Stripe calls edge-function safely?
I’m using Supabase and Stripe, and I’d like to understand if the way I’ve implemented my payment flow is secure, or if there is a better pattern.
I’ve created a Supabase Edge Function that is called by Stripe via a webhook. When Stripe calls the Edge Function, the function:
1)Verifies that the request really comes from Stripe.
2)If the verification passes, it uses the "supabase service role key" to update the database and bypass RLS, so that the reservation status is always updated after the payment is confirmed.
In more detail:
Stripe is verified through authenticated API calls using the stripe secret key (and/or the webhook secret).
The database updates use the "supabase service role key" so the function can bypass Row Level Security and modify the reservation record, even if the user is not logged in.
Is this approach secure?
Are there recommended best practices or alternative ways to implement this flow with Supabase + Stripe? I would like something that doesn't bypass the RLS
I’ve created a Supabase Edge Function that is called by Stripe via a webhook. When Stripe calls the Edge Function, the function:
1)Verifies that the request really comes from Stripe.
2)If the verification passes, it uses the "supabase service role key" to update the database and bypass RLS, so that the reservation status is always updated after the payment is confirmed.
In more detail:
Stripe is verified through authenticated API calls using the stripe secret key (and/or the webhook secret).
The database updates use the "supabase service role key" so the function can bypass Row Level Security and modify the reservation record, even if the user is not logged in.
Is this approach secure?
Are there recommended best practices or alternative ways to implement this flow with Supabase + Stripe? I would like something that doesn't bypass the RLS
