Basic authentication support #55
Conversation
2 similar comments
| StripeEvent.authentication_secret.nil? or \ | ||
| authenticate_or_request_with_http_basic do |username, password| | ||
| password == StripeEvent.authentication_secret | ||
| end |
There was a problem hiding this comment.
Overall, decent looking pull-request, but could we move this portion to more idiomatic ruby?
Either:
authenticate_or_request_with_http_basic do |username, password|
password == StripeEvent.authentication_secret
end if StripeEvent.authentication_secretOR
if StripeEvent.authentication_secret
authenticate_or_request_with_http_basic do |username, password|
password == StripeEvent.authentication_secret
end
end
| context "with an authentication secret" do | ||
| def webhook(secret, params) | ||
| if secret | ||
| request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('user', secret) |
There was a problem hiding this comment.
Overriding webhook in this context reduces duplication but makes the tests a bit harder to reason about. I'd rather repeat request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('user', secret) in each test for clarity.
There was a problem hiding this comment.
If overriding webhook is a concern, we could always rename the override to webhook_with_secret or even have a separate set_secret call.
There was a problem hiding this comment.
I agree with @invisiblefunnel here. A webhook_with_secret should suffice and add clarity.
|
This is a great start! Thanks for putting it together. @rmm5t @peterkeen what do you think about specifying a secret vs. |
Good question. If we don't keep this simple, it's less likely that people will implement this protective feature. I think that's more important. Afterall, if we realize this a limitation, it's easier to add more flexibility and maintain the simpler backwards compatibility than remove it later. |
|
@rmm5t very good point about simplicity for the end user. Let's proceed with the |
Instead, add a webhook_with_secret() method.
1 similar comment
|
I think we're close enough to get this merged in. Any objections? |
|
Sweet. Merging in 3...2...1 Great work @brentdax! Thanks for taking the lead on getting this PR going. @invisiblefunnel Sure thing. I'm glad to handle the version bump and release too if you want to grant |
|
Sorry I totally dropped off this thread, but I think this is a great addition to the project. Thanks @brentdax, @rmm5t, and @invisiblefunnel |
|
@rmm5t you're all set. Thanks again everyone! |
|
v1.5.0 is in the wild. 🍻 |
|
Cheers! |
|
Yeah, I had to update my Gemfile twice in the span of a couple hours as the pull request was merged and then released. Thanks for working with me on this! |
Pursuant to #53, this branch adds basic authentication support to StripeEvent.
Basic authentication is supported in the simplest way possible:
StripeEvent.authentication_secretattribute to their desired password.authentication_secretis set, a newbefore_actioninWebhookControllerensures that the request is appropriately authenticated, and returns a 401 otherwise.authentication_secretis not set, the module behaves as it does currently. All previously-existing tests pass unmodified.This branch does not add a default way to determine the secret, a deprecation warning if the user doesn't specify a secret, or anything else of that sort. I'm by no means opposed to such things, but since this is my first pull request, I don't feel qualified to make those sorts of design decisions. It does, however, include new tests to ensure this feature is working as intended and a section in the README explaining how to enable it.
Suggestions welcome.