stripe-rails 1.4.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc77c2742f14d5d7042f2a3ed06af604144c2d956e0fd5a627f45c01e82a9461
-  data.tar.gz: 570149b8d68d0429d5257e45099739ba9da0c52fe1c5432251207e98edc2f9e8
+  metadata.gz: 8fbadf81c0f8478feeffda1a46ed1b29b7fd5771eec9fbec5f2a8cd0684a051f
+  data.tar.gz: baa6413f94ecc16b4ac4ba192e29dc7ef3c5742de759ed1e22397a13e71b764e
 SHA512:
-  metadata.gz: f5eb46629a7af4564ce45f3bb4f219f93413c88bc46773b2546fb8032d40441c164d62ac207e868ac2efb46622df0cb1a1256e6b9915bd9cfd3675e6d88d8a1b
-  data.tar.gz: f865412f3696550203443d037b26fb8472a818049014622b67391b7565c0fe97116391129378734cf7e422c110b0c8a740d1c75e913cf229b203a3315e6647c0
+  metadata.gz: ca51fc8a16bac65cd5ecda5d92130ecf18e83870cacc3c422952846d61359f89ecb877151b4ff9ea93c0e1b25746dd9efe6f86d6790a363de0ede13e6727a9c3
+  data.tar.gz: 7b380bb3b762c6acc39de20b4d0187c15623dc3141adda0bed62d0017a533ccbb546ba4352682d903dae04bf567f504f0a8eb27487b3ab2327d21f1fe973cb41

data/Changelog.md

@@ -1,3 +1,8 @@
+## 1.5.0 (2018-09-27)
+
+* Add Webhook Signature Validation - Thanks to @wkirby
+* Include nickname in the payload for plans - Thanks to @jeanmartin
+
 ## 1.4.2 (2018-08-06)
 
 * New attributes for Stripe Billing Plans.

data/README.md

@@ -212,6 +212,61 @@ config.stripe.endpoint = '/payment/stripe-integration'
 
 Your new webhook URL would then be `http://myproductionapp/payment/stripe-integration/events`
 
+### Signed Webhooks
+
+Validation of your webhook's signature uses your webhook endpoint signing secret.
+Before you can verify signatures, you need to retrieve your endpoint’s secret your
+Stripe Dashboard. Select an endpoint for which you want to obtain
+the secret, then select the Click to reveal button.
+
+```ruby
+# config/application.rb
+# ...
+config.stripe.signing_secret = 'whsec_XXXYYYZZZ'
+```
+
+Each secret is unique to the endpoint to which it corresponds. If you use multiple endpoints,
+you must obtain a secret for each one. After this setup, Stripe starts to sign each webhook
+it sends to the endpoint. Because of this, we recommend setting this variable with an environment
+variable:
+
+```sh
+export STRIPE_SIGNING_SECRET=whsec_XXXYYYZZZ
+```
+
+```ruby
+config.stripe.signing_secret = ENV.fetch('STRIPE_SIGNING_SECRET')
+```
+
+#### Testing Signed Webhooks Locally
+
+In order to test signed webhooks, you'll need to trigger test webhooks from your Stripe dashboard,
+and configure your local environment to receive remote network requests. To do so, we recommend using
+[ngrok](https://ngrok.com/) to configure a secure tunnel to `localhost`.
+
+Once configured and running, `ngrok` will give you a unique URL which can be used to set up a webhook
+endpoint. Webhook endpoints are configured in your Dashboard's [Webhook settings](https://dashboard.stripe.com/account/webhooks)
+section. Make sure you are in **Test** mode and click `Add endpoint`, and provide your `ngrok` URL along with the `stripe.endpoint` suffix.
+
+An example webhook URL would then be `https://bf2a5d21.ngrok.io/stripe/events`.
+
+Once your endpoint is configured, you can reveal the **Signing secret**. This will need to be set
+as documented above:
+
+```ruby
+# config/application.rb
+# ...
+config.stripe.signing_secret = 'whsec_XXXYYYZZZ'
+```
+
+And you'll need to restart your rails server with:
+
+```sh
+rails restart
+```
+
+Now you're ready to click **Send test webhook**, and trigger whichever events you'd like to test from Stripe itself.
+
 ### Disabling auto mount
 
 Sometimes, you don't want the stripe engine to be auto-mounted so that

data/app/controllers/stripe/events_controller.rb

@@ -4,8 +4,14 @@ module Stripe
     respond_to :json
 
     def create
-      @event = dispatch_stripe_event params
+      @event = dispatch_stripe_event(request)
       head :ok
+    rescue JSON::ParserError => e
+      ::Rails.logger.error e.message
+      head :bad_request, status: 400
+    rescue Stripe::SignatureVerificationError => e
+      ::Rails.logger.error e.message
+      head :bad_request, status: 400
     end
   end
 end

data/app/models/stripe/event_dispatch.rb

@@ -1,20 +1,29 @@
 require 'stripe/event'
 module Stripe
   module EventDispatch
-    def dispatch_stripe_event(params)
-      retrieve_stripe_event(params) do |evt|
+    def dispatch_stripe_event(request)
+      retrieve_stripe_event(request) do |evt|
         target = evt.data.object
         ::Stripe::Callbacks.run_callbacks(evt, target)
       end
     end
 
-    def retrieve_stripe_event(params)
-      id = params['id']
-      if id == 'evt_00000000000000' #this is a webhook test
-        yield Stripe::Event.construct_from(params.to_unsafe_h)
+    def retrieve_stripe_event(request)
+      id = request['id']
+      body = request.body.read
+      sig_header = request.headers['HTTP_STRIPE_SIGNATURE']
+      endpoint_secret = ::Rails.application.config.stripe.signing_secret
+
+      # this is a webhook test
+      if id == 'evt_00000000000000'
+        event = Stripe::Event.construct_from(JSON.parse(body))
+      elsif Object.const_defined?('Stripe::Webhook') && sig_header && endpoint_secret
+        event = ::Stripe::Webhook.construct_event(body, sig_header, endpoint_secret)
       else
-        yield Stripe::Event.retrieve(id)
+        event = Stripe::Event.retrieve(id)
       end
+
+      yield event
     end
   end
 end

data/lib/stripe/engine.rb

@@ -8,7 +8,7 @@ module Stripe
       attr_accessor :testing
     end
 
-    stripe_config = config.stripe = Struct.new(:api_base, :api_version, :secret_key, :verify_ssl_certs, :publishable_key, :endpoint, :debug_js, :auto_mount, :eager_load, :open_timeout, :read_timeout).new
+    stripe_config = config.stripe = Struct.new(:api_base, :api_version, :secret_key, :verify_ssl_certs, :signing_secret, :publishable_key, :endpoint, :debug_js, :auto_mount, :eager_load, :open_timeout, :read_timeout).new
 
     def stripe_config.api_key=(key)
       warn "[DEPRECATION] to align with stripe nomenclature, stripe.api_key has been renamed to config.stripe.secret_key"

data/lib/stripe/plans.rb

@@ -22,10 +22,10 @@ module Stripe
       validates_presence_of :id, :amount, :currency
 
       validates_inclusion_of  :interval,
-                              :in => %w(day week month year),
-                              :message => "'%{value}' is not one of 'day', 'week', 'month' or 'year'"
+                              in: %w(day week month year),
+                              message: "'%{value}' is not one of 'day', 'week', 'month' or 'year'"
 
-      validates :statement_descriptor, :length => { :maximum => 22 }
+      validates :statement_descriptor, length: { maximum: 22 }
 
       validates :active,          inclusion: { in: [true, false] }, allow_nil: true
       validates :usage_type,      inclusion: { in: %w{ metered licensed } }, allow_nil: true
@@ -62,31 +62,32 @@ module Stripe
 
       def default_create_options
         {
-          :currency => @currency,
+          currency: currency,
           product: product_options,
-          :amount => @amount,
-          :interval => @interval,
-          :interval_count => @interval_count,
-          :trial_period_days => @trial_period_days,
-          :metadata => @metadata,
-        }
+          amount: amount,
+          interval: interval,
+          interval_count: interval_count,
+          trial_period_days: trial_period_days,
+          metadata: metadata,
+          nickname: nickname
+        }.delete_if{|_, v| v.nil? }
       end
 
       def product_options
-        @product_id.presence || { :name => @name, :statement_descriptor => @statement_descriptor }
+        product_id.presence || { name: name, statement_descriptor: statement_descriptor }
       end
 
       def create_options_without_products
         {
-          :currency => @currency,
-          :name => @name,
-          :amount => @amount,
-          :interval => @interval,
-          :interval_count => @interval_count,
-          :trial_period_days => @trial_period_days,
-          :metadata => @metadata,
-          :statement_descriptor => @statement_descriptor
-        }
+          currency: currency,
+          name: name,
+          amount: amount,
+          interval: interval,
+          interval_count: interval_count,
+          trial_period_days: trial_period_days,
+          metadata: metadata,
+          statement_descriptor: statement_descriptor
+        }.delete_if{|_, v| v.nil? }
       end
     end
   end

data/lib/stripe/rails/version.rb

@@ -1,5 +1,5 @@
 module Stripe
   module Rails
-    VERSION = '1.4.2'
+    VERSION = '1.5.0'
   end
 end

data/test/dummy_stripes_controller_spec.rb

@@ -1,3 +1,5 @@
+require 'spec_helper'
+
 class DummyStripesControllerSpec < ApplicationSystemTestCase
   setup do
     Dummy::Application.configure do

data/test/events_controller_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Stripe::EventsController do
-  parallelize_me!
   include Rack::Test::Methods
 
   let(:app) { Rails.application }
@@ -11,7 +10,7 @@ describe Stripe::EventsController do
   end
 
   describe 'the events interface' do
-    let(:params) { 
+    let(:params) {
       {
         id: 'evt_00000000000000',
         type: 'customer.updated',
@@ -22,4 +21,36 @@ describe Stripe::EventsController do
 
     it { subject.must_be :ok? }
   end
+
+  describe 'signed webhooks' do
+    before do
+      header 'Stripe-Signature', 't=1537832721,v1=123,v0=123'
+      app.config.stripe.signing_secret = 'SECRET'
+    end
+
+    after { app.config.stripe.signing_secret = nil }
+
+    let(:params) {
+      {
+        id: 'evt_00000000000001',
+        type: 'customer.updated',
+        data: {
+          object: 'customer',
+          fingerprint: 'xxxyyyzzz'
+        },
+      }
+    }
+
+    subject { post '/stripe/events', params.to_json }
+
+    it 'returns bad_request when invalid' do
+      Stripe::Webhook.expects(:construct_event).raises(Stripe::SignatureVerificationError.new('msg', 'sig_header'))
+      subject.must_be :bad_request?
+    end
+
+    it 'returns ok when valid' do
+      Stripe::Webhook.expects(:construct_event).returns(Stripe::Event.construct_from(params))
+      subject.must_be :ok?
+    end
+  end
 end

data/test/plan_builder_spec.rb

@@ -218,9 +218,7 @@ describe 'building plans' do
             :amount => 699,
             :interval => 'month',
             :interval_count => 1,
-            :trial_period_days => 0,
-            :metadata => nil,
-            :statement_descriptor => nil
+            :trial_period_days => 0
           )
           Stripe::Plans::GOLD.put!
         end
@@ -233,9 +231,7 @@ describe 'building plans' do
             :amount => 699,
             :interval => 'month',
             :interval_count => 1,
-            :trial_period_days => 0,
-            :metadata => nil,
-            :statement_descriptor => nil
+            :trial_period_days => 0
           )
           Stripe::Plans::ALTERNATIVE_CURRENCY.put!
         end
@@ -255,8 +251,7 @@ describe 'building plans' do
               :amount => 699,
               :interval => 'month',
               :interval_count => 1,
-              :trial_period_days => 0,
-              :metadata => nil,
+              :trial_period_days => 0
             )
             Stripe::Plans::GOLD.put!
           end
@@ -279,8 +274,7 @@ describe 'building plans' do
                 :amount => 699,
                 :interval => 'month',
                 :interval_count => 1,
-                :trial_period_days => 0,
-                :metadata => nil,
+                :trial_period_days => 0
               )
               Stripe::Plans::GOLD.put!
             end
@@ -303,8 +297,7 @@ describe 'building plans' do
               :amount => 699,
               :interval => 'month',
               :interval_count => 1,
-              :trial_period_days => 0,
-              :metadata => nil,
+              :trial_period_days => 0
             )
 
             subject

data/test/spec_helper.rb

@@ -8,7 +8,13 @@ require 'minitest/autorun'
 require 'webmock/minitest'
 WebMock.disable_net_connect!(allow_localhost: true)
 
+# Chrome Setup
 require 'selenium-webdriver'
+require 'capybara'
+require 'chromedriver-helper'
+Capybara.register_driver :selenium do |app|
+  Capybara::Selenium::Driver.new(app, :browser => :chrome)
+end
 
 # Configure Rails Environment
 ENV["RAILS_ENV"] = "test"

data/test/stripe_initializers_spec.rb

@@ -34,6 +34,7 @@ describe "Configuring the stripe engine" do
     subject do
       app.config.stripe.api_base          = 'http://localhost:5000'
       app.config.stripe.secret_key        = 'SECRET_XYZ'
+      app.config.stripe.signing_secret    = 'SIGNING_SECRET_XYZ'
       app.config.stripe.verify_ssl_certs  = false
       app.config.stripe.api_version       = '2015-10-16'
       app.config.stripe.open_timeout      = 33
@@ -50,6 +51,8 @@ describe "Configuring the stripe engine" do
       Stripe.api_version.must_equal       '2015-10-16'
       Stripe.open_timeout.must_equal      33
       Stripe.read_timeout.must_equal      88
+
+      app.config.stripe.signing_secret.must_equal   'SIGNING_SECRET_XYZ'
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stripe-rails
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.5.0
 platform: ruby
 authors:
 - Charles Lowell
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-06 00:00:00.000000000 Z
+date: 2018-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -178,7 +178,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: A gem to integrate stripe into your rails app