Update app.js

app.js

@@ -1,133 +1,134 @@
-// server.js (Bun)
-const rooms = new Map(); // roomId ⇒ Set<ServerWebSocket>
-const VALID_TOKEN = "mysecrettoken";  // ← your hard-coded secret
-
-Bun.serve({
-  port: Number(Bun.env.PORT) || 7860,
-
-  fetch(req, server) {
-    const url = new URL(req.url);
-
-    // Handle CORS preflight
-    if (req.method === "OPTIONS") {
-      return new Response(null, { status: 204, headers: {
-        "Access-Control-Allow-Origin": "*",
-        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-        "Access-Control-Allow-Headers": "Content-Type, Upgrade",
-        "Access-Control-Allow-Credentials": "true",
-      }});
-    }
-
-    // Upgrade to WebSocket if requested
-    if (req.headers.get("upgrade")?.toLowerCase() === "websocket") {
-      // **AUTH CHECK**: require ?token=VALID_TOKEN
-      const clientToken = url.searchParams.get("token");
-      if (clientToken !== VALID_TOKEN) {
-        return new Response("Unauthorized", { status: 401 });
-      }
-
-      // Accept the upgrade with CORS headers on the handshake
-      const upgradeRes = server.upgrade(req, {
-        headers: {
-          "Access-Control-Allow-Origin": "*",
-          "Access-Control-Allow-Credentials": "true",
-        },
-      });
-      return upgradeRes ?? new Response("Upgrade failed", { status: 500 });
-    }
-
-    // … your existing HTML serve code unchanged …
-    if (url.pathname === "/") {
-      return new Response(`<!doctype html>
-<html><head><title>Dubem Realtime Rooms</title><meta charset="utf-8"/></head><body>
-  <h2>Join a Room & Send Messages</h2>
-  <label><input type="checkbox" id="authToggle" checked> Send Auth Token?</label><br/>
-  <input id="room" placeholder="Room ID"/><button onclick="joinRoom()">Join Room</button>
-  <div id="log"></div>
-  <input id="msg" placeholder="Type a message" style="width:80%;"/><button onclick="sendMsg()">Send</button>
-  <script>
-    const VALID_TOKEN = "mysecrettoken"; // must match backend
-    let includeAuth = true; //false;
-    document.getElementById("authToggle").addEventListener("change", e => {
-      includeAuth = e.target.checked;
-      connect(); // reconnect on toggle
-    });
+// paystack-webhook.js
+// Node >= 14, install dependencies:
+// npm install express firebase-admin
+
+const express = require('express');
+const crypto = require('crypto');
+const admin = require('firebase-admin');
+
+const app = express();
+
+// -------------------------------------------------
+// Environment variables (set these in your env/secrets)
+// -------------------------------------------------
+// - FIREBASE_CREDENTIALS: stringified JSON service account
+// - PAYSTACK_SECRET: your Paystack webhook secret
+// - PORT (optional)
+// -------------------------------------------------
 
-    let ws, currentRoom;
-    function connect() {
-      if (ws) ws.close();
-      const scheme = location.protocol === 'https:' ? 'wss' : 'ws';
-      let socketUrl = scheme + '://' + location.host + '/';
-      if (includeAuth) socketUrl += "?token=" + VALID_TOKEN;
-      ws = new WebSocket(socketUrl);
-      ws.onopen    = () => log('🔌 Connected');
-      ws.onmessage = ev => { const m = JSON.parse(ev.data); log('['+m.roomId+'] '+m.message); };
-      ws.onerror   = () => log('⚠️ WebSocket error');
-      ws.onclose   = c => log('❌ Disconnected (code='+c.code+')');
-    }
-    window.addEventListener('load', connect);
-
-    function joinRoom(){
-      const id = document.getElementById('room').value.trim();
-      if(!id) return alert('Enter room ID');
-      ws.send(JSON.stringify({ action:'join', roomId:id }));
-      currentRoom = id;
-      log('➡️ Joined '+id);
-    }
-    function sendMsg(){
-      const t = document.getElementById('msg').value.trim();
-      if(!t) return;
-      if(!currentRoom) return alert('Join a room first');
-      ws.send(JSON.stringify({ action:'post', roomId:currentRoom, message:t }));
-      document.getElementById('msg').value = '';
-    }
-    function log(txt){
-      const e = document.getElementById('log');
-      e.innerHTML += '<div>'+txt+'</div>';
-      e.scrollTop = e.scrollHeight;
-    }
-  </script>
-</body></html>`, {
-        headers: {
-          "Content-Type": "text/html; charset=utf-8",
-          "Access-Control-Allow-Origin": "*",
-        }
-      });
-    }
-
-    return new Response("Not Found", {
-      status: 404,
-      headers: { "Access-Control-Allow-Origin": "*" },
+const {
+  FIREBASE_CREDENTIALS,
+  PAYSTACK_SECRET,
+  PORT = 3000,
+} = process.env;
+
+if (!PAYSTACK_SECRET) {
+  console.warn('WARNING: PAYSTACK_SECRET is not set. Webhook signature verification will fail.');
+}
+
+// Initialize Firebase Admin using credentials read from env
+if (FIREBASE_CREDENTIALS) {
+  try {
+    const serviceAccount = JSON.parse(FIREBASE_CREDENTIALS);
+    admin.initializeApp({
+      credential: admin.credential.cert(serviceAccount),
     });
-  },
-
-  websocket: {
-    message(ws, raw) {
-      let msg;
-      try { msg = JSON.parse(raw); } catch { return; }
-      if (msg.action === "join" && msg.roomId) {
-        for (const set of rooms.values()) set.delete(ws);
-        let set = rooms.get(msg.roomId);
-        if (!set) { set = new Set(); rooms.set(msg.roomId, set); }
-        set.add(ws);
-      }
-      if (msg.action === "post" && msg.roomId && msg.message) {
-        const set = rooms.get(msg.roomId);
-        if (!set) return;
-        const payload = JSON.stringify({
-          roomId:  msg.roomId,
-          message: msg.message,
-          timestamp: Date.now(),
-        });
-        for (const client of set) {
-          if (client.readyState === 1) client.send(payload);
-        }
-      }
-    },
-    close(ws) {
-      for (const set of rooms.values()) set.delete(ws);
-    }
+    console.log('Firebase admin initialized from FIREBASE_CREDENTIALS env var.');
+  } catch (err) {
+    console.error('Failed to parse FIREBASE_CREDENTIALS JSON:', err);
+    process.exit(1);
+  }
+} else {
+  console.warn('FIREBASE_CREDENTIALS not provided. Firebase admin not initialized.');
+}
+
+// Important: use raw body parser to verify Paystack signature.
+// Paystack signs the raw request body (HMAC SHA512) and puts signature in header `x-paystack-signature`
+app.use(
+  express.raw({
+    type: 'application/json',
+    limit: '1mb',
+  })
+);
+
+// Utility: verify x-paystack-signature
+function verifyPaystackSignature(rawBodyBuffer, signatureHeader) {
+  if (!PAYSTACK_SECRET) return false;
+  const hmac = crypto.createHmac('sha512', PAYSTACK_SECRET);
+  hmac.update(rawBodyBuffer);
+  const expected = hmac.digest('hex');
+  // Paystack header is hex string; compare in constant-time
+  return crypto.timingSafeEqual(Buffer.from(expected, 'utf8'), Buffer.from(signatureHeader || '', 'utf8'));
+}
+
+// Helper: safe JSON parse
+function safeParseJSON(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch (err) {
+    return null;
+  }
+}
+
+// Webhook endpoint
+app.post('/webhook/paystack', (req, res) => {
+  const raw = req.body; // Buffer because we used express.raw
+  const signature = req.get('x-paystack-signature') || req.get('X-Paystack-Signature');
+
+  // Verify signature
+  if (!signature || !verifyPaystackSignature(raw, signature)) {
+    console.warn('Paystack webhook signature verification failed. Signature header:', signature);
+    // Respond 400 to indicate invalid signature
+    return res.status(400).json({ ok: false, message: 'Invalid signature' });
   }
+
+  // Parse payload
+  const bodyStr = raw.toString('utf8');
+  const payload = safeParseJSON(bodyStr);
+
+  if (!payload) {
+    console.warn('Could not parse webhook JSON payload.');
+    return res.status(400).json({ ok: false, message: 'Invalid JSON' });
+  }
+
+  // Paystack typically uses an "event" field: e.g. "charge.success", "refund.create", ...
+  const event = (payload.event || payload.type || '').toString();
+
+  // Identify refund events and payment events (first-time or recurring)
+  const isRefund = /refund/i.test(event); // matches refund.* etc.
+  const isChargeSuccess = /charge\.success/i.test(event); // common payment event
+  // add some broad matches for invoice/subscription events that might indicate recurring payments
+  const isInvoiceOrSubscription = /invoice\.(payment_succeeded|paid)|subscription\./i.test(event);
+
+  const isPayment = isChargeSuccess || isInvoiceOrSubscription;
+
+  // Only interested in refunds and payments
+  if (isRefund || isPayment) {
+    console.log('--- PAYSTACK WEBHOOK (INTERESTING EVENT) ---');
+    console.log('event:', event);
+    console.log('payload:', JSON.stringify(payload, null, 2));
+
+    // TODO: add your business logic here:
+    // - update Firestore / user subscription state
+    // - create refund records, notify user, retry flows, etc.
+    // Example (pseudo):
+    // const db = admin.firestore();
+    // await db.collection('paystack-webhooks').add({ receivedAt: admin.firestore.FieldValue.serverTimestamp(), event, payload });
+
+    // If you want to persist the webhook to Firestore for auditing, uncomment above and ensure Firebase is initialized
+  } else {
+    // For debugging, you can log minimal info for non-interesting events
+    console.log(`Received Paystack webhook for event "${event}" — ignored (not refund/payment).`);
+  }
+
+  // Acknowledge the webhook promptly with 200 OK so Paystack stops retrying
+  return res.status(200).json({ ok: true });
 });
 
-console.log("✅ Bun realtime server running on port " + (Bun.env.PORT || 7860));
+// Simple health check
+app.get('/health', (_req, res) => res.json({ ok: true }));
+
+app.listen(PORT, () => {
+  console.log(`Paystack webhook server listening on port ${PORT}`);
+  console.log('POST /webhook/paystack to receive Paystack callbacks');
+});