integrallis / stripe_event

Stripe webhook integration for Rails applications.
https://rubygems.org/gems/stripe_event
MIT License

protect from forgery #77

Closed peco8 closed 7 years ago

peco8 commented 7 years ago

This is not an issue or a problem, however I want to get some advice. With stripe-event, should I apply null_session for protect_from_forgery?

I've just heard that, as a default, stripe-webhook events can't be heard without turning off the CSRF protection. Should I do something like below, or protect_from_forgery with: :exception following the default setting?

class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :null_session
end

I only listen to Stripe webhooks.

joedelia commented 7 years ago

The easiest thing would be to add skip_before_action :verify_authenticity_token to your controller I believe!

invisiblefunnel commented 7 years ago

StripeEvent::WebhookController doesn't inherit from ApplicationController, so this change won't apply to the webhook requests from Stripe. Can you provide more detail about your problem?

rmm5t commented 7 years ago

With stripe_event, Should I apply ...

I think it's worth noting for @peco8's benefit that _if you're using stripe_event_, you're not responsible for the Controller that responds to the actual stripe webhooks. That's all handled for you and abstracted away.
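As an added example (not code from the stripe_event project or from any commenter): the CSRF setting is irrelevant because a delivery from Stripe carries no session or cookie, so what actually authenticates it is the Stripe-Signature header (stripe_event hands that check to the Stripe gem once StripeEvent.signing_secret is set). The plain-Ruby verifier below implements Stripe's documented scheme, HMAC-SHA256 over "timestamp.body" with a replay window; the secret, payload and timestamps are constructed values.

```ruby
require "openssl"

# Constructed values for this example only; never reuse them.
SIGNING_SECRET = "whsec_example_constructed_secret"
PAYLOAD = '{"id":"evt_example_1","type":"charge.succeeded"}'
TOLERANCE_SECONDS = 300

# Produce the header value Stripe attaches to a delivery:
# HMAC-SHA256 over "#{timestamp}.#{raw_body}", keyed with the endpoint secret.
def sign_payload(secret, raw_body, timestamp)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{raw_body}")
  "t=#{timestamp},v1=#{mac}"
end

# Constant-time comparison so a forger learns nothing from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an inbound webhook. Returns :ok or a symbol naming why it was rejected.
# Nothing here looks at cookies or a CSRF token: the request has no session.
def verify_webhook(secret, raw_body, header, now: Time.now.to_i)
  return :missing_header if header.to_s.empty?
  pairs = header.split(",").map { |kv| kv.split("=", 2) }
  timestamp = pairs.find { |k, _| k == "t" }&.last
  # Several v1 entries can be present while an endpoint secret is being rotated.
  signatures = pairs.select { |k, _| k == "v1" }.map(&:last)
  return :malformed_header if timestamp.nil? || signatures.empty?
  # Reject replays of old but validly signed deliveries.
  return :stale_timestamp if (now - timestamp.to_i).abs > TOLERANCE_SECONDS
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{raw_body}")
  return :bad_signature unless signatures.any? { |s| secure_equal?(s, expected) }
  :ok
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  good = sign_payload(SIGNING_SECRET, PAYLOAD, now)
  puts "signed by Stripe:         #{verify_webhook(SIGNING_SECRET, PAYLOAD, good, now: now)}"
  puts "body tampered in transit: #{verify_webhook(SIGNING_SECRET, PAYLOAD + " ", good, now: now)}"
  puts "replayed an hour later:   #{verify_webhook(SIGNING_SECRET, PAYLOAD, good, now: now + 3600)}"
  puts "no signature at all:      #{verify_webhook(SIGNING_SECRET, PAYLOAD, nil, now: now)}"
end
```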

peco8 commented 7 years ago

@invisiblefunnel

StripeEvent::WebhookController doesn't inherit from ApplicationController, so this change won't apply to the webhook requests from Stripe.

@rmm5t

you're not responsible for the Controller that responds to the actual stripe webhooks. That's all handled for you and abstracted away.

Now it's clear. It does not really matter if I apply :null_session or :exception for protect_from_forgery, and we can still listen to the webhook events from Stripe.

Thanks for the answer.