A tiny, stage-safe checkout demo designed for live keynotes and integration walkthroughs.
It demonstrates how to build a reliable demo environment with deterministic state, replayable webhook events, and production-style webhook guardrails.
Key capabilities include:
- One-click Reset for deterministic demos
- Golden Replay to resend the last webhook event
- Safe/Live toggle for runtime safety
- Webhook signature verification
- Idempotent event handling
- CI tests to prevent regressions
The goal is simple: make demos impossible to break.
The /webhook endpoint now behaves like a production integration:
- Requires HMAC signature in
X-ShowReady-Signature - Requires
event_id - Ignores duplicate
event_idsafely (status: duplicate_ignored)
🎥 Loom walkthrough
https://www.loom.com/share/2bbf6c4d24db47f79bed83fa9c9869f2
💻 Repo
https://github.com/KatrinaFinney/show-ready-checkout
Live demos often fail because:
- APIs retry events
- webhook events replay
- network timing changes
- demo state drifts from rehearsals
This project adds demo guardrails that mirror real production patterns.
| Feature | Purpose |
|---|---|
| Reset | deterministic demo start |
| Replay | recover from missed webhook events |
| Safe Mode | prevent risky real calls |
| Signature verification | ensure webhook authenticity |
| Idempotency | prevent duplicate event processing |
| CI tests | keep demo behavior stable |
Creates an order and simulates:
payment_intent.succeeded
Clears the DB and seeds:
ord_seed (pending)
Also creates a replayable success event.
Replays the most recent webhook event so the demo can recover instantly.
Triggers:
charge.refunded
for the last paid order.
Switch behavior without restarting the server.
The page updates the State panel without reloads.
Signed requests are accepted. Unsigned requests are rejected.
Duplicate events are safely ignored.
Install dependencies:
npm installConfigure environment variables:
cp .env.example .envExample .env:
SAFE_MODE=1
PORT=3000
WEBHOOK_SHARED_SECRET=dev_demo_secret_change_me
Seed local fixtures:
npm run seedStart the server:
npm run devOpen:
http://localhost:3000
Start the server:
npm run startcurl -s -X POST http://localhost:3000/webhook \
-H "Content-Type: application/json" \
-d '{"event_id":"evt_demo_bad","type":"payment_intent.succeeded","data":{"orderId":"ord_seed"}}'
echoExpected response:
{"ok":false,"error":"unauthorized"}
export WEBHOOK_SHARED_SECRET="dev_demo_secret_change_me"
BODY='{"event_id":"evt_demo_1","type":"payment_intent.succeeded","data":{"orderId":"ord_seed"}}'
SIG=$(node -e "const crypto=require('crypto'); const secret=process.env.WEBHOOK_SHARED_SECRET; const body=process.argv[1]; console.log('sha256='+crypto.createHmac('sha256', secret).update(Buffer.from(body)).digest('hex'));" "$BODY")
curl -s -X POST http://localhost:3000/webhook \
-H "Content-Type: application/json" \
-H "X-ShowReady-Signature: $SIG" \
-d "$BODY"
echoExpected response:
{"ok":true,"status":"processed"}
Run the same request again.
Expected response:
{"ok":true,"status":"duplicate_ignored"}
Duplicate events are safely ignored.
Run the test suite:
npm testThe tests verify:
- missing signature → rejected
- invalid signature → rejected
- valid signature → processed
- duplicate events → ignored
GitHub Actions runs automatically on:
- every Pull Request
- every push to
main
Workflow:
npm ci
npm testThis prevents webhook behavior from regressing.
server.js
├── lib/webhookSignature.js
├── lib/idempotencyStore.js
├── fixtures/db.json
└── public/
Responsibilities:
webhookSignature.js→ HMAC signature verificationidempotencyStore.js→ replay protectionfixtures/db.json→ deterministic demo statepublic/→ UI and AJAX updates
Demo state should always be predictable.
Security and replay protection should exist even in demos.
Signatures, idempotency, tests, and CI mirror real integration patterns.
Katrina Finney
Software Engineer / IAM Engineer
GitHub
https://github.com/KatrinaFinney
ISC