From ebdeb74094951fd3277d2aab8143549351a192d2 Mon Sep 17 00:00:00 2001
From: DocFast Bot <openclawd@docfast.dev>
Date: Sun, 15 Feb 2026 10:44:09 +0000
Subject: [PATCH] BUG-037: Filter webhook by product_id prod_TygeG8tQPtEAdE

Shared Stripe account - only process checkout events for DocFast product.
Retrieves session with expanded line_items to check product ID.
---
 src/routes/billing.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/routes/billing.ts b/src/routes/billing.ts
index 3618528..b163d77 100644
--- a/src/routes/billing.ts
+++ b/src/routes/billing.ts
@@ -120,6 +120,27 @@ router.post("/webhook", async (req: Request, res: Response) => {
       const customerId = session.customer as string;
       const email = session.customer_details?.email;
 
+      // Filter by product — this Stripe account is shared with other projects
+      const DOCFAST_PRODUCT_ID = "prod_TygeG8tQPtEAdE";
+      try {
+        const fullSession = await getStripe().checkout.sessions.retrieve(session.id, {
+          expand: ["line_items"],
+        });
+        const lineItems = fullSession.line_items?.data || [];
+        const hasDocfastProduct = lineItems.some((item) => {
+          const price = item.price as Stripe.Price | null;
+          const productId = typeof price?.product === "string" ? price.product : (price?.product as Stripe.Product)?.id;
+          return productId === DOCFAST_PRODUCT_ID;
+        });
+        if (!hasDocfastProduct) {
+          console.log(`Ignoring event for different product (session: ${session.id})`);
+          break;
+        }
+      } catch (err: any) {
+        console.error(`Failed to retrieve session line_items: ${err.message}, skipping`);
+        break;
+      }
+
       if (!customerId || !email) {
         console.warn("checkout.session.completed: missing customerId or email, skipping key provisioning");
         break;