integrallis / stripe_event

Stripe webhook integration for Rails applications.
https://rubygems.org/gems/stripe_event
MIT License

Support for Signed Web Hooks? #83

Closed stevenharman closed 7 years ago

stevenharman commented 7 years ago

Stripe supports verifying Web Hook payloads via HMAC SHA-256 signatures. The stripe-ruby gem recently (on 2017-04-28) added support for verifying signatures. Now that it's available, perhaps it can be rolled into stripe_event? For example, perhaps the default retriever can first verify the signature before trying to retrieve the event from Stripe?

Before I put any effort toward a PR to add this, I wanted to make sure it was something you were open to.

Thank you.

rmm5t commented 7 years ago

That's cool, useful feature. I wasn't aware that Stripe added it. This gem already has support for Basic Auth as a means of an exchanged secret (see #55), but a verified signature based on the Stripe credentials is even better, and can be done without requiring additional configuration.

I'd love to see a PR for this, because it's something that we could turn on by default and everyone just becomes a bit more secure without having to take any extra configuration steps.

In fact, I would also support deprecating the use of our existing StripeEvent.authentication_secret basic authentication checks in favor of this new Stripe-Signature header.

Any additional thoughts anyone?

rmm5t commented 7 years ago

/cc @brentdax (author of #55) to see if he has any security insights related to my comments above.

invisiblefunnel commented 7 years ago

Big 👍 for this feature! cc @brandur for awareness.

brandur commented 7 years ago

> I wasn't aware that Stripe added it.

Yeah, the launch has been pretty quiet so far. We talked it over yesterday and I think we're going to do a blog post or something, if only to tell a few more people that it exists.

> I'd love to see a PR for this, because it's something that we could turn on by default and everyone just becomes a bit more secure without having to take any extra configuration steps.

One thing to note here is that every webhook endpoint is assigned its own secret which is used to verify incoming signatures, so there is a little configuration involved (it's pretty easy though).

I think support here would be great, and let me know if I can help review. There are helpers in the latest version of stripe-ruby that should help with implementation.

beccadax commented 7 years ago

This looks like a great new feature, and probably obviates the need to use the existing authentication_secret. The existing feature is pretty small and simple, though, so it may not be worth removing it (just de-emphasize it in the docs), or it may be best to allow a long deprecation cycle. That's more a release management question than a security one, though.

rathboma commented 7 years ago

Just found this library -- you rock for making this! Thanks so much

Would using the signed webhooks deprecate the need to fetch the event from the stripe API?

brandur commented 7 years ago

> Would using the signed webhooks deprecate the need to fetch the event from the stripe API?

I'm not the author of this library, but yes, the signatures provide a secure alternative to the old method of having to verify the incoming event with an API call.

lloydwatkin commented 7 years ago

Was just looking to open an issue for just this :+1:

rmm5t commented 7 years ago

All, please take a look at #90 by @mikeycgto. I can merge and release it later today or tomorrow if no one objects.

rmm5t commented 7 years ago

:tada: v1.8.0 was just released with signing_secret support :tada:
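
The check discussed in this thread, as an added example that is not part of the original issue and is not code from stripe_event or stripe-ruby: the `Stripe-Signature` header carries a timestamp (`t=`) and one or more `v1=` values, each a hex HMAC-SHA256 of `"<timestamp>.<raw body>"` keyed with the endpoint's signing secret. The module name, the 300-second replay window and all sample values are assumptions constructed for illustration.

```ruby
require "openssl"

# Illustrative verifier (hypothetical names; not stripe_event or stripe-ruby code).
module WebhookSignature
  TOLERANCE = 300 # seconds; assumed replay window

  class VerificationError < StandardError; end

  # Hex HMAC-SHA256 over "<timestamp>.<raw body>", keyed with the endpoint secret.
  def self.compute(secret, timestamp, payload)
    OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
  end

  # Constant-time comparison, so response timing does not leak how many
  # leading characters of a guessed signature were correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns true or raises VerificationError. `payload` must be the raw request
  # body exactly as received; re-serialized JSON will not match the signature.
  def self.verify!(payload, header, secret, now: Time.now.to_i, tolerance: TOLERANCE)
    pairs = header.to_s.split(",").map { |kv| kv.strip.split("=", 2) }
    timestamp = pairs.find { |k, _| k == "t" }&.last
    candidates = pairs.select { |k, v| k == "v1" && v }.map(&:last)
    unless timestamp.to_s.match?(/\A\d+\z/) && candidates.any?
      raise VerificationError, "malformed header"
    end

    expected = compute(secret, timestamp, payload)
    unless candidates.any? { |sig| secure_compare(expected, sig) }
      raise VerificationError, "signature mismatch"
    end
    # A valid signature on an old timestamp is a replayed delivery.
    raise VerificationError, "timestamp outside tolerance" if (now - timestamp.to_i).abs > tolerance
    true
  end
end

# Constructed sample delivery (not real Stripe data).
SECRET  = "whsec_constructed_example"
BODY    = '{"id":"evt_constructed","type":"charge.succeeded"}'
SENT_AT = 1_500_000_000
HEADER  = "t=#{SENT_AT},v1=#{WebhookSignature.compute(SECRET, SENT_AT, BODY)}"
```

Because the secret is per endpoint, a handler that serves several webhook endpoints needs to select the secret for the endpoint that received the request before verifying.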