fix: trustProxy for webhook IP validation, filter expired payments, remove dead code

server/src/index.js

@@ -39,6 +39,7 @@ const origin = (process.env.CORS_ORIGIN ?? '')
 const fastify = Fastify({
   logger: true,
   bodyLimit: getMaxUploadBodyBytes(),
+  trustProxy: true,
 })
 
 await fastify.register(cors, {

server/src/routes/user-payments.js

@@ -36,7 +36,11 @@ export async function registerUserPaymentRoutes(fastify) {
     }
 
     const existingPayment = await prisma.payment.findFirst({
-      where: { orderId: id, status: { in: ['pending', 'waiting_for_capture'] } },
+      where: {
+        orderId: id,
+        status: { in: ['pending', 'waiting_for_capture'] },
+        OR: [{ expiresAt: null }, { expiresAt: { gt: new Date() } }],
+      },
       orderBy: { createdAt: 'desc' },
     })
 
@@ -56,7 +60,7 @@ export async function registerUserPaymentRoutes(fastify) {
     const receipt = buildReceipt({
       orderItems: order.items,
       deliveryFeeCents: order.deliveryFeeCents,
-      userEmail: userEmail || 'noemail@example.com',
+        userEmail: userEmail,
     })
 
     let result