stripe_event 1.9.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f827c24a3682b3e707e6f9547bf4237ddda2ffa07341bed8207e6090372abd0
-  data.tar.gz: cb1aa0db4c845265921b5755a8f49aa3701447d113ed2139b77b1273eef5d3f1
+  metadata.gz: 5a15817b36adbede92cb27a9ceea978c9b0c54331a5dcf02b62fc92e1e0cd1ca
+  data.tar.gz: '09022bc7c1330fa75f41cd676c841a47637438414e462e8a09aedbd7b06add6a'
 SHA512:
-  metadata.gz: ed4f46f5d8ce37d6dd55fd91e183b2327f0cd06c3048bff9c900124335745cb95895eb0fa6c7f409db6b46f1f275055a54ab4cf07e8451c42900535c50e4a5cd
-  data.tar.gz: 8e20e3249afa9b7320df0abbcac2584788d2904b51030c6b21768cbe2def63a7d43d0bb445de1b5520fc63b7493ee0afa0efde13f372dc7036f48d91edba7fb7
+  metadata.gz: 4358816b6c78747d9c3b03179895cbb62bf63cf4e7a42ac3e0108447c7e2c63f361520112bd70815c550bbc53cf3c4024538c6253e4e0249a2d09ec7f208482a
+  data.tar.gz: 19e6384d6cdbed7393a010f4c7b812c33ebe4f45beb01df90b5776327429f40c7a6e565497ea69b12706ef01a00e4a86d2e6f45e56f2c2dc5f42a4e3b952819f

data/CHANGELOG.md

@@ -1,4 +1,13 @@
-### 1.9.1 (November 30, 2017)
+### 2.0.0 (December 14, 2017)
+
+**Backwards incompatible release. [Signed webhooks are now required.](https://stripe.com/docs/webhooks#signatures).**
+
+- **Requires `StripeEvent.signing_secret` configuration** (#95, #97)
+- Adds support for multiple signing secrets using `StripeEvent.signing_secrets` (#98, #99)
+- Removes `StripeEvent.authentication_secret` and associated basic auth support (#97)
+- Adds `StripeEvent.event_filter` (replaces use-cases for the now removed `event_retriever` config) (#97)
+
+### 1.9.1 (December 5, 2017)
 
 This release is in preparation for some backward incompatible changes due to
 arrive in v2.0.0.  It is highly recommended that everyone secure their webhook
@@ -7,7 +16,7 @@ documentation](https://stripe.com/docs/webhooks#signatures) for more
 information.
 
   * Deprecate `StripeEvent.authentication_secret` (#96)
-  * Deprecate unverified use of Stripe webhook's (#96)
+  * Deprecate unverified use of Stripe's webhooks (#96)
 
 ### 1.9.0 (November 30, 2017)
 

data/README.md

@@ -79,86 +79,76 @@ end
 
 ## Securing your webhook endpoint
 
-### Authenticating webhooks with signatures (recommended)
+### Authenticating webhooks with signatures
 
 Stripe will cryptographically sign webhook payloads with a signature that is included in a special header sent with the request. Verifying this signature lets your application properly authenticate the request originated from Stripe. To leverage this feature, please set the `signing_secret` configuration value:
 
-```
+```ruby
 StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_secret
 ```
 
 Please refer to Stripe's documentation for more details: https://stripe.com/docs/webhooks#signatures
 
-### Basic authentication (DEPRECATED)
-
-StripeEvent automatically fetches events from Stripe to ensure they haven't been forged. However, that doesn't prevent an attacker who knows your endpoint name and an event's ID from forcing your server to process a legitimate event twice. If that event triggers some useful action, like generating a license key or enabling a delinquent account, you could end up giving something the attacker is supposed to pay for away for free.
-
-To prevent this, StripeEvent supports using HTTP Basic authentication on your webhook endpoint. If only Stripe knows the basic authentication password, this ensures that the request really comes from Stripe. Here's what you do:
+### Support for multiple signing secrets
 
-1. Arrange for a secret key to be available in your application's environment variables or `secrets.yml` file. You can generate a suitable secret with the `rake secret` command. (Remember, the `secrets.yml` file shouldn't contain production secrets directly; it should use ERB to include them.)
+Sometimes, you'll have multiple Stripe webhook subscriptions pointing at your application each with a different signing secret. For example, you might have both a main Account webhook and a webhook for a Connect application point at the same endpoint. It's possible to configure an array of signing secrets using the `signing_secrets` configuration option. The first one that successfully matches for each incoming webhook will be used to verify your incoming events.
 
-2. Configure StripeEvent to require that secret be used as a basic authentication password, using code along the lines of these examples:
-
-    ```ruby
-    # STRIPE_WEBHOOK_SECRET environment variable
-    StripeEvent.authentication_secret = ENV['STRIPE_WEBHOOK_SECRET']
-    # stripe_webhook_secret key in secrets.yml file
-    StripeEvent.authentication_secret = Rails.application.secrets.stripe_webhook_secret
-    ```
-
-3. When you specify your webhook's URL in Stripe's settings, include the secret as a password in the URL, along with any username:
-
-        https://stripe:my-secret-key@myapplication.com/my-webhook-path
+```ruby
+StripeEvent.signing_secrets = [
+  Rails.application.secrets.stripe_account_signing_secret,
+  Rails.application.secrets.stripe_connect_signing_secret,
+]
+```
 
-This is only truly secure if your webhook endpoint is accessed over SSL, which Stripe strongly recommends anyway.
+(NOTE: `signing_secret=` and `signing_secrets=` are just aliases for one another)
 
 ## Configuration
 
 If you have built an application that has multiple Stripe accounts--say, each of your customers has their own--you may want to define your own way of retrieving events from Stripe (e.g. perhaps you want to use the [account parameter](https://stripe.com/docs/connect/webhooks) from the top level to detect the customer for the event, then grab their specific API key). You can do this:
 
 ```ruby
-StripeEvent.event_retriever = lambda do |params|
-  api_key = Account.find_by!(stripe_user_id: params[:account]).api_key
-  Stripe::Event.retrieve(params[:id], api_key)
+StripeEvent.event_filter = lambda do |event|
+  api_key = Account.find_by!(stripe_account_id: event.account).api_key
+  Stripe::Event.retrieve(event.id, api_key)
 end
 ```
 
 ```ruby
-class EventRetriever
-  def call(params)
-    api_key = retrieve_api_key(params[:account])
-    Stripe::Event.retrieve(params[:id], api_key)
+class EventFilter
+  def call(event)
+    event.api_key = lookup_api_key(event.account)
+    event
   end
 
-  def retrieve_api_key(stripe_user_id)
-    Account.find_by!(stripe_user_id: stripe_user_id).api_key
+  def lookup_api_key(account_id)
+    Account.find_by!(stripe_account_id: account_id).api_key
   rescue ActiveRecord::RecordNotFound
     # whoops something went wrong - error handling
   end
 end
 
-StripeEvent.event_retriever = EventRetriever.new
+StripeEvent.event_filter = EventFilter.new
 ```
 
-*Note: Older versions of Stripe used `user_id` to reference the Connect account.*
-
-If you'd like to ignore particular webhook events (perhaps to ignore test webhooks in production, or to ignore webhooks for a non-paying customer), you can do so by returning `nil` in you custom `event_retriever`. For example:
+If you'd like to ignore particular webhook events (perhaps to ignore test webhooks in production, or to ignore webhooks for a non-paying customer), you can do so by returning `nil` in your custom `event_filter`. For example:
 
 ```ruby
-StripeEvent.event_retriever = lambda do |params|
-  return nil if Rails.env.production? && !params[:livemode]
-  Stripe::Event.retrieve(params[:id])
+StripeEvent.event_filter = lambda do |event|
+  return nil if Rails.env.production? && !event.livemode
+  event
 end
 ```
 
 ```ruby
-StripeEvent.event_retriever = lambda do |params|
-  account = Account.find_by!(stripe_user_id: params[:user_id])
+StripeEvent.event_filter = lambda do |event|
+  account = Account.find_by!(stripe_account_id: event.account)
   return nil if account.delinquent?
-  Stripe::Event.retrieve(params[:id], account.api_key)
+  event
 end
 ```
 
+*Note: Older versions of Stripe used `event.user_id` to reference the Connect Account ID.*
+
 ## Without Rails
 
 StripeEvent can be used outside of Rails applications as well. Here is a basic Sinatra implementation:
@@ -183,25 +173,24 @@ end
 
 ## Testing
 
-Handling webhooks is a critical piece of modern billing systems. Verifying the behavior of StripeEvent subscribers can be done fairly easily by stubbing out the HTTP request used to authenticate the webhook request. Tools like [Webmock](https://github.com/bblimke/webmock) and [VCR](https://github.com/vcr/vcr) work well. [RequestBin](http://requestb.in/) is great for collecting the payloads. For exploratory phases of development, [UltraHook](http://www.ultrahook.com/) and other tools can forward webhook requests directly to localhost. You can check out [test-hooks](https://github.com/invisiblefunnel/test-hooks), an example Rails application to see how to test StripeEvent subscribers with RSpec request specs and Webmock. A quick look:
+Handling webhooks is a critical piece of modern billing systems. Verifying the behavior of StripeEvent subscribers can be done fairly easily by stubbing out the HTTP signature header used to authenticate the webhook request. Tools like [Webmock](https://github.com/bblimke/webmock) and [VCR](https://github.com/vcr/vcr) work well. [RequestBin](http://requestb.in/) is great for collecting the payloads. For exploratory phases of development, [UltraHook](http://www.ultrahook.com/) and other tools can forward webhook requests directly to localhost. You can check out [test-hooks](https://github.com/invisiblefunnel/test-hooks), an example Rails application to see how to test StripeEvent subscribers with RSpec request specs and Webmock. A quick look:
 
 ```ruby
 # spec/requests/billing_events_spec.rb
 require 'spec_helper'
 
 describe "Billing Events" do
-  def stub_event(fixture_id, status = 200)
-    stub_request(:get, "https://api.stripe.com/v1/events/#{fixture_id}").
-      to_return(status: status, body: File.read("spec/support/fixtures/#{fixture_id}.json"))
+  def bypass_event_signature(payload)
+    event = Stripe::Event.construct_from(JSON.parse(payload, symbolize_names: true))
+    expect(Stripe::Webhook).to receive(:construct_event).and_return(event)
   end
 
   describe "customer.created" do
-    before do
-      stub_event 'evt_customer_created'
-    end
+    let(:payload) { File.read("spec/support/fixtures/evt_customer_created.json")
+    before(:each) { bypass_event_signature payload }
 
     it "is successful" do
-      post '/_billing_events', id: 'evt_customer_created'
+      post '/_billing_events', body: payload
       expect(response.code).to eq "200"
       # Additional expectations...
     end
@@ -209,10 +198,6 @@ describe "Billing Events" do
 end
 ```
 
-### Note: 'Test Webhooks' Button on Stripe Dashboard
-
-This button sends an example event to your webhook urls, including an `id` of `evt_00000000000000`. To confirm that Stripe sent the webhook, StripeEvent attempts to retrieve the event details from Stripe using the given `id`. In this case the event does not exist and StripeEvent responds with `401 Unauthorized`. Instead of using the 'Test Webhooks' button, trigger webhooks by using the Stripe API or Dashboard to create test payments, customers, etc.
-
 ### Maintainers
 
 * [Ryan McGeary](https://github.com/rmm5t)

data/app/controllers/stripe_event/webhook_controller.rb

@@ -1,52 +1,40 @@
 module StripeEvent
   class WebhookController < ActionController::Base
-    if respond_to?(:before_action)
-      before_action :request_authentication
-      before_action :verify_signature
-    else
-      before_filter :request_authentication
-      before_filter :verify_signature
-    end
-
     def event
-      StripeEvent.instrument(params)
+      StripeEvent.instrument(verified_event)
       head :ok
-    rescue StripeEvent::UnauthorizedError => e
+    rescue Stripe::SignatureVerificationError => e
       log_error(e)
-      head :unauthorized
+      head :bad_request
     end
 
     private
 
-    def log_error(e)
-      logger.error e.message
-      e.backtrace.each { |line| logger.error "  #{line}" }
-    end
+    def verified_event
+      payload          = request.body.read
+      signature        = request.headers['Stripe-Signature']
+      possible_secrets = secrets(payload, signature)
 
-    def request_authentication
-      if StripeEvent.authentication_secret
-        authenticate_or_request_with_http_basic do |username, password|
-          ActiveSupport::SecurityUtils.variable_size_secure_compare password, StripeEvent.authentication_secret
+      possible_secrets.each_with_index do |secret, i|
+        begin
+          return Stripe::Webhook.construct_event(payload, signature, secret.to_s)
+        rescue Stripe::SignatureVerificationError
+          raise if i == possible_secrets.length - 1
+          next
         end
       end
     end
 
-    def verify_signature
-      if StripeEvent.signing_secret
-        payload   = request.body.read
-        signature = request.headers['Stripe-Signature']
+    def secrets(payload, signature)
+      return StripeEvent.signing_secrets if StripeEvent.signing_secret
+      raise Stripe::SignatureVerificationError.new(
+              "Cannot verify signature without a `StripeEvent.signing_secret`",
+              signature, http_body: payload)
+    end
 
-        Stripe::Webhook::Signature.verify_header payload, signature, StripeEvent.signing_secret
-      else
-        ActiveSupport::Deprecation.warn(
-        "[STRIPE_EVENT] Unverified use of stripe webhooks is deprecated and configuration of " +
-        "`StripeEvent.signing_secret=` will be required in 2.x. The value for your specific " +
-        "endpoint's signing secret (starting with `whsec_`) is in your API > Webhooks settings " +
-        "(https://dashboard.stripe.com/account/webhooks). " +
-        "More information can be found here: https://stripe.com/docs/webhooks#signatures")
-      end
-    rescue Stripe::SignatureVerificationError
-      head :bad_request
+    def log_error(e)
+      logger.error e.message
+      e.backtrace.each { |line| logger.error "  #{line}" }
     end
   end
 end

data/lib/stripe_event.rb

@@ -4,7 +4,8 @@ require "stripe_event/engine" if defined?(Rails)
 
 module StripeEvent
   class << self
-    attr_accessor :adapter, :backend, :event_retriever, :namespace, :authentication_secret, :signing_secret
+    attr_accessor :adapter, :backend, :namespace, :event_filter
+    attr_reader :signing_secrets
 
     def configure(&block)
       raise ArgumentError, "must provide a block" unless block_given?
@@ -12,24 +13,9 @@ module StripeEvent
     end
     alias :setup :configure
 
-    def instrument(params)
-      begin
-        event = event_retriever.call(params)
-      rescue Stripe::AuthenticationError => e
-        if params[:type] == "account.application.deauthorized"
-          if defined?(ActionController::Parameters) && params.is_a?(ActionController::Parameters)
-            params = params.permit!.to_h
-          end
-
-          event = Stripe::Event.construct_from(params.deep_symbolize_keys)
-        else
-          raise UnauthorizedError.new(e)
-        end
-      rescue Stripe::StripeError => e
-        raise UnauthorizedError.new(e)
-      end
-
-      backend.instrument namespace.call(event[:type]), event if event
+    def instrument(event)
+      event = event_filter.call(event)
+      backend.instrument namespace.call(event.type), event if event
     end
 
     def subscribe(name, callable = Proc.new)
@@ -45,14 +31,13 @@ module StripeEvent
       backend.notifier.listening?(namespaced_name)
     end
 
-    def authentication_secret=(value)
-      ActiveSupport::Deprecation.warn(
-        "[STRIPE_EVENT] `StripeEvent.authentication_secret=` is deprecated and will be " +
-        "removed in 2.x. Use `StripeEvent.signing_secret=` instead. The value " +
-        "for your specific endpoint's signing secret (starting with `whsec_`) is in your " +
-        "API > Webhooks settings (https://dashboard.stripe.com/account/webhooks). " +
-        "More information can be found here: https://stripe.com/docs/webhooks#signatures")
-      @authentication_secret = value
+    def signing_secret=(value)
+      @signing_secrets = Array(value)
+    end
+    alias signing_secrets= signing_secret=
+
+    def signing_secret
+      self.signing_secrets && self.signing_secrets.first
     end
   end
 
@@ -82,6 +67,6 @@ module StripeEvent
 
   self.adapter = NotificationAdapter
   self.backend = ActiveSupport::Notifications
-  self.event_retriever = lambda { |params| Stripe::Event.retrieve(params[:id]) }
   self.namespace = Namespace.new("stripe_event", ".")
+  self.event_filter = lambda { |event| event }
 end

data/lib/stripe_event/version.rb

@@ -1,3 +1,3 @@
 module StripeEvent
-  VERSION = "1.9.1"
+  VERSION = "2.0.0"
 end

data/spec/controllers/webhook_controller_spec.rb

@@ -2,131 +2,124 @@ require 'rails_helper'
 require 'spec_helper'
 
 describe StripeEvent::WebhookController, type: :controller do
-  def stub_event(identifier, status = 200)
-    stub_request(:get, "https://api.stripe.com/v1/events/#{identifier}").
-      to_return(status: status, body: File.read("spec/support/fixtures/#{identifier}.json"))
-  end
-
-  def webhook(params)
-    data = if Rails::VERSION::MAJOR > 4
-      { params: params }
-    else
-      params
-    end
+  let(:secret1) { 'secret1' }
+  let(:secret2) { 'secret2' }
+  let(:charge_succeeded) { stub_event('evt_charge_succeeded') }
 
-    post :event, data
+  def stub_event(identifier)
+    JSON.parse(File.read("spec/support/fixtures/#{identifier}.json"))
   end
 
-  routes { StripeEvent::Engine.routes }
-
-  it "succeeds with valid event data" do
-    count = 0
-    StripeEvent.subscribe('charge.succeeded') { |evt| count += 1 }
-    stub_event('evt_charge_succeeded')
+  def generate_signature(params, secret)
+    payload   = params.to_json
+    timestamp = Time.now.to_i
+    signature = Stripe::Webhook::Signature.send(:compute_signature, "#{timestamp}.#{payload}", secret)
 
-    webhook id: 'evt_charge_succeeded'
-
-    expect(response.code).to eq '200'
-    expect(count).to eq 1
+    "t=#{timestamp},v1=#{signature}"
   end
 
-  it "succeeds when the event_retriever returns nil (simulating an ignored webhook event)" do
-    count = 0
-    StripeEvent.event_retriever = lambda { |params| return nil }
-    StripeEvent.subscribe('charge.succeeded') { |evt| count += 1 }
-    stub_event('evt_charge_succeeded')
-
-    webhook id: 'evt_charge_succeeded'
-
-    expect(response.code).to eq '200'
-    expect(count).to eq 0
+  def webhook(signature, params)
+    request.env['HTTP_STRIPE_SIGNATURE'] = signature
+    request.env['RAW_POST_DATA'] = params.to_json # works with Rails 3, 4, or 5
+    post :event
   end
 
-  it "denies access with invalid event data" do
-    count = 0
-    StripeEvent.subscribe('charge.succeeded') { |evt| count += 1 }
-    stub_event('evt_invalid_id', 404)
-
-    webhook id: 'evt_invalid_id'
-
-    expect(response.code).to eq '401'
-    expect(count).to eq 0
+  def webhook_with_signature(params, secret = secret1)
+    webhook generate_signature(params, secret), params
   end
 
-  it "ensures user-generated Stripe exceptions pass through" do
-    StripeEvent.subscribe('charge.succeeded') { |evt| raise Stripe::StripeError, "testing" }
-    stub_event('evt_charge_succeeded')
+  routes { StripeEvent::Engine.routes }
 
-    expect { webhook id: 'evt_charge_succeeded' }.to raise_error(Stripe::StripeError, /testing/)
-  end
+  context "without a signing secret" do
+    before(:each) { StripeEvent.signing_secret = nil }
 
-  context "with an authentication secret" do
-    def webhook_with_secret(secret, params)
-      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('user', secret)
-      webhook params
+    it "denies invalid signature" do
+      webhook "invalid signature", charge_succeeded
+      expect(response.code).to eq '400'
     end
 
-    before(:each) { StripeEvent.authentication_secret = "secret" }
-    after(:each) { StripeEvent.authentication_secret = nil }
+    it "denies valid signature" do
+      webhook_with_signature charge_succeeded
+      expect(response.code).to eq '400'
+    end
+  end
+
+  context "with a signing secret" do
+    before(:each) { StripeEvent.signing_secret = secret1 }
 
-    it "rejects requests with no secret" do
-      stub_event('evt_charge_succeeded')
+    it "denies missing signature" do
+      webhook nil, charge_succeeded
+      expect(response.code).to eq '400'
+    end
 
-      webhook id: 'evt_charge_succeeded'
-      expect(response.code).to eq '401'
+    it "denies invalid signature" do
+      webhook "invalid signature", charge_succeeded
+      expect(response.code).to eq '400'
     end
 
-    it "rejects requests with incorrect secret" do
-      stub_event('evt_charge_succeeded')
+    it "denies signature from wrong secret" do
+      webhook_with_signature charge_succeeded, 'bogus'
+      expect(response.code).to eq '400'
+    end
 
-      webhook_with_secret 'incorrect', id: 'evt_charge_succeeded'
-      expect(response.code).to eq '401'
+    it "succeeds with valid signature from correct secret" do
+      webhook_with_signature charge_succeeded, secret1
+      expect(response.code).to eq '200'
     end
 
-    it "accepts requests with correct secret" do
-      stub_event('evt_charge_succeeded')
+    it "succeeds with valid event data" do
+      count = 0
+      StripeEvent.subscribe('charge.succeeded') { |evt| count += 1 }
+
+      webhook_with_signature charge_succeeded
 
-      webhook_with_secret 'secret', id: 'evt_charge_succeeded'
       expect(response.code).to eq '200'
+      expect(count).to eq 1
     end
-  end
 
-  context "with a signing secret" do
-    def webhook_with_signature(signature, params)
-      request.env['HTTP_STRIPE_SIGNATURE'] = signature
-      webhook params
-    end
+    it "succeeds when the event_filter returns nil (simulating an ignored webhook event)" do
+      count = 0
+      StripeEvent.event_filter = lambda { |event| return nil }
+      StripeEvent.subscribe('charge.succeeded') { |evt| count += 1 }
 
-    def generate_signature(secret)
-      payload   = 'id=evt_charge_succeeded'
-      timestamp = Time.now.to_i
-      signature = Stripe::Webhook::Signature.send(:compute_signature, "#{timestamp}.#{payload}", secret)
+      webhook_with_signature charge_succeeded
 
-      "t=#{timestamp},v1=#{signature}"
+      expect(response.code).to eq '200'
+      expect(count).to eq 0
     end
 
-    let(:shared_secret) { 'secret' }
+    it "ensures user-generated Stripe exceptions pass through" do
+      StripeEvent.subscribe('charge.succeeded') { |evt| raise Stripe::StripeError, "testing" }
 
-    before(:each) { StripeEvent.signing_secret = shared_secret }
-    after(:each) { StripeEvent.signing_secret = nil }
+      expect { webhook_with_signature(charge_succeeded) }.to raise_error(Stripe::StripeError, /testing/)
+    end
+  end
 
-    it "rejects missing signature" do
-      webhook id: 'evt_charge_succeeded'
+  context "with multiple signing secrets" do
+    before(:each) { StripeEvent.signing_secrets = [secret1, secret2] }
 
+    it "denies missing signature" do
+      webhook nil, charge_succeeded
       expect(response.code).to eq '400'
     end
 
-    it "rejects invalid signature" do
-      webhook_with_signature "invalid signature", id: 'evt_charge_succeeded'
-
+    it "denies invalid signature" do
+      webhook "invalid signature", charge_succeeded
       expect(response.code).to eq '400'
     end
 
-    it "accepts valid signature" do
-      stub_event 'evt_charge_succeeded'
+    it "denies signature from wrong secret" do
+      webhook_with_signature charge_succeeded, 'bogus'
+      expect(response.code).to eq '400'
+    end
 
-      webhook_with_signature generate_signature(shared_secret), id: 'evt_charge_succeeded'
+    it "succeeds with valid signature from first secret" do
+      webhook_with_signature charge_succeeded, secret1
+      expect(response.code).to eq '200'
+    end
 
+    it "succeeds with valid signature from second secret" do
+      webhook_with_signature charge_succeeded, secret2
       expect(response.code).to eq '200'
     end
   end

data/spec/lib/stripe_event_spec.rb

@@ -3,8 +3,10 @@ require 'spec_helper'
 describe StripeEvent do
   let(:events) { [] }
   let(:subscriber) { ->(evt){ events << evt } }
-  let(:charge_succeeded) { double('charge succeeded') }
-  let(:charge_failed) { double('charge failed') }
+  let(:charge_succeeded) { Stripe::Event.construct_from(id: 'evt_charge_succeeded', type: 'charge.succeeded') }
+  let(:charge_failed) { Stripe::Event.construct_from(id: 'evt_charge_failed', type: 'charge.failed') }
+  let(:card_created) { Stripe::Event.construct_from(id: 'event_card_created', type: 'customer.card.created') }
+  let(:card_updated) { Stripe::Event.construct_from(id: 'event_card_updated', type: 'customer.card.updated') }
 
   describe ".configure" do
     it "yields itself to the block" do
@@ -27,16 +29,11 @@ describe StripeEvent do
   end
 
   describe "subscribing to a specific event type" do
-    before do
-      expect(charge_succeeded).to receive(:[]).with(:type).and_return('charge.succeeded')
-      expect(Stripe::Event).to receive(:retrieve).with('evt_charge_succeeded').and_return(charge_succeeded)
-    end
-
     context "with a block subscriber" do
       it "calls the subscriber with the retrieved event" do
         StripeEvent.subscribe('charge.succeeded', &subscriber)
 
-        StripeEvent.instrument(id: 'evt_charge_succeeded', type: 'charge.succeeded')
+        StripeEvent.instrument(charge_succeeded)
 
         expect(events).to eq [charge_succeeded]
       end
@@ -46,81 +43,20 @@ describe StripeEvent do
       it "calls the subscriber with the retrieved event" do
         StripeEvent.subscribe('charge.succeeded', subscriber)
 
-        StripeEvent.instrument(id: 'evt_charge_succeeded', type: 'charge.succeeded')
+        StripeEvent.instrument(charge_succeeded)
 
         expect(events).to eq [charge_succeeded]
       end
     end
   end
 
-  describe "subscribing to the 'account.application.deauthorized' event type" do
-    before do
-      expect(Stripe::Event).to receive(:retrieve).with('evt_account_application_deauthorized').and_raise(Stripe::AuthenticationError)
-    end
-
-    context "with a subscriber params with symbolized keys" do
-      it "calls the subscriber with the retrieved event" do
-        StripeEvent.subscribe('account.application.deauthorized', subscriber)
-
-        StripeEvent.instrument(id: 'evt_account_application_deauthorized', type: 'account.application.deauthorized')
-
-        expect(events.first.type).to    eq 'account.application.deauthorized'
-        expect(events.first[:type]).to  eq 'account.application.deauthorized'
-      end
-    end
-
-    # The Stripe api expects params to be passed into their StripeObject's
-    # with symbolized keys, but the params that we pass through from a
-    # accont.application.deauthorized webhook are a HashWithIndifferentAccess
-    # (keys stored as strings always.
-    context "with a subscriber params with indifferent access (stringified keys)" do
-      it "calls the subscriber with the retrieved event" do
-        StripeEvent.subscribe('account.application.deauthorized', subscriber)
-
-        StripeEvent.instrument({ id: 'evt_account_application_deauthorized', type: 'account.application.deauthorized' }.with_indifferent_access)
-
-        expect(events.first.type).to    eq 'account.application.deauthorized'
-        expect(events.first[:type]).to  eq 'account.application.deauthorized'
-      end
-    end
-
-    # Rails 5.1 uses ActionController::Parameters which is not inherited from
-    # ActiveSupport::HashWithIndifferentAccess anymore
-    if Rails::VERSION::MAJOR > 3
-      context "with a subscriber params with indifferent access (controller params)" do
-        it "calls the subscriber with the retrieved event" do
-          StripeEvent.subscribe('account.application.deauthorized', subscriber)
-
-          StripeEvent.instrument(ActionController::Parameters.new(
-            id: 'evt_account_application_deauthorized',
-            type: 'account.application.deauthorized'
-          ))
-
-          expect(events.first.type).to    eq 'account.application.deauthorized'
-          expect(events.first[:type]).to  eq 'account.application.deauthorized'
-        end
-      end
-    end
-  end
-
   describe "subscribing to a namespace of event types" do
-    let(:card_created) { double('card created') }
-    let(:card_updated) { double('card updated') }
-
-    before do
-      expect(card_created).to receive(:[]).with(:type).and_return('customer.card.created')
-      expect(Stripe::Event).to receive(:retrieve).with('evt_card_created').and_return(card_created)
-
-      expect(card_updated).to receive(:[]).with(:type).and_return('customer.card.updated')
-      expect(Stripe::Event).to receive(:retrieve).with('evt_card_updated').and_return(card_updated)
-    end
-
     context "with a block subscriber" do
       it "calls the subscriber with any events in the namespace" do
         StripeEvent.subscribe('customer.card', &subscriber)
 
-        StripeEvent.instrument(id: 'evt_card_created', type: 'customer.card.created')
-        StripeEvent.instrument(id: 'evt_card_updated', type: 'customer.card.updated')
+        StripeEvent.instrument(card_created)
+        StripeEvent.instrument(card_updated)
 
         expect(events).to eq [card_created, card_updated]
       end
@@ -130,8 +66,8 @@ describe StripeEvent do
       it "calls the subscriber with any events in the namespace" do
         StripeEvent.subscribe('customer.card.', subscriber)
 
-        StripeEvent.instrument(id: 'evt_card_updated', type: 'customer.card.updated')
-        StripeEvent.instrument(id: 'evt_card_created', type: 'customer.card.created')
+        StripeEvent.instrument(card_updated)
+        StripeEvent.instrument(card_created)
 
         expect(events).to eq [card_updated, card_created]
       end
@@ -139,20 +75,12 @@ describe StripeEvent do
   end
 
   describe "subscribing to all event types" do
-    before do
-      expect(charge_succeeded).to receive(:[]).with(:type).and_return('charge.succeeded')
-      expect(Stripe::Event).to receive(:retrieve).with('evt_charge_succeeded').and_return(charge_succeeded)
-
-      expect(charge_failed).to receive(:[]).with(:type).and_return('charge.failed')
-      expect(Stripe::Event).to receive(:retrieve).with('evt_charge_failed').and_return(charge_failed)
-    end
-
     context "with a block subscriber" do
       it "calls the subscriber with all retrieved events" do
         StripeEvent.all(&subscriber)
 
-        StripeEvent.instrument(id: 'evt_charge_succeeded', type: 'charge.succeeded')
-        StripeEvent.instrument(id: 'evt_charge_failed', type: 'charge.failed')
+        StripeEvent.instrument(charge_succeeded)
+        StripeEvent.instrument(charge_failed)
 
         expect(events).to eq [charge_succeeded, charge_failed]
       end
@@ -162,8 +90,8 @@ describe StripeEvent do
       it "calls the subscriber with all retrieved events" do
         StripeEvent.all(subscriber)
 
-        StripeEvent.instrument(id: 'evt_charge_succeeded', type: 'charge.succeeded')
-        StripeEvent.instrument(id: 'evt_charge_failed', type: 'charge.failed')
+        StripeEvent.instrument(charge_succeeded)
+        StripeEvent.instrument(charge_failed)
 
         expect(events).to eq [charge_succeeded, charge_failed]
       end

data/spec/spec_helper.rb

@@ -13,13 +13,15 @@ RSpec.configure do |config|
   end
 
   config.before do
-    @event_retriever = StripeEvent.event_retriever
+    @signing_secrets = StripeEvent.signing_secrets
+    @event_filter = StripeEvent.event_filter
     @notifier = StripeEvent.backend.notifier
     StripeEvent.backend.notifier = @notifier.class.new
   end
 
   config.after do
-    StripeEvent.event_retriever = @event_retriever
+    StripeEvent.signing_secrets = @signing_secrets
+    StripeEvent.event_filter = @event_filter
     StripeEvent.backend.notifier = @notifier
   end
 end

data/stripe_event.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
   s.test_files  = `git ls-files -- Appraisals {spec,gemfiles}/*`.split("\n")
 
   s.add_dependency "activesupport", ">= 3.1"
-  s.add_dependency "stripe", [">= 1.6", "< 4.0"]
+  s.add_dependency "stripe", [">= 2.8", "< 4.0"]
 
   s.add_development_dependency "rails", [">= 3.1"]
   s.add_development_dependency "rake", "< 11.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stripe_event
 version: !ruby/object:Gem::Version
-  version: 1.9.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Danny Whalen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-05 00:00:00.000000000 Z
+date: 2017-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -30,7 +30,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.8'
     - - "<"
       - !ruby/object:Gem::Version
         version: '4.0'
@@ -40,7 +40,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.8'
     - - "<"
       - !ruby/object:Gem::Version
         version: '4.0'
@@ -190,7 +190,6 @@ files:
 - spec/rails_helper.rb
 - spec/spec_helper.rb
 - spec/support/fixtures/evt_charge_succeeded.json
-- spec/support/fixtures/evt_invalid_id.json
 - stripe_event.gemspec
 homepage: https://github.com/integrallis/stripe_event
 licenses:
@@ -259,4 +258,3 @@ test_files:
 - spec/rails_helper.rb
 - spec/spec_helper.rb
 - spec/support/fixtures/evt_charge_succeeded.json
-- spec/support/fixtures/evt_invalid_id.json

data/spec/support/fixtures/evt_invalid_id.json

@@ -1,7 +0,0 @@
-{
-  "error": {
-    "message": "No such notification: invalid-id",
-    "param": "id",
-    "type": "invalid_request_error"
-  }
-}