Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[9.0] Encourage usage of VerifyWebhookSignature middleware #591

Merged
merged 1 commit into from Dec 12, 2018

Conversation

@driesvints
Copy link
Member

commented Dec 11, 2018

This PR changes the way we check for events. It removes the API calls to Stripe for checking if an event exists and encourages the usage of the VerifyWebhookSignature middleware.

Verifying incoming webhook events by their signature is the recommended way by Stripe for making sure the event is legit. Making an API call to Stripe like we do now is a bit irrelevant as we can totally verify the legitemacy of the event by the signature alone. This saves us extra API calls to Stripe and should actually speed up webhooks.

This also solves the problem of the CASHIER_ENV env variable. Now that the middleware is only set on the controller when the webhook secret is filled in you have total control of turning it on and off for your use case.

The docs should be updated a little bit to encourage people setting the webhook secret immediately when working with webhooks. It's also not recommended anymore to set the middleware on the route as it's already been set on the controller itself.

All in all this commit simplifies things a lot and solves quite a few things together. It's breaking so I'm targeting master. I'll update the change log as soon as this gets merged. We should encourage people to read it before upgrading.

Fixes #537

Encourage usage of VerifyWebhookSignature middleware
This PR changes the way we check for events. It removes the API calls to Stripe for checking if an event exists and encourages the usage of the VerifyWebhookSignature middleware.

Verifying incoming webhook events by their signature is the recommended way by Stripe for making sure the event is legit. Making an API call to Stripe like we do now is a bit irrelevant as we can totally verify the legitemacy of the event by the signature alone. This saves us extra API calls to Stripe and should actually speed up webhooks.

This also solves the problem of the CASHIER_ENV env variable. Now that the middleware is only set on the controller when the webhook secret is filled in you have total control of turning it on and off for your use case.

The docs should be updated a little bit to encourage people setting the webhook secret immediately when working with webhooks. It's also not recommended anymore to set the middleware on the route as it's already been set on the controller itself.

@driesvints driesvints changed the title [9.0 Encourage usage of VerifyWebhookSignature middleware [9.0] Encourage usage of VerifyWebhookSignature middleware Dec 11, 2018

@taylorotwell taylorotwell merged commit a292fdc into master Dec 12, 2018

3 checks passed

continuous-integration/styleci/pr The analysis has passed
Details
continuous-integration/styleci/push The analysis has passed
Details
continuous-integration/travis-ci/push The Travis CI build passed
Details
@taylorotwell

This comment has been minimized.

Copy link
Member

commented Dec 12, 2018

Thanks - send over the change log updates with upgrade instructions when you get a chance.

@driesvints driesvints deleted the remove-event-checks branch Dec 12, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.