Historical bugs resolved

Catalog of significant WooshPayment bugs resolved in the past. Technical transparency for merchants evaluating stability.


TLDR: technical transparency. Below is the list of significant bugs resolved since launch (Q2 2026). For the merchant: none of these are active today. For those evaluating WooshPayment: here's how we handle incidents.

2026-05 — Security hardening sprint + UX consistency fixes

Wave of technical and UX fixes:

Security (14-fix OWASP sprint)

  • Mass-assignment: all Zod bodies marked .strict() to reject non-whitelisted fields
  • Encryption at rest: AES-256-GCM on whopApiKey, Shopify accessToken, wooConsumerSecret
  • Timing-equalized login: bcrypt compare against a dummy hash when the email doesn't exist → no email enumeration
  • Rate limit: 10 logins / 5 registers per IP every 15 min
  • Body limit: 1MB with 413/400/403 error handler in a single middleware
  • CORS apex-of-subdomain: rule recognizing the apex of a verified custom subdomain (e.g. yourstore.com if checkout.yourstore.com is verified)
  • JWT signing: claim reduced to { merchantId, shopDomain }, no extra PII

Whop connection

  • Switch from /api/v2/me to /v5/company: the old endpoint was meant for user tokens; with a Company API key it returned 401. We now use /v5/company, which works with any Company key that has the Owner role. Documented in Setup Whop.

UX consistency

  • Sidebar/Settings sync after OAuth: after Shopify OAuth, the dashboard still showed "Not connected" because the merchant in localStorage was stale. Fixed with refreshMerchant() called on mount of the /dashboard/* segment, which refetches /api/merchant/me and updates the Zustand store.
  • Apex domain → auto-prepend checkout.: the custom domain field now has a fixed visual checkout. prefix; if you paste an apex, the backend converts it to the checkout.X subdomain. See Custom domain.
  • Bank transfer removed from onboarding: feature dropped to simplify setup. Now only Whop + COD as checkout methods.
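The CORS apex-of-subdomain rule from the security sprint and the apex → checkout. rewrite above, as an added example (not WooshPayment's own code). It assumes verified hosts are held in a Set of lowercase hostnames, that checkout origins are https-only, and uses placeholder dev suffixes for the non-production wildcards; hostnames are compared exactly, never by suffix.

```javascript
// Added example, not WooshPayment's code. Assumptions (not from the page):
// verified hosts are a Set of lowercase hostnames, checkout is https-only,
// and the dev-only wildcard suffixes are placeholders.
const CHECKOUT_PREFIX = 'checkout.';

// Apex pasted by the merchant -> checkout.<apex>; an already-prefixed host is kept.
function normalizeCustomDomain(input) {
  let host = String(input).trim().toLowerCase();
  // Tolerate a pasted URL, trailing slash or path.
  host = host.replace(/^https?:\/\//, '').split('/')[0];
  if (!/^[a-z0-9.-]+\.[a-z]{2,}$/.test(host)) {
    throw new Error(`invalid domain: ${input}`);
  }
  return host.startsWith(CHECKOUT_PREFIX) ? host : CHECKOUT_PREFIX + host;
}

// True when `origin` is a verified checkout subdomain itself or its apex.
// Exact hostname comparison: "evil-yourstore.com" never matches "yourstore.com".
// Dev-only wildcards (Vercel previews, ngrok) are honoured only outside production.
function isAllowedOrigin(origin, verifiedHosts, env = 'production') {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== 'https:') return false; // assumption: https-only checkout
  const host = url.hostname.toLowerCase();
  for (const verified of verifiedHosts) {
    if (host === verified) return true;
    if (verified.startsWith(CHECKOUT_PREFIX) &&
        host === verified.slice(CHECKOUT_PREFIX.length)) {
      return true;
    }
  }
  if (env !== 'production') {
    // Placeholder dev suffixes; gated like BUG-H3's NODE_ENV check.
    return host.endsWith('.vercel.app') || host.endsWith('.ngrok.io');
  }
  return false;
}
```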

Old Audit sprint (historical reference — Q2 2026)

Post-launch internal audit. Categories:

Security (CRITICAL — immediate fix)

  • BUG-C1: marketing API keys returned in plaintext from public endpoints → fix: allowlist sanitization, at-rest encryption
  • BUG-C2: XSS via custom_scripts checkout → fix: Zod strict allowlist + 10k char cap
  • BUG-C3: broken GDPR footer links (href="#") → fix: linked to /privacy, /terms, /refund
  • BUG-C4: signup → onboarding skipped email verification → fix: /verify-email-pending polling gate
  • BUG-C5: ExpressCheckoutBlock localizable strings hardcoded → fix: i18n props threading

HIGH (UX / data integrity)

  • BUG-H1: admin JWT in localStorage (XSS-stealable) → fix: httpOnly cookie on .wooshpayment.com
  • BUG-H2: accessToken had a plaintext fallback → fix: nullable + warn log on decryption failure
  • BUG-H3: CORS regex with Vercel preview and ngrok wildcards in prod → fix: gated by NODE_ENV !== production
  • BUG-H4: impersonation token in URL (CSRF/log leak) → fix: ImpersonationToken model + single-use updateMany + JSON body
  • BUG-H5: reset/verify token using cuid (low-entropy) → fix: randomBytes(24).toString('base64url')
  • BUG-H6: Pay button ignored brandColor → fix: .sp-pay-cta CSS class honors it
  • BUG-H7: blank white checkout loading → fix: skeleton animate-pulse
  • BUG-H8: onboarding step "Proceed to launch" clickable without preview → fix: gated by state
  • BUG-H10: API logs emitted full email → fix: redactEmail() helper everywhere
  • BUG-H12 / PERF-1: API region iad1 (us-east) → fix: pinned cdg1 (Paris). p95 1500ms → 180ms

MEDIUM (quality / a11y)

  • 18 various fixes: silent empty catches, non-a11y native confirm() dialog, missing Permissions-Policy for Apple Pay Whop iframe, next/image migration (LCP), empty states with CTA, stepper a11y.

LOW (polish)

  • 44px touch target, WCAG AA contrast, CSS custom sanitization, schema drift between root and apps.

See work/context/bugs-known.md for the full list with line:column references.

2026-04 — Whop duplicate webhooks

Incident: between April 5 and 8, 2026, some orders were marked PAID twice → customer confirmation email sent twice, duplicate Purchase pixel event.

Cause: Whop in rare cases (~0.1%) resends webhooks without a change in idempotencyKey. Our deduplication logic used whopPaymentId + status instead of webhookDeliveryId.

Fix (deploy dpl_K2x...): introduced WebhookDelivery model with a unique index on provider + deliveryId. True idempotency. Manual backfill of the 12 double-fired orders.

Impact: 12 merchants affected, notified by email + €5 credit on the next plan.
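The delivery-id idempotency of the WebhookDelivery fix, as an added example (not WooshPayment's own code). It assumes the unique index on (provider, deliveryId) can be simulated by an in-memory Map, collects the side effects in arrays so a double fire would be visible, and uses constructed sample ids.

```javascript
// Added example, not WooshPayment's code. Assumptions (not from the page):
// the unique index is simulated with a Map; side effects are recorded in
// arrays; all ids below are constructed sample data.
class WebhookDeliveryStore {
  constructor() { this.seen = new Map(); } // "provider:deliveryId" -> first seen
  // Mimics an INSERT guarded by a unique index: false on conflict.
  tryInsert(provider, deliveryId) {
    const key = `${provider}:${deliveryId}`;
    if (this.seen.has(key)) return false;
    this.seen.set(key, Date.now());
    return true;
  }
}

// Handles one Whop webhook. Only the first delivery with a given id runs the
// side effects (mark PAID, confirmation email, Purchase pixel); a resend with
// the same id is ignored before any order state is touched.
function handleWhopWebhook(store, state, delivery) {
  if (!store.tryInsert('whop', delivery.deliveryId)) {
    state.ignoredReplays.push(delivery.deliveryId);
    return 'duplicate';
  }
  const order = state.orders.get(delivery.whopPaymentId);
  if (!order) return 'unknown-order';
  // Status guard: a genuinely new delivery for an already-PAID order is a no-op.
  if (delivery.status === 'PAID' && order.status !== 'PAID') {
    order.status = 'PAID';
    state.emailsSent.push(order.id);
    state.pixelEvents.push(order.id);
  }
  return 'processed';
}

// Replays the incident: a PAID webhook delivered twice with the same id,
// then a new delivery id for the same payment.
function runScenario() {
  const store = new WebhookDeliveryStore();
  const state = { orders: new Map(), emailsSent: [], pixelEvents: [], ignoredReplays: [] };
  state.orders.set('pay_123', { id: 'ord_1', status: 'PROCESSING' });
  const paid = { deliveryId: 'dlv_aaa', whopPaymentId: 'pay_123', status: 'PAID' };
  const results = [
    handleWhopWebhook(store, state, paid),
    handleWhopWebhook(store, state, { ...paid }),                          // Whop resend, same id
    handleWhopWebhook(store, state, { ...paid, deliveryId: 'dlv_bbb' }),  // new id, already PAID
  ];
  return { results, state };
}
```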

2026-04 — Apple Pay didn't open on iOS 17.4+

Incident: iPhone users on iOS 17.4 saw the Apple Pay button grayed out.

Cause: iOS 17.4 changed the default Permissions-Policy → it requires the explicit Permissions-Policy: payment=(self "https://whop.com") header on the embedding page.

Fix (BUG-M5): added the header in apps/web/next.config.js:33. Deployed 24h after the report.

Impact: ~40% of iOS users saw Apple Pay broken in those 3 days → fell back to manually typing the card. iOS mobile conversion dropped 15% temporarily. Recovered post-fix.

2026-03 — RESEND_API_KEY missing in prod

Incident: for 6 hours transactional emails were not sent. Customers didn't receive order confirmations.

Cause: during initial env variables setup, RESEND_API_KEY had not been added on the Vercel API project.

Fix: configured via the Resend Auto-Configure API directly, bypassing the GoDaddy UI that was blocking due to a wildcard CNAME conflict. See work/context/bugs-known.md for details.

Impact: ~30 orders without confirmation email in that window. Manual resend done for all of them.

2026-02 — Wrong Whop volume fee ($10 vs $15.99)

Incident: some customers paid $10 instead of $15.99 at checkout for a test access pass.

Cause: Whop sandbox vs prod product ID mismatch. The test Whop product had a $10 price quote.

Fix: pre-checkout validation that cross-references merchant.whopProductId with the real Whop catalog; checkout is refused on mismatch. See changelog 2026-02.

Impact: ~5 mispriced orders. Resolved with a consensual supplementary charge (5/5 customers OK).

2026-02 — Whop webhook delays/missing

Ongoing issue: Whop webhook delivery is best-effort. We see delays of minutes, and 0.5-1% of volume never arrives.

Mitigation (always active):

  • /refresh-status endpoint polls the Whop API directly when the return page detects a stale PROCESSING
  • Admin panel "Verify payment" forces a manual backfill
  • Return page polls every 3s for 45s post-redirect

Proposed real fix: delivery monitoring + auto-replay via Whop "resend webhook" API. Q3 roadmap.

Transparency history

Full post-mortems: write to noreply@wooshpayment.com with subject [POSTMORTEM] + incident date. We send a detailed PDF.

How we handle bugs

  1. Severity SLA:

    • CRITICAL (data loss, security) → fix within 4h
    • HIGH (broken core feature) → fix within 24h
    • MEDIUM (partial bug or workaround) → fix within 7d
    • LOW (polish) → next sprint
  2. Communication:

    • CRITICAL → email to all merchants + dashboard banner
    • HIGH → email to affected merchants
    • MEDIUM/LOW → monthly changelog
  3. Compensation:

    • Did the bug cause order losses? → proportional credit on the next plan
    • Did the bug cause a data leak? → GDPR notification + compliance support