Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[10.x] Refactor handling of invalid webhook signatures #791

Merged
merged 1 commit into from
Sep 27, 2019
Merged

[10.x] Refactor handling of invalid webhook signatures #791

merged 1 commit into from
Sep 27, 2019

Conversation

sebdesign
Copy link
Contributor

We can rid of the \Illuminate\Contracts\Foundation\Application dependency in the VerifyWebhookSignature constructor, by manually throwing a 403 exception.

This simplifies both the implementation and the tests, and it allows us to pass the message and the original exception to the exception handler.

@sebdesign
Refactor handling of invalid webhook signatures
6ce9d8a 
We can rid of the `\Illuminate\Contracts\Foundation\Application` dependency in the `VerifyWebhookSignature` constructor, by manually throwing a 403 exception.

This simplifies both the implementation and the tests, and it allows us to pass the message and the original exception to the exception handler.
@sebdesign sebdesign force-pushed the feature/invalid-webhook-signatures branch from 799aea0 to 6ce9d8a Compare September 26, 2019 18:25
@driesvints driesvints changed the title Refactor handling of invalid webhook signatures [10.x] Refactor handling of invalid webhook signatures Sep 27, 2019
driesvints
driesvints approved these changes Sep 27, 2019
View reviewed changes
Copy link
Member

@driesvints driesvints left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, wauw. Very cool. Thanks! :)

@driesvints
Copy link
Member

On thing on my mind is people extending the class and using the app property but that seems very unlikely tbh.

@sebdesign
Copy link
Contributor Author

Yeah I doubt people would want to extend this middleware. :)

@taylorotwell taylorotwell merged commit 060fff8 into laravel:10.0 Sep 27, 2019
@sebdesign
Copy link
Contributor Author

@driesvints should we remove the config repository dependency as well? We are using config('cashier...) everywhere except from this class.

@driesvints
Copy link
Member

@sebdesign I think that was still needed for the tests but if you can simplify it then go for it.

@sebdesign
Copy link
Contributor Author

@driesvints I'll do it tonight! The goal is to simplify tests as well.

sebdesign added a commit to sebdesign/cashier that referenced this pull request Sep 30, 2019
@sebdesign
Remove config repository dependency from webhook middleware
d2570e6 
Similarly to laravel#791, we can remove the `\Illuminate\Contracts\Config\Repository` in the `VerifyWebhookSignature`'s constructor. For consistency, the configuration is accessed with the `config()` helper like the rest of the code.

Since we don't need to mock the configuration repository anymore, the test has been moved to the integration suite, because we need to bootstrap the framework.

As a bonus, I have added tests for checking [replay attacks](https://stripe.com/docs/webhooks/signatures#replay-attacks) against the tolerance configuration setting.
@sebdesign sebdesign mentioned this pull request Sep 30, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@driesvints driesvints driesvints approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sebdesign @driesvints @taylorotwell