Adds StripeEvent.signing_secrets as a config option
Adds support for multiple signing secrets
Adds docs to README for multiple signing secret support (including possible use-case)
What else do you need to know?
When multiple signing secrets are enabled, the webhook iterates over each of them looking for one that yields a matching signature for the body payload. Once a match is found, that secret is used for the subsequent verification check while constructing the new event object.
When only one signing secret is enabled, the header verification is short-circuited (skipped) and the secret is passed directly to the verification check that's done automatically when constructing a new event object.
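The secret-selection step described above, as an added example that is not the gem's own code: it assumes Stripe's documented `Stripe-Signature` header format (`t=<timestamp>,v1=<hex HMAC-SHA256 of "t.payload">`) and a 300-second tolerance. The method names and secrets are hypothetical, constructed for illustration.

```ruby
require "openssl"

# Constructed sample secrets; real ones come from the Stripe dashboard.
SECRETS = ["whsec_constructed_old", "whsec_constructed_new"].freeze
TOLERANCE = 300 # seconds; assumed replay window

def compute_signature(secret, timestamp, payload)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
end

# Compare without returning early on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [timestamp, [v1 signatures]], or nil for a malformed header.
def parse_header(header)
  pairs = header.to_s.split(",").map { |kv| kv.split("=", 2) }
  ts = pairs.find { |k, _| k == "t" }&.last
  sigs = pairs.select { |k, v| k == "v1" && v }.map(&:last)
  return nil unless ts.to_s.match?(/\A\d+\z/) && sigs.any?
  [Integer(ts, 10), sigs]
end

# Returns the first configured secret whose HMAC matches the header, or nil.
# A nil result means the request is rejected; nothing falls back to "unsigned".
def matching_secret(payload, header, secrets, now: Time.now.to_i)
  ts, sigs = parse_header(header)
  return nil if ts.nil? || (now - ts).abs > TOLERANCE
  secrets.find do |secret|
    expected = compute_signature(secret, ts, payload)
    sigs.any? { |sig| constant_time_equal?(expected, sig) }
  end
end
```

The payload passed in must be the raw request body, byte for byte; re-serialized JSON will not match the signature.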
Coverage remained the same at 100.0% when pulling 0c4063f87af69f52458a907b744572eac3549a9a on rmm5t:98-support-multiple-signing-secrets into ed518fa7adfaf822979ea720f7a6348e43bea372 on integrallis:master.
Coverage remained the same at 100.0% when pulling 6997993246de90f30ee95b20a3dbfd42b19a79c6 on rmm5t:98-support-multiple-signing-secrets into ed518fa7adfaf822979ea720f7a6348e43bea372 on integrallis:master.