Fix Phase 17 code review issues#244

Merged
menvil merged 1 commit into develop from fix/phase17-review on Jun 2, 2026

Conversation

@menvil

@menvil menvil commented Jun 2, 2026


Summary

Fixes three issues identified in Phase 17 code review.

P0 — Missing CreditAccount::lockForUpdate() in CreditPackWebhookHandler

Root cause: Concurrent Stripe webhook retries for the same checkout session can both pass the alreadyGrantedForCheckoutSession() check before either transaction commits, resulting in double-grant.

Fix: Acquired a row-level lock on the credit_accounts row inside DB::transaction() before the idempotency check — identical to the pattern in SubscriptionWebhookHandler::handleInvoicePaid().

P0 — Stripe webhook not excluded from CSRF protection

Root cause: Laravel's CSRF middleware guards all POST routes. Stripe delivers webhooks without session cookies or CSRF tokens, so every production webhook would be rejected with HTTP 419.

Fix: Added stripe/webhook to the CSRF exception list in bootstrap/app.php using Laravel 11's validateCsrfTokens(except: [...]). Added a test that sends a POST without cookies/session and asserts status ≠ 419.

P2 — Buy Credits CTA linked to dashboard

Root cause: /billing (Phase 18) didn't exist at the time, so the route fell back to dashboard.

Fix: Changed href to /billing — the correct semantic destination that Phase 18 will implement. Removed route('dashboard') hardcoding.

Test plan

  • CashierWebhookRouteTest — new test verifies webhook accepts sessionless POST (no 419)
  • composer test passes (487 tests)
  • composer lint passes

🤖 Generated with Claude Code


Summary by cubic

Fixes three Phase 17 review issues: prevents double credit grants on concurrent Stripe webhooks, allows Stripe webhooks through CSRF, and updates the Buy Credits CTA to point to /billing.

  • Bug Fixes
    • Prevent double-grant in CreditPackWebhookHandler by locking the credit_accounts row with lockForUpdate() before the idempotency check.
    • Exempt stripe/webhook from CSRF in bootstrap/app.php so Stripe requests aren’t rejected; added a test to assert the endpoint doesn’t return 419.
    • Update Buy Credits CTA href to /billing (instead of dashboard) for the correct destination.

Written for commit 11c6945. Summary will update on new commits.


- Add CreditAccount::lockForUpdate() before idempotency check in
  CreditPackWebhookHandler to prevent double-grant on concurrent
  Stripe webhook retries (same pattern as SubscriptionWebhookHandler)
- Exclude stripe/webhook route from CSRF protection so Stripe can
  deliver webhooks without a session token in production
- Point Buy Credits CTA to /billing instead of dashboard

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
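The P0 double-grant race and its fix, written out as an added illustration that is not the project's code: the handler, model and column names (CreditPackWebhookHandler is from the PR, but CreditGrant, user_id, balance, checkout_session_id and the method signatures are assumed) stand in for whatever the real code base uses.

```php
<?php
// Added illustration of the lockForUpdate() fix described in the PR.
// All class, column and method names here are assumptions, not the project's.

use Illuminate\Support\Facades\DB;

final class CreditPackWebhookHandler
{
    // BEFORE: two concurrent retries of the same checkout.session.completed
    // event can both run the idempotency check before either commits, so
    // both see "not granted yet" and both grant the credits.
    public function handleUnsafe(string $sessionId, int $userId, int $credits): void
    {
        DB::transaction(function () use ($sessionId, $userId, $credits): void {
            if ($this->alreadyGrantedForCheckoutSession($sessionId)) {
                return; // nothing serialises the two readers, so this check can pass twice
            }
            CreditAccount::where('user_id', $userId)->increment('balance', $credits);
            CreditGrant::create(['user_id' => $userId, 'checkout_session_id' => $sessionId, 'credits' => $credits]);
        });
    }

    // AFTER: lock the credit_accounts row first. The second retry blocks on
    // SELECT ... FOR UPDATE until the first transaction commits; its
    // idempotency check then runs against the committed grant and returns.
    // The lock must come BEFORE the check: on MySQL REPEATABLE READ the
    // snapshot is fixed by the first non-locking read, so a check done
    // before the lock would keep seeing the pre-commit state.
    public function handle(string $sessionId, int $userId, int $credits): void
    {
        DB::transaction(function () use ($sessionId, $userId, $credits): void {
            $account = CreditAccount::where('user_id', $userId)
                ->lockForUpdate()
                ->firstOrFail();

            if ($this->alreadyGrantedForCheckoutSession($sessionId)) {
                return; // duplicate delivery: first retry already granted
            }

            $account->increment('balance', $credits);
            CreditGrant::create(['user_id' => $userId, 'checkout_session_id' => $sessionId, 'credits' => $credits]);
        });
    }

    private function alreadyGrantedForCheckoutSession(string $sessionId): bool
    {
        return CreditGrant::where('checkout_session_id', $sessionId)->exists();
    }
}
```

A unique index on the grant table's checkout_session_id column makes a good second line of defence: if the lock is ever bypassed, the duplicate insert fails instead of double-crediting.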
@coderabbitai

coderabbitai Bot commented Jun 2, 2026


Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)
  • release

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@menvil menvil merged commit 6f494a8 into develop Jun 2, 2026
1 check was pending
@menvil menvil deleted the fix/phase17-review branch June 2, 2026 18:38