From 41539014ad173b656ec6a82e44dce975c751e987 Mon Sep 17 00:00:00 2001 From: Rohil Surana Date: Thu, 30 Apr 2026 13:48:28 +0530 Subject: [PATCH] fix: webhook secret rotation rejects valid events when first secret fails The webhook verification loop collects errors from each secret attempt. When multiple secrets are configured for rotation, if the first secret fails but a later one succeeds, the error check `len(parseErrs) > 0` incorrectly returns an error despite successful verification. Change condition to only fail when all secrets have been exhausted. --- core/event/service.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/event/service.go b/core/event/service.go index 7e98204c6..ec26389c1 100644 --- a/core/event/service.go +++ b/core/event/service.go @@ -210,7 +210,7 @@ func (p *Service) BillingWebhook(ctx context.Context, payload ProviderWebhookEve } break } - if len(parseErrs) > 0 { + if len(parseErrs) == len(p.billingConf.StripeWebhookSecrets) { return fmt.Errorf("failed to construct event: %w", errors.Join(parseErrs...)) } ctx = context.WithoutCancel(ctx)