checkout is not enough on its own. Long-lived billing state must be synchronized from Stripe events so the local database reflects:

• subscription status
• current period end
• one-time payments
• recurring invoice payments

That keeps billing state reliable even when payment events happen after redirects, retries, or subscription updates outside the browser.

Main files

• src/app/api/stripe/webhook/route.ts
• src/server/services/billing/customer.ts
• src/server/services/billing/webhook-sync.ts