Firestore database rules blocking stripe webhook updates #372

Open
camunity opened this issue Apr 10, 2022 · 4 comments
@camunity

Bug report

  • Extension name: [e.g. firestore-stripe-payments]

Describe the bug

I am using Stripe to allow users to pay for a subscription service in my React app. I am using the Firebase Stripe extension to write updates to my customers collection. I have set up stripe.js on the server side of my application following the best practices in the docs, and everything seems to be working well with passing data between the client and the server, but my issue is that the Firebase collection for customers isn't updating with the subscription status.

[Screenshot]

I'm using the Stripe CLI to monitor webhooks and confirmed that the customer.subscription.updated event is being called and passing back data confirming that the customer has successfully subscribed, but the Firestore collection isn't updating as per the handleWebhookEvents and manageSubscriptionStatusChange functions inside of the extension source code.

The handleWebhookEvents function is throwing errors in the Firestore logs that say that the customer cannot be found:
[Screenshot: Firestore Stripe Extension handleWebhooks logs]

My datastore rules are set to the default:
[Screenshot: Firestore Security Rules]

I believe the issue is that the rules for the customers collection require a user to only edit their own document, which makes complete sense, but in the source code the handleWebhookEvents function uses this syntax to identify the user's document:

[Screenshot]

Expected behavior

I would expect the customer to be returned and the collection to update with the subscription data from the webhook:
[Screenshot]

System information

  • OS: macOS
  • Browser: Brave

Additional context

I thought that the issue may have been that, given how the function in manageSubscriptionStatusChange is written, it needs access to read every customer document for the where query to work.

    const customersSnap = await admin
        .firestore()
        .collection(config_1.default.customersCollectionPath)
        .where('stripeId', '==', customerId)
        .get();
    if (customersSnap.size !== 1) {
        throw new Error('User not found!');
    }

I changed my datastore rules to allow read access to every customer object and it is still failing. I wonder if the function were written more like

    const customersSnap = await admin
        .firestore()
        .collection(`config_1.default.customersCollectionPath/${stripeId}`)
        .get();
    if (customersSnap.size !== 1) {
        throw new Error('User not found!');
    }

where the path directly looks for the customer/uid path, whether it would support the match clause in the security rules. I'm all outta ideas now that I've tried changing the security rules though.

@jsteele-stripe
Contributor

@camunity Is your customersCollectionPath configuration set to the correct value?

@TheRedSpy15

I'm having the same exact issue.

However, I did notice your Firestore rule for /customers/ doesn't have write permission allowed.

Mine is set to allow read, write and I'm still having the issue,

but I have seen a lot of other people are also adding the write permission and it seems related, so maybe it'll work in your case.

I have a suspicion my problem is also caused by the Firestore rules, which I copied from the "How this extension works" page.

@jsteele-stripe
Contributor

@TheRedSpy15 What issue(s) are you encountering?

@TheRedSpy15

I thankfully managed to address my issue a few hours after my previous comment. Ended up being a mistake on my end: creating test purchases directly through Stripe without going through my web app.

@camunity did you ever get your issue solved? I'm nearly 100% convinced the issue will be solved by using

    match /customers/{uid} {
      allow read, write: if request.auth.uid == uid;
    }
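
The `where('stripeId', '==', customerId)` lookup quoted in the issue throws 'User not found!' unless exactly one customer document carries the event's Stripe customer ID, and because it runs through `admin.firestore()` (the Admin SDK, which is not subject to security rules) the outcome depends on the documents rather than on the `match /customers/{uid}` rule. The following is an added example, not part of the thread or the extension's code: it models that check in memory over constructed documents and events, and `diagnoseLookup`, `diagnoseEvents` and every sample ID are hypothetical.

```javascript
// Added example: in-memory model of the extension's stripeId lookup.
// All documents, events and IDs below are constructed sample data.

// Mirrors .where('stripeId', '==', customerId) plus the `size !== 1` check,
// but reports why the lookup would fail instead of throwing.
function diagnoseLookup(customerDocs, stripeCustomerId) {
  const uids = customerDocs
    .filter((doc) => doc.data.stripeId === stripeCustomerId)
    .map((doc) => doc.id);
  if (uids.length === 1) return { status: 'ok', uids };
  // Zero matches: the Stripe customer has no document written by the app flow.
  if (uids.length === 0) return { status: 'not_found', uids };
  // Several matches: the same Stripe customer is linked to more than one user.
  return { status: 'duplicate', uids };
}

// Applies the lookup to each subscription webhook event. On a subscription
// object, `data.object.customer` holds the Stripe customer ID.
function diagnoseEvents(customerDocs, events) {
  return events
    .filter((evt) => evt.type.startsWith('customer.subscription.'))
    .map((evt) => {
      const customer = evt.data.object.customer;
      return { eventId: evt.id, customer, ...diagnoseLookup(customerDocs, customer) };
    });
}

// Constructed contents of the customers collection.
const sampleDocs = [
  { id: 'uidAlice', data: { email: 'alice@example.com', stripeId: 'cus_TEST_alice' } },
  { id: 'uidBob', data: { email: 'bob@example.com' } }, // never started a checkout
  { id: 'uidCarol1', data: { stripeId: 'cus_TEST_carol' } },
  { id: 'uidCarol2', data: { stripeId: 'cus_TEST_carol' } },
];

// Constructed webhook events; cus_TEST_dashboard stands for a customer
// created directly in Stripe, without going through the web app.
const sampleEvents = [
  { id: 'evt_1', type: 'customer.subscription.updated', data: { object: { customer: 'cus_TEST_alice' } } },
  { id: 'evt_2', type: 'customer.subscription.updated', data: { object: { customer: 'cus_TEST_dashboard' } } },
  { id: 'evt_3', type: 'customer.subscription.created', data: { object: { customer: 'cus_TEST_carol' } } },
  { id: 'evt_4', type: 'invoice.paid', data: { object: { customer: 'cus_TEST_alice' } } },
];

for (const row of diagnoseEvents(sampleDocs, sampleEvents)) {
  console.log(`${row.eventId} ${row.customer}: ${row.status} [${row.uids.join(', ')}]`);
}
```
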
