Endpoint: POST /checkout/webhooks/stripe (CSRF-exempt; signature-verified)
Handles 5 Stripe events:
- checkout.session.completed -> create Subscription, activate user
- customer.subscription.updated -> sync status + current_period_end
- customer.subscription.deleted -> mark canceled
- invoice.payment_succeeded -> recover from past_due if applicable
- invoice.payment_failed -> mark past_due
Idempotency via WebhookEvent table (Stripe ID dedup) and Subscription
unique constraint on stripe_subscription_id (defends against duplicate
deliveries with distinct event IDs).
User resolution prefers stripe_customer_id (server-set, anti-tamper)
over event metadata.dictia_user_id over customer_email (per B-2.7
review note).
New tables created via db.create_all():
- subscription (FK user.id ondelete=SET NULL for Loi 25 art. 28.1)
- webhook_event (idempotency ledger)
CSRF exemption wired via src/billing/exempt_webhook_csrf(csrf) called
from src/app.py after billing_bp registration.
Tests: 17/17 pass via tests/_run_stripe_webhook_windows.py.
Existing 25 B-2.7 + 21 TOTP + 22 WebAuthn + 21 OAuth + 16 email tests
unaffected.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
