stripe-rails 1.8.2 → 1.9.0

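--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 5c3458e73514e9d287513ab9ff1192ccc37f7eed53681d407027f8a828c4e629
- data.tar.gz: 3cf53318d3cc31fac81c7d4ea4e5d981138eb1a0266dcc4a261fd8a49ddb014b
+ metadata.gz: 9c6add3569f0d6ebce78539fea9a2f3bc5364779be1a2984f6fc3287ffa40ff7
+ data.tar.gz: ac4a7af14e8eaafcf73ab20143886e5d9ed7492175aaba925e70cc10d0e5f527
  SHA512:
- metadata.gz: c4283ef2ffddcddda494634e58cdda112f26dc82fc14428eaa8130e4d94b138862cdf6b8aa04886ad3291dd67788d75780420f4e00847845a59a1016d4ac7c4f
- data.tar.gz: 2ea2f1dc27ab45a92e4ba49b67430bb1b0b51a3379e192740ec4bc9eb7bb068004c9b9d213937727cc95718328e4c9786611969d515e5e9db5b3fa306c2698ed
+ metadata.gz: 0c9d7181d6a2ba947af2aa102b40d7547ebc3339cea5adcbf71699e16b49734dacf471f3a0b590da0fd013f645ea51c2d3a943d019395c5d91c22a986ba81287
+ data.tar.gz: 96ca6a73ea1d133cc9023a125dd658ad1258b4af030bb2478304bc442dd80527f23817825f483348e30eaac08421d6bef96e7f81515acc8284113565786208bc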
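--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -1,3 +1,7 @@
+ ## 1.9.0 (2019-09-01)
+
+ - Adds support for multiple signing secrets. Thanks again @jacobcsmith !
+
  ## 1.8.2 (2019-08-31)
 
  - adds missing callbacks for `payment_intent`, `payment_method` and `setup_intent`. Thanks @jacobcsmith !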
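--- a/data/README.md
+++ b/data/README.md
@@ -310,29 +310,32 @@ Your new webhook URL would then be `http://myproductionapp/payment/stripe-integr
  ### Signed Webhooks
 
  Validation of your webhook's signature uses your webhook endpoint signing secret.
- Before you can verify signatures, you need to retrieve your endpoint’s secret your
+ Before you can verify signatures, you need to retrieve your endpoint’s secret from your
  Stripe Dashboard. Select an endpoint for which you want to obtain
  the secret, then select the Click to reveal button.
 
  ```ruby
  # config/application.rb
  # ...
- config.stripe.signing_secret = 'whsec_XXXYYYZZZ'
+ config.stripe.signing_secrets = ['whsec_XXXYYYZZZ']
  ```
 
- Each secret is unique to the endpoint to which it corresponds. If you use multiple endpoints,
+ Each secret is unique to the endpoint to which it corresponds. If you use multiple endpoint,
  you must obtain a secret for each one. After this setup, Stripe starts to sign each webhook
- it sends to the endpoint. Because of this, we recommend setting this variable with an environment
- variable:
+ it sends to the endpoint. Because of this, we recommend setting this variable with environment
+ variables:
 
  ```sh
  export STRIPE_SIGNING_SECRET=whsec_XXXYYYZZZ
+ export STRIPE_CONNECT_SIGNING_SECRET=whsec_AAABBBCCC
  ```
 
  ```ruby
- config.stripe.signing_secret = ENV.fetch('STRIPE_SIGNING_SECRET')
+ config.stripe.signing_secrets = [ENV.fetch('STRIPE_SIGNING_SECRET'), ENV.fetch('STRIPE_CONNECT_SIGNING_SECRET')]
  ```
 
+ The first secret that successfully matches for each incoming webhook will be used to verify the incoming events.
+
  #### Testing Signed Webhooks Locally
 
  In order to test signed webhooks, you'll need to trigger test webhooks from your Stripe dashboard,
@@ -351,7 +354,7 @@ as documented above:
  ```ruby
  # config/application.rb
  # ...
- config.stripe.signing_secret = 'whsec_XXXYYYZZZ'
+ config.stripe.signing_secrets = ['whsec_XXXYYYZZZ']
  ```
 
  And you'll need to restart your rails server with: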
@@ -11,15 +11,27 @@ module Stripe
11
11
  id = request['id']
12
12
  body = request.body.read
13
13
  sig_header = request.headers['HTTP_STRIPE_SIGNATURE']
14
- endpoint_secret = ::Rails.application.config.stripe.signing_secret
14
+ endpoint_secrets = ::Rails.application.config.stripe.signing_secrets
15
15
 
16
- if Object.const_defined?('Stripe::Webhook') && sig_header && endpoint_secret
17
- event = ::Stripe::Webhook.construct_event(body, sig_header, endpoint_secret)
16
+ if Object.const_defined?('Stripe::Webhook') && sig_header && endpoint_secrets
17
+ event = webhook_event(body, sig_header, endpoint_secrets)
18
18
  else
19
19
  event = Stripe::Event.retrieve(id)
20
20
  end
21
21
 
22
22
  yield event
23
23
  end
24
+
25
+ private
26
+
27
+ def webhook_event(body, sig_header, endpoint_secrets)
28
+ endpoint_secrets.each_with_index do |secret, i|
29
+ begin
30
+ return ::Stripe::Webhook.construct_event(body, sig_header, secret.to_s)
31
+ rescue ::Stripe::SignatureVerificationError
32
+ raise if i == endpoint_secrets.length - 1
33
+ end
34
+ end
35
+ end
24
36
  end
25
37
  end
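Review bot: `webhook_event` coerces every entry with `secret.to_s`, so a `nil` or blank entry in `signing_secrets` reaches `construct_event` as an empty-string secret instead of being rejected, which weakens the signature check for that slot. An empty list is mishandled too: `[]` is truthy, so the `&& endpoint_secrets` guard passes, `each_with_index` returns the array itself, and `yield event` receives `[]` rather than falling back to `Stripe::Event.retrieve(id)`; the compatibility setter in engine.rb produces exactly that list via `Array(nil)` when `signing_secret` is assigned `nil`. Consider normalising before the branch, e.g. `secrets = Array(endpoint_secrets).map(&:to_s).reject(&:empty?)`, guarding on `secrets.any?` and iterating over `secrets`. The enclosing method starts above this hunk, so how a raised `SignatureVerificationError` becomes a response is not visible here.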
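--- a/data/lib/stripe/engine.rb
+++ b/data/lib/stripe/engine.rb
@@ -8,7 +8,16 @@ module Stripe
  attr_accessor :testing
  end
 
- stripe_config = config.stripe = Struct.new(:api_base, :api_version, :secret_key, :verify_ssl_certs, :signing_secret, :publishable_key, :endpoint, :debug_js, :auto_mount, :eager_load, :open_timeout, :read_timeout).new
+ stripe_config = config.stripe = Struct.new(:api_base, :api_version, :secret_key, :verify_ssl_certs, :signing_secret, :signing_secrets, :publishable_key, :endpoint, :debug_js, :auto_mount, :eager_load, :open_timeout, :read_timeout) do
+ # for backwards compatibility treat signing_secret as an alias for signing_secrets
+ def signing_secret=(value)
+ self.signing_secrets = Array(value)
+ end
+
+ def signing_secret
+ self.signing_secrets && self.signing_secrets.first
+ end
+ end.new
 
  def stripe_config.api_key=(key)
  warn "[DEPRECATION] to align with stripe nomenclature, stripe.api_key has been renamed to config.stripe.secret_key"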
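Review bot: `:signing_secret` is still declared as a Struct member while its reader and writer are overridden in the block, so the member slot itself is never written; index-style or bulk access such as `config.stripe[:signing_secret]` or `to_h` reads that unused slot and bypasses the alias. If nothing depends on the member, dropping `:signing_secret` from the `Struct.new` list and keeping only the two methods would remove the ambiguity, though that shifts positional member order, so confirm no caller relies on it. The reader could be written as `signing_secrets&.first` if the supported Ruby versions allow it. The setter would benefit from a comment such as `# Array(nil) => [], so assigning nil leaves an empty (truthy) list`, since callers that test the list for truthiness will not see it as unset.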
@@ -1,5 +1,5 @@
1
1
  module Stripe
2
2
  module Rails
3
- VERSION = '1.8.2'.freeze
3
+ VERSION = '1.9.0'.freeze
4
4
  end
5
5
  end
@@ -58,4 +58,36 @@ describe Stripe::EventsController do
58
58
  subject.must_be :ok?
59
59
  end
60
60
  end
61
+
62
+ describe 'multiple signed webhooks' do
63
+ before do
64
+ header 'Stripe-Signature', 't=1537832721,v1=123,v0=123'
65
+ app.config.stripe.signing_secrets = ['SECRET1', 'SECRET2']
66
+ end
67
+
68
+ after { app.config.stripe.signing_secrets = nil }
69
+
70
+ let(:params) {
71
+ {
72
+ id: 'evt_00000000000001',
73
+ type: 'customer.updated',
74
+ data: {
75
+ object: 'customer',
76
+ fingerprint: 'xxxyyyzzz'
77
+ },
78
+ }
79
+ }
80
+
81
+ subject { post '/stripe/events', params.to_json }
82
+
83
+ it 'returns bad_request when invalid' do
84
+ Stripe::Webhook.expects(:construct_event).twice.raises(Stripe::SignatureVerificationError.new('msg', 'sig_header'))
85
+ subject.must_be :bad_request?
86
+ end
87
+
88
+ it 'returns ok when valid' do
89
+ Stripe::Webhook.expects(:construct_event).returns(Stripe::Event.construct_from(params))
90
+ subject.must_be :ok?
91
+ end
92
+ end
61
93
  end
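Review bot: The new `describe 'multiple signed webhooks'` block covers every secret failing and the first secret succeeding, but not the path the feature exists for: the first secret raising `SignatureVerificationError` and the second one verifying. A third example using `Stripe::Webhook.expects(:construct_event).twice.raises(Stripe::SignatureVerificationError.new('msg', 'sig_header')).then.returns(Stripe::Event.construct_from(params))` followed by `subject.must_be :ok?` would pin the fallback. Constraining the arguments as well, for instance `.with(anything, anything, 'SECRET2')` on the succeeding call, would catch a regression that retries the same secret instead of advancing through the list.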
@@ -40,7 +40,7 @@ describe "Configuring the stripe engine" do
40
40
  app.config.stripe.open_timeout = 33
41
41
  app.config.stripe.read_timeout = 88
42
42
  rerun_initializers!
43
- end
43
+ end
44
44
 
45
45
  it "reads values that is set in the environment" do
46
46
  subject
@@ -52,8 +52,20 @@ describe "Configuring the stripe engine" do
52
52
  Stripe.open_timeout.must_equal 33
53
53
  Stripe.read_timeout.must_equal 88
54
54
 
55
- app.config.stripe.signing_secret.must_equal 'SIGNING_SECRET_XYZ'
55
+ app.config.stripe.signing_secret.must_equal 'SIGNING_SECRET_XYZ'
56
+ app.config.stripe.signing_secrets.length.must_equal 1
57
+ end
58
+
59
+ it "supports multiple signing secrets" do
60
+ subject
61
+
62
+ app.config.stripe.signing_secrets = ['SIGNING_SECRET_XYZ', 'SIGNING_SECRET_XYZ_CONNECT']
63
+ rerun_initializers!
64
+
65
+ app.config.stripe.signing_secret.must_equal 'SIGNING_SECRET_XYZ'
66
+ app.config.stripe.signing_secrets.length.must_equal 2
56
67
  end
68
+
57
69
  end
58
70
 
59
71
  describe 'eager loaded callbacks' do
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: stripe-rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.8.2
4
+ version: 1.9.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Charles Lowell
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2019-08-31 00:00:00.000000000 Z
13
+ date: 2019-09-01 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: rails