Stripe event handling doesn't verify the source - Githubissues

django / djangoproject.com

Source code to djangoproject.com

https://www.djangoproject.com/

BSD 3-Clause "New" or "Revised" License

1.89k stars 954 forks source link

Stripe event handling doesn't verify the source #1765

Open alexgmin opened 2 days ago

alexgmin commented 2 days ago

https://github.com/django/djangoproject.com/blob/5537f965ece29b766efe17c1d2137c3d2037811c/fundraising/views.py#L196-L201 Instead of calling Stripe with the event id it should verify the source of the event and prevent replay attacks as indicated here https://docs.stripe.com/webhooks#verify-events

The Stripe library already has a method to do this https://docs.stripe.com/webhooks?lang=python#verify-webhook-signatures-with-official-libraries

bmispelon commented 1 day ago

@alexgmin I've opened a PR for this: #1770

Does that seem ok to you?