Closed beccadax closed 9 years ago
This is a great start! Thanks for putting it together.
@rmm5t @peterkeen what do you think about specifying a secret vs. authenticate_with_http_basic?
Good question. authenticate_with_http_basic certainly gives more flexibility, but I'm not sure what flexibility buys us here. Let's go for simplicity instead and take an opinionated approach about how the replay attack prevention should be handled. SSL/TLS + BasicAuth-Secret == Secure
If we don't keep this simple, it's less likely that people will implement this protective feature. I think that's more important.
After all, if we realize this is a limitation, it's easier to add more flexibility while maintaining backwards compatibility than to remove it later.
@rmm5t very good point about simplicity for the end user. Let's proceed with the authentication_secret approach. Things are coming together!
I think we're close enough to get this merged in. Any objections?
Looks good to me. Thank you @brentdax @rmm5t! @rmm5t I'd also like to add you as an author in the gemspec, sound good?
Sweet. Merging in 3...2...1
Great work @brentdax! Thanks for taking the lead on getting this PR going.
@invisiblefunnel Sure thing. I'm glad to handle the version bump and release too if you want to grant gem push rights. My rubygems email is the same as on my github profile. I'll be securing my webhook endpoints to use the new auth secret soon after.
Sorry I totally dropped off this thread, but I think this is a great addition to the project. Thanks @brentdax, @rmm5t, and @invisiblefunnel
@rmm5t you're all set.
Thanks again everyone!
v1.5.0 is in the wild. :beers:
Cheers!
Yeah, I had to update my Gemfile twice in the span of a couple hours as the pull request was merged and then released. Thanks for working with me on this!
Pursuant to #53, this branch adds basic authentication support to StripeEvent.
Basic authentication is supported in the simplest way possible: the user sets the StripeEvent.authentication_secret attribute to their desired password. If authentication_secret is set, a new before_action in WebhookController ensures that the request is appropriately authenticated, and returns a 401 otherwise. If authentication_secret is not set, the module behaves as it does currently. All previously-existing tests pass unmodified.

This branch does not add a default way to determine the secret, a deprecation warning if the user doesn't specify a secret, or anything else of that sort. I'm by no means opposed to such things, but since this is my first pull request, I don't feel qualified to make those sorts of design decisions. It does, however, include new tests to ensure this feature is working as intended and a section in the README explaining how to enable it.
Suggestions welcome.
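As an added illustration of the check this PR describes (example code written for this page, not StripeEvent's own), here is a framework-independent Ruby version of the before_action logic: the secret is optional (nil keeps the old open behaviour), the password from the HTTP Basic header is compared in constant time, malformed headers are rejected, and failures produce the 401 the description mentions. The module name WebhookAuth and the realm string are assumptions; as the thread notes, this only protects the endpoint when it is served over SSL/TLS.

```ruby
require 'base64'

# Hypothetical module (not part of StripeEvent) modelling the PR's
# authentication_secret check as a Rack-style helper.
module WebhookAuth
  # Constant-time comparison so a wrong guess cannot be distinguished from a
  # nearly-right one by response timing (same shape as Rack::Utils.secure_compare).
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end

  # True when the request may proceed. A nil secret means the feature is not
  # configured, matching "the module behaves as it does currently".
  def self.authorized?(authorization_header, secret)
    return true if secret.nil?
    return false unless authorization_header.is_a?(String)
    scheme, encoded = authorization_header.split(' ', 2)
    return false unless scheme && encoded && scheme.casecmp?('basic')
    begin
      decoded = Base64.strict_decode64(encoded)
    rescue ArgumentError
      return false # not valid base64: treat as no credentials at all
    end
    _user, _sep, password = decoded.partition(':') # username is ignored
    secure_compare(password, secret)
  end

  # Equivalent of the before_action: nil lets the controller action run,
  # otherwise a Rack triple with the 401 response is returned.
  def self.check(env, secret)
    return nil if authorized?(env['HTTP_AUTHORIZATION'], secret)
    [401,
     { 'Content-Type' => 'text/plain', 'WWW-Authenticate' => 'Basic realm="StripeEvent"' },
     ['HTTP Basic: Access denied.']]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the secret and the credential a webhook sender would
  # embed in the URL (https://stripe:SECRET@example.test/webhook).
  secret = 'example-secret'
  header = 'Basic ' + Base64.strict_encode64("stripe:#{secret}")
  p WebhookAuth.check({ 'HTTP_AUTHORIZATION' => header }, secret) # nil => allowed
  p WebhookAuth.check({}, secret).first                           # 401
end
```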