Remove dead Stripe webhook and refresh session after checkout#17
Remove dead Stripe webhook and refresh session after checkout#17chaance wants to merge 2 commits into
Conversation
The setup script created a Stripe webhook endpoint subscribed to checkout.session.completed pointed at <deployment>.site/stripe-webhook, but convex/http.ts only registers /workos-webhook. There is no /stripe-webhook handler, so that endpoint was dead. Entitlement sync does not depend on it: WorkOS provisions entitlements onto the org access token via the Stripe integration once the org has a stripeCustomerId. The app only needs to refresh the session after checkout so new entitlements appear immediately. - setup.ts: drop setupStripeWebhook(); keep STRIPE_API_KEY set in Convex - subscribe route: tag success_url with ?checkout=success - dashboard: refresh AuthKit session when ?checkout=success - router/route.ts: fix pre-existing const reassignment breaking build Co-Authored-By: chance <chance.strickland@gmail.com>
Original prompt from chance
|
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Greptile SummaryThis PR removes a dead Stripe webhook setup (the
Confidence Score: 5/5Safe to merge — removes genuinely dead code, adds a well-guarded post-checkout session refresh, and fixes a pre-existing Turbopack build failure. All six changed files are straightforward and correct. The new CheckoutSuccessRefresh component handles cancellation and failure gracefully. The searchParams type matches the Next.js 15 async API. The setup script correctly preserves the Stripe API key step while discarding the webhook wiring that pointed at a non-existent handler. No logic gaps were found across the changed paths. No files require special attention. Important Files Changed
|
Co-Authored-By: chance <chance.strickland@gmail.com>
Summary
scripts/setup.tscreated a Stripe webhook endpoint (subscribed tocheckout.session.completed) pointed at<convex-deployment>.site/stripe-webhook, butconvex/http.tsonly ever registers a/workos-webhookroute — there is no/stripe-webhookhandler (git history confirms one was never committed). So setup wired up a dead Stripe endpoint, and the code implied you must run your own Stripe listener.Entitlement sync does not depend on that webhook. With the WorkOS Stripe integration enabled, WorkOS listens to Stripe and provisions entitlements onto the org's access token once
stripeCustomerIdis set on the org (already done insrc/app/api/subscribe/route.ts). The app's only responsibility is to refresh the session after checkout so new entitlements appear in the token immediately rather than on next login.This PR removes the misleading dead webhook and makes the post-checkout refresh explicit.
Changes
scripts/setup.ts: RemovedsetupStripeWebhook()and its call. It also setSTRIPE_API_KEYin Convex (read byconvex/stripe.ts), so that one step is preserved in a smallsetStripeApiKeyInConvex()helper.STRIPE_WEBHOOK_SECRETis no longer set (only the dead handler would have used it). The.cloud→.sitewebhookUrlderivation is kept — it still feedssetupWorkOSWebhook().src/app/api/subscribe/route.ts: Added a comment explaining WorkOS provisions entitlements automatically (no app-side Stripe webhook), and tagged the checkoutsuccess_urlwith a marker:src/app/dashboard/page.tsx+ newcheckout-success-refresh.tsx: When?checkout=successis present, refresh the AuthKit session so new entitlements land in the token now.refreshAuthkitSessioncallsrefreshSession(), which sets cookies — that throws during a Server Component render ("Cookies can only be modified in a Server Action or Route Handler"). The existing repo pattern (src/app/dashboard/audit-logs/page.tsx) invokes it from a client component inuseEffect, so I matched that: a smallCheckoutSuccessRefreshclient component runs the action on mount, thenrouter.replace('/dashboard')+router.refresh()to drop the marker and re-render with fresh entitlements. VerifiedrefreshAuthkitSession()returnsPromise<string>(a stringified session) and takes no args.README.md: Added one line — entitlement sync is handled by WorkOS; the only app responsibility is refreshing the session after checkout; no Stripe webhook required for entitlements.Incidental (unrelated) build fix
next buildwas already failing onmain(verified on a clean tree) with an error insrc/app/router/route.ts:sessionwas destructured withconstthen reassigned under a@ts-expect-error. Turbopack treats const reassignment as a hard error, so the build was red. Changedconst { session }→let { session }and removed the now-unused@ts-expect-errordirective. This is unrelated to the webhook work but was necessary to get a greenlint/build. Happy to split it out if preferred.Validation
eslint— passestsc --noEmit— passesnext build— passes (with env vars set)Optional follow-up (not required for entitlements)
If app-side Stripe events are ever wanted (owning your own DB records, receipts, dunning, etc.), you could add a real
/stripe-webhookConvex HTTP route and re-introduce the setup step +STRIPE_WEBHOOK_SECRET. Noteconvex/stripe.tsalready contains an unusedverifyStripeWebhookaction that such a handler would use. This is explicitly not required for entitlements and intentionally left out of this PR.Docs: https://workos.com/docs/authkit/add-ons/stripe · https://workos.com/docs/user-management/entitlements
Link to Devin session: https://app.devin.ai/sessions/0b653638165f422a9cb0808ecc0aff04
Requested by: @chaance