stripe_event 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 50adaa42e4c78de01fd97d67a0d04f91ffb7feae
-  data.tar.gz: 06747a45085df869b71d393ce9d0a9ddc8dce556
+  metadata.gz: f9463bf4cf0ff40f3d50526e98d6167dc77dbbd1
+  data.tar.gz: 5822f4e55cbc6ca4bc6f0870ac76055ff858cfbf
 SHA512:
-  metadata.gz: 71336f7a54da853a9afc8f38bc6487b8acc6118c4cd4e50e8e082c39e6621b79e21578da8a48918e4748012126ecf50225687315dca66bec15d67af835311caa
-  data.tar.gz: 8822eada3465c54d9912bcdca5ab17459c4aeff344b0ae7e701e1864e2d4f235cbc4cd31111bb40192e5d49e2a4e36fb984260da8c009f92e6f6d2fbc62b88f4
+  metadata.gz: 48ece33350c3b997dfc8008bb406e702f53e4c4f343d1789edc4e69b2d491b14652a6016604481a0682a1c639b71885de7128e9d8635481f9dde636359dc9711
+  data.tar.gz: 4cc3051021fbfb1cc71c3feb0116a40d79739f5e2ddeb3646edbce592d343af60430d3bfe5deae60fcd026b298187a545618827dd9ec25c0bf18a4673ded85d4

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+### 1.7.0 (July 5, 2017)
+
+  * Support stripe v3 gem as a dependency (#87)
+
+### 1.6.0 (February 27, 2017)
+
+  * Support stripe v2 gem as a dependency (#82, b3cee03)
+
+### 1.5.1 (September 20, 2016)
+
+  * Better Rails 5 support. Prefer `before_action` over `before_filter`. (#69, Thanks @mcolyer)
+
 ### 1.5.0 (February 25, 2015)
   * Added [replay attack protection](https://github.com/integrallis/stripe_event#securing-your-webhook-endpoint) on webhooks. See  `StripeEvent.authentication_secret`. Thanks @brentdax for both the initial discussion and the implementation! #53, #55
   * Dropped official support for Rails 3.1 and Rails 4.0

data/README.md

@@ -99,13 +99,23 @@ To prevent this, StripeEvent supports using HTTP Basic authentication on your we
 
 This is only truly secure if your webhook endpoint is accessed over SSL, which Stripe strongly recommends anyway.
 
+## Authenticating webhooks
+
+Stripe will cryptographically sign webhook payloads with a signature that is included in a special header sent with the request. Verifying this signature lets your application properly authenticate the request originated from Stripe. To leverage this feature, please set the `signing_secret` configuration value:
+
+```
+StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret
+```
+
+Please refer to Stripe's documentation for more details: https://stripe.com/docs/webhooks#signatures
+
 ## Configuration
 
-If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [user_id parameter](https://stripe.com/docs/connect/authentication#webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
+If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [account parameter](https://stripe.com/docs/connect/webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
 
 ```ruby
 StripeEvent.event_retriever = lambda do |params|
-  api_key = Account.find_by!(stripe_user_id: params[:user_id]).api_key
+  api_key = Account.find_by!(stripe_user_id: params[:account]).api_key
   Stripe::Event.retrieve(params[:id], api_key)
 end
 ```
@@ -113,7 +123,7 @@ end
 ```ruby
 class EventRetriever
   def call(params)
-    api_key = retrieve_api_key(params[:user_id])
+    api_key = retrieve_api_key(params[:account])
     Stripe::Event.retrieve(params[:id], api_key)
   end
 
@@ -127,6 +137,8 @@ end
 StripeEvent.event_retriever = EventRetriever.new
 ```
 
+*Note: Older versions of Stripe used `user_id` to reference the Connect account.*
+
 If you'd like to ignore particular webhook events (perhaps to ignore test webhooks in production, or to ignore webhooks for a non-paying customer), you can do so by returning `nil` in you custom `event_retriever`. For example:
 
 ```ruby

data/app/controllers/stripe_event/webhook_controller.rb

@@ -2,8 +2,10 @@ module StripeEvent
   class WebhookController < ActionController::Base
     if respond_to?(:before_action)
       before_action :request_authentication
+      before_action :verify_signature
     else
       before_filter :request_authentication
+      before_filter :verify_signature
     end
 
     def event
@@ -24,9 +26,20 @@ module StripeEvent
     def request_authentication
       if StripeEvent.authentication_secret
         authenticate_or_request_with_http_basic do |username, password|
-          password == StripeEvent.authentication_secret
+          ActiveSupport::SecurityUtils.variable_size_secure_compare password, StripeEvent.authentication_secret
         end
       end
     end
+
+    def verify_signature
+      if StripeEvent.signing_secret
+        payload   = request.body.read
+        signature = request.headers['Stripe-Signature']
+
+        Stripe::Webhook::Signature.verify_header payload, signature, StripeEvent.signing_secret
+      end
+    rescue Stripe::SignatureVerificationError
+      head :bad_request
+    end
   end
 end

data/lib/stripe_event.rb

@@ -4,7 +4,7 @@ require "stripe_event/engine" if defined?(Rails)
 
 module StripeEvent
   class << self
-    attr_accessor :adapter, :backend, :event_retriever, :namespace, :authentication_secret
+    attr_accessor :adapter, :backend, :event_retriever, :namespace, :authentication_secret, :signing_secret
 
     def configure(&block)
       raise ArgumentError, "must provide a block" unless block_given?

data/lib/stripe_event/version.rb

@@ -1,3 +1,3 @@
 module StripeEvent
-  VERSION = "1.7.0"
+  VERSION = "1.8.0"
 end

data/spec/controllers/webhook_controller_spec.rb

@@ -84,4 +84,44 @@ describe StripeEvent::WebhookController do
       expect(response.code).to eq '200'
     end
   end
+
+  context "with a signing secret" do
+    def webhook_with_signature(signature, params)
+      request.env['HTTP_STRIPE_SIGNATURE'] = signature
+      webhook params
+    end
+
+    def generate_signature(secret)
+      payload   = 'id=evt_charge_succeeded'
+      timestamp = Time.now.to_i
+      signature = Stripe::Webhook::Signature.send(:compute_signature, "#{timestamp}.#{payload}", secret)
+
+      "t=#{timestamp},v1=#{signature}"
+    end
+
+    let(:shared_secret) { 'secret' }
+
+    before(:each) { StripeEvent.signing_secret = shared_secret }
+    after(:each) { StripeEvent.signing_secret = nil }
+
+    it "rejects missing signature" do
+      webhook id: 'evt_charge_succeeded'
+
+      expect(response.code).to eq '400'
+    end
+
+    it "rejects invalid signature" do
+      webhook_with_signature "invalid signature", id: 'evt_charge_succeeded'
+
+      expect(response.code).to eq '400'
+    end
+
+    it "accepts valid signature" do
+      stub_event 'evt_charge_succeeded'
+
+      webhook_with_signature generate_signature(shared_secret), id: 'evt_charge_succeeded'
+
+      expect(response.code).to eq '200'
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stripe_event
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Danny Whalen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-05 00:00:00.000000000 Z
+date: 2017-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -210,7 +210,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Stripe webhook integration for Rails applications.