stripe_event 1.9.0 → 1.9.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -1
- data/README.md +14 -11
- data/app/controllers/stripe_event/webhook_controller.rb +7 -0
- data/lib/stripe_event.rb +10 -0
- data/lib/stripe_event/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3f827c24a3682b3e707e6f9547bf4237ddda2ffa07341bed8207e6090372abd0
|
|
4
|
+
data.tar.gz: cb1aa0db4c845265921b5755a8f49aa3701447d113ed2139b77b1273eef5d3f1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ed4f46f5d8ce37d6dd55fd91e183b2327f0cd06c3048bff9c900124335745cb95895eb0fa6c7f409db6b46f1f275055a54ab4cf07e8451c42900535c50e4a5cd
|
|
7
|
+
data.tar.gz: 8e20e3249afa9b7320df0abbcac2584788d2904b51030c6b21768cbe2def63a7d43d0bb445de1b5520fc63b7493ee0afa0efde13f372dc7036f48d91edba7fb7
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,17 @@
|
|
|
1
|
+
### 1.9.1 (November 30, 2017)
|
|
2
|
+
|
|
3
|
+
This release is in preparation for some backward incompatible changes due to
|
|
4
|
+
arrive in v2.0.0. It is highly recommended that everyone secure their webhook
|
|
5
|
+
endpoints by using `StripeEvent.signing_secret`. See the README and [Stripe's
|
|
6
|
+
documentation](https://stripe.com/docs/webhooks#signatures) for more
|
|
7
|
+
information.
|
|
8
|
+
|
|
9
|
+
* Deprecate `StripeEvent.authentication_secret` (#96)
|
|
10
|
+
* Deprecate unverified use of Stripe webhook's (#96)
|
|
11
|
+
|
|
1
12
|
### 1.9.0 (November 30, 2017)
|
|
2
13
|
|
|
3
|
-
* Support for Rails 5.1 (#94, Thanks @krasnoukhov and @simplepractice!
|
|
14
|
+
* Support for Rails 5.1 (#94, Thanks @krasnoukhov and @simplepractice!)
|
|
4
15
|
|
|
5
16
|
### 1.8.0 (August 29, 2017)
|
|
6
17
|
|
data/README.md
CHANGED
|
@@ -25,7 +25,8 @@ mount StripeEvent::Engine, at: '/my-chosen-path' # provide a custom path
|
|
|
25
25
|
|
|
26
26
|
```ruby
|
|
27
27
|
# config/initializers/stripe.rb
|
|
28
|
-
Stripe.api_key
|
|
28
|
+
Stripe.api_key = ENV['STRIPE_SECRET_KEY'] # e.g. sk_live_...
|
|
29
|
+
StripeEvent.signing_secret = ENV['STRIPE_SIGNING_SECRET'] # e.g. whsec_...
|
|
29
30
|
|
|
30
31
|
StripeEvent.configure do |events|
|
|
31
32
|
events.subscribe 'charge.failed' do |event|
|
|
@@ -78,6 +79,18 @@ end
|
|
|
78
79
|
|
|
79
80
|
## Securing your webhook endpoint
|
|
80
81
|
|
|
82
|
+
### Authenticating webhooks with signatures (recommended)
|
|
83
|
+
|
|
84
|
+
Stripe will cryptographically sign webhook payloads with a signature that is included in a special header sent with the request. Verifying this signature lets your application properly authenticate the request originated from Stripe. To leverage this feature, please set the `signing_secret` configuration value:
|
|
85
|
+
|
|
86
|
+
```
|
|
87
|
+
StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
Please refer to Stripe's documentation for more details: https://stripe.com/docs/webhooks#signatures
|
|
91
|
+
|
|
92
|
+
### Basic authentication (DEPRECATED)
|
|
93
|
+
|
|
81
94
|
StripeEvent automatically fetches events from Stripe to ensure they haven't been forged. However, that doesn't prevent an attacker who knows your endpoint name and an event's ID from forcing your server to process a legitimate event twice. If that event triggers some useful action, like generating a license key or enabling a delinquent account, you could end up giving something the attacker is supposed to pay for away for free.
|
|
82
95
|
|
|
83
96
|
To prevent this, StripeEvent supports using HTTP Basic authentication on your webhook endpoint. If only Stripe knows the basic authentication password, this ensures that the request really comes from Stripe. Here's what you do:
|
|
@@ -99,16 +112,6 @@ To prevent this, StripeEvent supports using HTTP Basic authentication on your we
|
|
|
99
112
|
|
|
100
113
|
This is only truly secure if your webhook endpoint is accessed over SSL, which Stripe strongly recommends anyway.
|
|
101
114
|
|
|
102
|
-
## Authenticating webhooks
|
|
103
|
-
|
|
104
|
-
Stripe will cryptographically sign webhook payloads with a signature that is included in a special header sent with the request. Verifying this signature lets your application properly authenticate the request originated from Stripe. To leverage this feature, please set the `signing_secret` configuration value:
|
|
105
|
-
|
|
106
|
-
```
|
|
107
|
-
StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret
|
|
108
|
-
```
|
|
109
|
-
|
|
110
|
-
Please refer to Stripe's documentation for more details: https://stripe.com/docs/webhooks#signatures
|
|
111
|
-
|
|
112
115
|
## Configuration
|
|
113
116
|
|
|
114
117
|
If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [account parameter](https://stripe.com/docs/connect/webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
|
|
@@ -37,6 +37,13 @@ module StripeEvent
|
|
|
37
37
|
signature = request.headers['Stripe-Signature']
|
|
38
38
|
|
|
39
39
|
Stripe::Webhook::Signature.verify_header payload, signature, StripeEvent.signing_secret
|
|
40
|
+
else
|
|
41
|
+
ActiveSupport::Deprecation.warn(
|
|
42
|
+
"[STRIPE_EVENT] Unverified use of stripe webhooks is deprecated and configuration of " +
|
|
43
|
+
"`StripeEvent.signing_secret=` will be required in 2.x. The value for your specific " +
|
|
44
|
+
"endpoint's signing secret (starting with `whsec_`) is in your API > Webhooks settings " +
|
|
45
|
+
"(https://dashboard.stripe.com/account/webhooks). " +
|
|
46
|
+
"More information can be found here: https://stripe.com/docs/webhooks#signatures")
|
|
40
47
|
end
|
|
41
48
|
rescue Stripe::SignatureVerificationError
|
|
42
49
|
head :bad_request
|
data/lib/stripe_event.rb
CHANGED
|
@@ -44,6 +44,16 @@ module StripeEvent
|
|
|
44
44
|
namespaced_name = namespace.call(name)
|
|
45
45
|
backend.notifier.listening?(namespaced_name)
|
|
46
46
|
end
|
|
47
|
+
|
|
48
|
+
def authentication_secret=(value)
|
|
49
|
+
ActiveSupport::Deprecation.warn(
|
|
50
|
+
"[STRIPE_EVENT] `StripeEvent.authentication_secret=` is deprecated and will be " +
|
|
51
|
+
"removed in 2.x. Use `StripeEvent.signing_secret=` instead. The value " +
|
|
52
|
+
"for your specific endpoint's signing secret (starting with `whsec_`) is in your " +
|
|
53
|
+
"API > Webhooks settings (https://dashboard.stripe.com/account/webhooks). " +
|
|
54
|
+
"More information can be found here: https://stripe.com/docs/webhooks#signatures")
|
|
55
|
+
@authentication_secret = value
|
|
56
|
+
end
|
|
47
57
|
end
|
|
48
58
|
|
|
49
59
|
class Namespace < Struct.new(:value, :delimiter)
|
data/lib/stripe_event/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: stripe_event
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.9.
|
|
4
|
+
version: 1.9.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Danny Whalen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-12-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|