Sultan
/
invoiceninja
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add webhook secret and signature verification 

Added webhook secret property and validation for Stripe webhook requests.

Signed-off-by: TechNoNerd87 <113461509+TechNoNerd87@users.noreply.github.com>
This commit is contained in:
TechNoNerd87 2025-11-23 14:42:53 -06:00 committed by GitHub
parent 3b4d108160
commit 7468762079
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
app/PaymentDrivers/StripePaymentDriver.php
View File

@ -85,6 +85,8 @@ class StripePaymentDriver extends BaseDriver implements SupportsHeadlessInterfac
public $stripe_connect_auth = []; public $stripe_connect_auth = [];
public $webhook_secret = "";
public static $methods = [ public static $methods = [
GatewayType::CREDIT_CARD => CreditCard::class, GatewayType::CREDIT_CARD => CreditCard::class,
GatewayType::BANK_TRANSFER => ACH::class, GatewayType::BANK_TRANSFER => ACH::class,
@ -122,6 +124,8 @@ class StripePaymentDriver extends BaseDriver implements SupportsHeadlessInterfac
throw new StripeConnectFailure('Stripe Connect has not been configured'); throw new StripeConnectFailure('Stripe Connect has not been configured');
} }
} else { } else {
$this->webhook_secret = $this->company_gateway->getConfigField('webhookSecret');
$this->stripe = new StripeClient( $this->stripe = new StripeClient(
$this->company_gateway->getConfigField('apiKey') $this->company_gateway->getConfigField('apiKey')
); );
@ -700,6 +704,27 @@ class StripePaymentDriver extends BaseDriver implements SupportsHeadlessInterfac
public function processWebhookRequest(PaymentWebhookRequest $request) public function processWebhookRequest(PaymentWebhookRequest $request)
{ {
// Validate webhook signature if webhook_secret is configured
if ($this->webhook_secret) {
$sig_header = $_SERVER["HTTP_STRIPE_SIGNATURE"] ?? $request->header('Stripe-Signature');
if (!$sig_header) {
nlog("Stripe webhook signature verification failed: No signature header");
return response()->json(['error' => 'No signature header'], 403);
}
try {
\Stripe\Webhook::constructEvent(
$request->getContent(),
$sig_header,
$this->webhook_secret
);
} catch (\Stripe\Exception\SignatureVerificationException $e) {
nlog("Stripe webhook signature verification failed: " . $e->getMessage());
return response()->json(['error' => 'Invalid signature'], 403);
}
}
nlog($request->all()); nlog($request->all());
if ($request->type === 'customer.source.updated') { if ($request->type === 'customer.source.updated') {