Webhook Signatures?

[thorlucas]

There's currently no way to verify webhook signatures using this package, is there? This makes webhooks practically unusable considering how unsafe it is.

[lukecurtis93]

You could make your own implementation in the mean time, this is a laravel example -laravel/cashier-stripe#437 (comment)

If you're not using laravel this is the important bits

try {
            WebhookSignature::verifyHeader(
                $request->getContent(),
                $request->header('Stripe-Signature'),
                $this->config->get('services.stripe.webhook.secret'),
                $this->config->get('services.stripe.webhook.tolerance')
            );
        } catch (SignatureVerification $exception) {
            $this->app->abort(403);
        }

You just need to use the appropriate helpers/functions from your specific framework to get these parameters

[brunogaspar]

Not entirely sure this really belongs on the library level, since the library itself is mostly to interact with the Stripe API.

On my end, with Laravel, i've created a middleware to achieve this, and on the Webhook controller i use that middleware. If needed i can share the middleware.