Use API controller for webhooks

excid3 · excid3 · commit cd8ebc516fb7 · 2025-12-23T10:27:35.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### 11.4.2
 
+* Use `ActionController::API` as base for webhooks. This removes the need to skip forgery protection and improves performance.
 * Use `inheritance_column` instead of hardcoded `type` column in case users modify migrations
 * Use `attr_reader :support_email` since we define a customer setter
 * Use `skip_forgery_protection` to be more compatible with Rails 8.2+
diff --git a/app/controllers/pay/webhooks/braintree_controller.rb b/app/controllers/pay/webhooks/braintree_controller.rb
@@ -1,8 +1,6 @@
 module Pay
   module Webhooks
-    class BraintreeController < Pay::ApplicationController
-      skip_forgery_protection if Rails.application.config.action_controller.default_protect_from_forgery
-
+    class BraintreeController < ActionController::API
       def create
         queue_event(verified_event)
         head :ok
diff --git a/app/controllers/pay/webhooks/lemon_squeezy_controller.rb b/app/controllers/pay/webhooks/lemon_squeezy_controller.rb
@@ -1,8 +1,6 @@
 module Pay
   module Webhooks
-    class LemonSqueezyController < Pay::ApplicationController
-      skip_forgery_protection if Rails.application.config.action_controller.default_protect_from_forgery
-
+    class LemonSqueezyController < ActionController::API
       def create
         if valid_signature?(request.headers["X-Signature"])
           queue_event(verify_params.as_json)
diff --git a/app/controllers/pay/webhooks/paddle_billing_controller.rb b/app/controllers/pay/webhooks/paddle_billing_controller.rb
@@ -1,8 +1,6 @@
 module Pay
   module Webhooks
-    class PaddleBillingController < Pay::ApplicationController
-      skip_forgery_protection if Rails.application.config.action_controller.default_protect_from_forgery
-
+    class PaddleBillingController < ActionController::API
       def create
         if valid_signature?(request.headers["Paddle-Signature"])
           queue_event(verify_params.as_json)
diff --git a/app/controllers/pay/webhooks/paddle_classic_controller.rb b/app/controllers/pay/webhooks/paddle_classic_controller.rb
@@ -1,8 +1,6 @@
 module Pay
   module Webhooks
-    class PaddleClassicController < Pay::ApplicationController
-      skip_forgery_protection if Rails.application.config.action_controller.default_protect_from_forgery
-
+    class PaddleClassicController < ActionController::API
       def create
         queue_event(verified_event)
         head :ok
diff --git a/app/controllers/pay/webhooks/stripe_controller.rb b/app/controllers/pay/webhooks/stripe_controller.rb
@@ -1,6 +1,6 @@
 module Pay
   module Webhooks
-    class StripeController < Pay::ApplicationController
+    class StripeController < ActionController::API
       skip_forgery_protection if Rails.application.config.action_controller.default_protect_from_forgery
 
       def create
