stripe / stripe-cli

A command-line tool for Stripe
https://stripe.com/docs/stripe-cli
Apache License 2.0

`events resend --live` and webhook signature #420

Open fabswt opened 4 years ago

fabswt commented 4 years ago

Hi!

I'm playing with Stripe CLI to try and make testing easier. e.g.: yesterday, I upgraded from an old version of the API and later realized I'd missed a bug due to the API change. In such a situation, the ability to replay events from the live server on the local development codebase proves super handy.

I created a gist to sum up what I learned:
https://gist.github.com/fabswt/415e4f05fb1015b72105627e86de5280

However, I have a couple of questions:

  1. If I got this right, the webhook signature is meant to check the notification did come from Stripe. However, `\Stripe\Webhook::constructEvent` keeps failing when used with `events resend --live` (saying the signature is invalid)… so I actually had to disable the signature check (see gist). How come?

  2. Yesterday, before I figured out how to replay live events locally, I fixed the bug by testing the fix on our production server directly (it worked). My question is: what would have happened if my local development codebase had handled the notification instead?

    • i.e.: when an event fails, Stripe keeps retrying, and when it finally succeeds it stops. If local dev (via Stripe CLI's `resend --live`) is the first to successfully respond to the event, what happens next? Will Stripe resend the event to the production webhook or not? Or will I have to resend it?

  3. How safe (or not) is it to give a Restricted Key (generated by Stripe CLI) write rights on Webhook Endpoints?

Thanks for the clarifications!

tomer-stripe commented 4 years ago

Hey @fabswt! Let me look into 1 and 2, I don't remember offhand how resend hooks into our normal pipeline.

For 3: it should be safe for the CLI key to have write access to webhook endpoints.

ob-stripe commented 4 years ago

Hey @fabswt, sorry for the late reply.

I spent some time trying to reproduce this issue and came up empty. `stripe events resend` will resend the event with a new signature, because the signed payload includes a timestamp and the timestamp would of course not be the same. But the signing secret is the same and there's no reason the signature verification would fail on your end, especially if it succeeded when the original event was received.

Can you share the exception message when a `SignatureVerificationException` is raised?
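
Added example, not part of the thread and not code from stripe-cli or stripe-php: a sketch of the timestamped HMAC-SHA256 scheme Stripe documents for the `Stripe-Signature` header, showing that a resent event carries a different signature yet verifies under the same secret. The secret, payload, timestamps, function names and the 300-second tolerance are constructed or assumed for illustration.

```python
import hashlib
import hmac

TOLERANCE = 300  # seconds; assumed maximum accepted age of a signed event


def _digest(secret: str, payload: bytes, timestamp: int) -> str:
    # The signed payload is "<timestamp>.<raw request body>".
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def sign(secret: str, payload: bytes, timestamp: int) -> str:
    """Build a header value of the form t=<timestamp>,v1=<hex digest>."""
    return f"t={timestamp},v1={_digest(secret, payload, timestamp)}"


def verify(secret: str, payload: bytes, header: str, now: int,
           tolerance: int = TOLERANCE) -> str:
    """Return "ok" or the reason verification failed."""
    parts = {}
    for item in header.split(","):
        key, _, value = item.partition("=")
        parts.setdefault(key.strip(), []).append(value.strip())
    try:
        timestamp = int(parts["t"][0])
    except (KeyError, ValueError):
        return "malformed header"
    expected = _digest(secret, payload, timestamp)
    # Constant-time comparison against every v1 value in the header.
    if not any(hmac.compare_digest(expected, s) for s in parts.get("v1", [])):
        return "signature mismatch"
    if now - timestamp > tolerance:
        return "timestamp outside tolerance"
    return "ok"


# Constructed sample data: one event body, delivered once and resent a day later.
SECRET = "whsec_constructed_example"
PAYLOAD = b'{"id":"evt_constructed","type":"charge.succeeded"}'
ORIGINAL_TS = 1_600_000_000
RESENT_TS = ORIGINAL_TS + 86_400
ORIGINAL = sign(SECRET, PAYLOAD, ORIGINAL_TS)
RESENT = sign(SECRET, PAYLOAD, RESENT_TS)

if __name__ == "__main__":
    print("headers differ:", ORIGINAL != RESENT)
    print("resent event:", verify(SECRET, PAYLOAD, RESENT, now=RESENT_TS + 10))
    print("old header replayed:", verify(SECRET, PAYLOAD, ORIGINAL, now=RESENT_TS + 10))
    print("other secret:", verify("whsec_other", PAYLOAD, RESENT, now=RESENT_TS + 10))
```

Printing the reason string next to the exception message is a quick way to tell a secret or body mismatch apart from a stale timestamp when debugging a handler.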