Closed peterkeen closed 9 years ago
Why raise an error instead of just returning from each webhook subscription?
Also, wouldn't it be much better to centralize this and short-circuit everything in the event_retriever
instead of the individual webhook subscriptions? The event_retriever would be better at sniffing for replay attacks or deactivated accounts anyway. It separates concerns much better than making every webhook subscription handle those cases.
In other words, I don't think the WebhookController
should know anything about this special case.
Perhaps the implementation could be even simpler too. If the event_retriever
returns nil
instead of an event object, ignore the event, don't fire callbacks on the event subscriptions, and just let the WebhookController
naturally return :ok
.
The only thing we'd have to add is a conditional check (if event
) when calling backend.instrument
. For example:
backend.instrument(namespace.call(event[:type]), event) if event
Thoughts?
Having event_retriever
throw the exception was actually my intent but the test doesn't show that at all. I like your design better, but for some reason it seemed more awkward to test at the time. I'll implement the change.
Whoops. It looks like we criss-crossed some pull-requests. I just submitted #38. Same implementation, but we went about testing it in a different way. I wanted to also test and ensure that a 200 response code was still getting returned to stripe for these ignored events.
No worries. As long as it gets implemented somehow I'm happy :)
On Fri, Jul 11, 2014 at 9:28 AM, Ryan McGeary notifications@github.com wrote:
Whoops. It looks like we criss-crossed some pull-requests. I just submitted #38 https://github.com/integrallis/stripe_event/pull/38. Same implemetation, but we went about testing it in a different way. I wanted to also test and ensure that a 200 response code was still getting returned to stripe for these ignored events.
— Reply to this email directly or view it on GitHub https://github.com/integrallis/stripe_event/pull/36#issuecomment-48729721 .
Thanks @peterkeen. Glad to have your input on this gem!
This adds the ability to selectively reject an event. For example, if you want to prevent replay attacks you would set up your event retriever to record every event id that comes in and reject duplicates. Or, if you are still receiving events for connected Stripe accounts that are deactivated in your system, you could drop their events on the floor.