stripe_event 1.7.0 → 1.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 50adaa42e4c78de01fd97d67a0d04f91ffb7feae
4
- data.tar.gz: 06747a45085df869b71d393ce9d0a9ddc8dce556
3
+ metadata.gz: f9463bf4cf0ff40f3d50526e98d6167dc77dbbd1
4
+ data.tar.gz: 5822f4e55cbc6ca4bc6f0870ac76055ff858cfbf
5
5
  SHA512:
6
- metadata.gz: 71336f7a54da853a9afc8f38bc6487b8acc6118c4cd4e50e8e082c39e6621b79e21578da8a48918e4748012126ecf50225687315dca66bec15d67af835311caa
7
- data.tar.gz: 8822eada3465c54d9912bcdca5ab17459c4aeff344b0ae7e701e1864e2d4f235cbc4cd31111bb40192e5d49e2a4e36fb984260da8c009f92e6f6d2fbc62b88f4
6
+ metadata.gz: 48ece33350c3b997dfc8008bb406e702f53e4c4f343d1789edc4e69b2d491b14652a6016604481a0682a1c639b71885de7128e9d8635481f9dde636359dc9711
7
+ data.tar.gz: 4cc3051021fbfb1cc71c3feb0116a40d79739f5e2ddeb3646edbce592d343af60430d3bfe5deae60fcd026b298187a545618827dd9ec25c0bf18a4673ded85d4
data/CHANGELOG.md CHANGED
@@ -1,3 +1,15 @@
1
+ ### 1.7.0 (July 5, 2017)
2
+
3
+ * Support stripe v3 gem as a dependency (#87)
4
+
5
+ ### 1.6.0 (February 27, 2017)
6
+
7
+ * Support stripe v2 gem as a dependency (#82, b3cee03)
8
+
9
+ ### 1.5.1 (September 20, 2016)
10
+
11
+ * Better Rails 5 support. Prefer `before_action` over `before_filter`. (#69, Thanks @mcolyer)
12
+
1
13
  ### 1.5.0 (February 25, 2015)
2
14
  * Added [replay attack protection](https://github.com/integrallis/stripe_event#securing-your-webhook-endpoint) on webhooks. See `StripeEvent.authentication_secret`. Thanks @brentdax for both the initial discussion and the implementation! #53, #55
3
15
  * Dropped official support for Rails 3.1 and Rails 4.0
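Review bot: the changelog is missing an entry for this release. The new headings stop at 1.7.0, yet the diff below adds a `signing_secret` option with a `verify_signature` filter and replaces the `==` password check in `request_authentication` with `ActiveSupport::SecurityUtils.variable_size_secure_compare`. Add a `### 1.8.0` section at the top naming both changes, since one is a new security option users must opt into and the other fixes a timing-unsafe comparison they may want to know was corrected.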
data/README.md CHANGED
@@ -99,13 +99,23 @@ To prevent this, StripeEvent supports using HTTP Basic authentication on your we
99
99
 
100
100
  This is only truly secure if your webhook endpoint is accessed over SSL, which Stripe strongly recommends anyway.
101
101
 
102
+ ## Authenticating webhooks
103
+
104
+ Stripe will cryptographically sign webhook payloads with a signature that is included in a special header sent with the request. Verifying this signature lets your application properly authenticate the request originated from Stripe. To leverage this feature, please set the `signing_secret` configuration value:
105
+
106
+ ```
107
+ StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret
108
+ ```
109
+
110
+ Please refer to Stripe's documentation for more details: https://stripe.com/docs/webhooks#signatures
111
+
102
112
  ## Configuration
103
113
 
104
- If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [user_id parameter](https://stripe.com/docs/connect/authentication#webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
114
+ If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [account parameter](https://stripe.com/docs/connect/webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
105
115
 
106
116
  ```ruby
107
117
  StripeEvent.event_retriever = lambda do |params|
108
- api_key = Account.find_by!(stripe_user_id: params[:user_id]).api_key
118
+ api_key = Account.find_by!(stripe_user_id: params[:account]).api_key
109
119
  Stripe::Event.retrieve(params[:id], api_key)
110
120
  end
111
121
  ```
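Review bot: the new fenced block around `StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret` has no language tag, while every other block in this README uses ```ruby; tag it the same way. The "Authenticating webhooks" text should also state that verification is skipped entirely when `signing_secret` is nil (the controller guards on `if StripeEvent.signing_secret`), so an environment where the secret is not configured silently runs without signature checks; a sentence recommending that the secret be set in every environment that receives webhooks would close that gap.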
@@ -113,7 +123,7 @@ end
113
123
  ```ruby
114
124
  class EventRetriever
115
125
  def call(params)
116
- api_key = retrieve_api_key(params[:user_id])
126
+ api_key = retrieve_api_key(params[:account])
117
127
  Stripe::Event.retrieve(params[:id], api_key)
118
128
  end
119
129
 
@@ -127,6 +137,8 @@ end
127
137
  StripeEvent.event_retriever = EventRetriever.new
128
138
  ```
129
139
 
140
+ *Note: Older versions of Stripe used `user_id` to reference the Connect account.*
141
+
130
142
  If you'd like to ignore particular webhook events (perhaps to ignore test webhooks in production, or to ignore webhooks for a non-paying customer), you can do so by returning `nil` in you custom `event_retriever`. For example:
131
143
 
132
144
  ```ruby
@@ -2,8 +2,10 @@ module StripeEvent
2
2
  class WebhookController < ActionController::Base
3
3
  if respond_to?(:before_action)
4
4
  before_action :request_authentication
5
+ before_action :verify_signature
5
6
  else
6
7
  before_filter :request_authentication
8
+ before_filter :verify_signature
7
9
  end
8
10
 
9
11
  def event
@@ -24,9 +26,20 @@ module StripeEvent
24
26
  def request_authentication
25
27
  if StripeEvent.authentication_secret
26
28
  authenticate_or_request_with_http_basic do |username, password|
27
- password == StripeEvent.authentication_secret
29
+ ActiveSupport::SecurityUtils.variable_size_secure_compare password, StripeEvent.authentication_secret
28
30
  end
29
31
  end
30
32
  end
33
+
34
+ def verify_signature
35
+ if StripeEvent.signing_secret
36
+ payload = request.body.read
37
+ signature = request.headers['Stripe-Signature']
38
+
39
+ Stripe::Webhook::Signature.verify_header payload, signature, StripeEvent.signing_secret
40
+ end
41
+ rescue Stripe::SignatureVerificationError
42
+ head :bad_request
43
+ end
31
44
  end
32
45
  end
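Review bot: `Stripe::Webhook::Signature.verify_header payload, signature, StripeEvent.signing_secret` passes no `tolerance:` keyword, and stripe-ruby only rejects a stale `t=` timestamp when a tolerance is supplied, so a request carrying a valid `v1` signature is accepted regardless of how old it is; given the README already advertises replay-attack protection, pass `tolerance: Stripe::Webhook::DEFAULT_TOLERANCE` (or expose it as a configuration value next to `signing_secret`). Separately, `ActiveSupport::SecurityUtils` first shipped in Active Support 4.2; the changelog only records dropping Rails 3.1 and 4.0, so confirm the gemspec no longer admits 4.1, otherwise `request_authentication` raises `NameError` on those apps.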
data/lib/stripe_event.rb CHANGED
@@ -4,7 +4,7 @@ require "stripe_event/engine" if defined?(Rails)
4
4
 
5
5
  module StripeEvent
6
6
  class << self
7
- attr_accessor :adapter, :backend, :event_retriever, :namespace, :authentication_secret
7
+ attr_accessor :adapter, :backend, :event_retriever, :namespace, :authentication_secret, :signing_secret
8
8
 
9
9
  def configure(&block)
10
10
  raise ArgumentError, "must provide a block" unless block_given?
@@ -1,3 +1,3 @@
1
1
  module StripeEvent
2
- VERSION = "1.7.0"
2
+ VERSION = "1.8.0"
3
3
  end
@@ -84,4 +84,44 @@ describe StripeEvent::WebhookController do
84
84
  expect(response.code).to eq '200'
85
85
  end
86
86
  end
87
+
88
+ context "with a signing secret" do
89
+ def webhook_with_signature(signature, params)
90
+ request.env['HTTP_STRIPE_SIGNATURE'] = signature
91
+ webhook params
92
+ end
93
+
94
+ def generate_signature(secret)
95
+ payload = 'id=evt_charge_succeeded'
96
+ timestamp = Time.now.to_i
97
+ signature = Stripe::Webhook::Signature.send(:compute_signature, "#{timestamp}.#{payload}", secret)
98
+
99
+ "t=#{timestamp},v1=#{signature}"
100
+ end
101
+
102
+ let(:shared_secret) { 'secret' }
103
+
104
+ before(:each) { StripeEvent.signing_secret = shared_secret }
105
+ after(:each) { StripeEvent.signing_secret = nil }
106
+
107
+ it "rejects missing signature" do
108
+ webhook id: 'evt_charge_succeeded'
109
+
110
+ expect(response.code).to eq '400'
111
+ end
112
+
113
+ it "rejects invalid signature" do
114
+ webhook_with_signature "invalid signature", id: 'evt_charge_succeeded'
115
+
116
+ expect(response.code).to eq '400'
117
+ end
118
+
119
+ it "accepts valid signature" do
120
+ stub_event 'evt_charge_succeeded'
121
+
122
+ webhook_with_signature generate_signature(shared_secret), id: 'evt_charge_succeeded'
123
+
124
+ expect(response.code).to eq '200'
125
+ end
126
+ end
87
127
  end
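Review bot: the three new examples cover a missing, a malformed and a fresh signature, but none exercises an expired timestamp; `generate_signature` always signs with `Time.now.to_i`. Add a fourth example that builds the header with a timestamp well in the past (for instance `Time.now.to_i - 600`) and expects `'400'`, so the suite pins down whether an old but correctly signed payload is rejected rather than replayed. It would also be worth asserting on the missing-header case that the failure comes from `Stripe::SignatureVerificationError` rather than a `NoMethodError` on the nil header, since `verify_signature` only rescues the former.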
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: stripe_event
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.0
4
+ version: 1.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Danny Whalen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-07-05 00:00:00.000000000 Z
11
+ date: 2017-08-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -210,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
210
210
  version: '0'
211
211
  requirements: []
212
212
  rubyforge_project:
213
- rubygems_version: 2.5.2
213
+ rubygems_version: 2.6.11
214
214
  signing_key:
215
215
  specification_version: 4
216
216
  summary: Stripe webhook integration for Rails applications.