Support to verify Webhook signatures

willock-stripe · willock-stripe · commit 5c5b5766220e · 2019-07-30T16:19:10.000+01:00
- Add `signingSecret` configuration to `config.sample.js`
- Add verification path to Webhooks express server to verify
  signatures
- Add documentation for `signingSecret`
- Update some outdated, vulnerable dependencies
diff --git a/README.md b/README.md
@@ -31,6 +31,11 @@ Webhooks require a public URL that Stripe will ping to notify the monitor of new
 
 If you have a [__Basic__](https://ngrok.com/pricing) ngrok subscription, you can specify a custom subdomain that will stay reserved for your account.
 
+#### Optional: Verify Webhooks are signed
+[Stripe can optionally sign Webhook events to your endpoints](https://stripe.com/docs/webhooks/signatures). If you'd like the Webhook Monitor to verify these for you, simply modify the `signingSecret` value in `config.js` with the endpoint-specific signing secret key found at the bottom of the Webhook details page.
+
+Unverified Webhooks will return a `400` response to Stripe, and log an error to your console.
+
 ### Start receiving changes
 
 To start the monitor:
diff --git a/config.sample.js b/config.sample.js
@@ -4,7 +4,8 @@ module.exports = {
   port: 4000,
   stripe: {
     // Include your Stripe secret key here
-    secretKey: 'YOUR_STRIPE_SECRET_KEY'
+    secretKey: 'YOUR_STRIPE_SECRET_KEY',
+    signingSecret: null
   },
   /*
      Stripe needs a public URL for our server that it can ping with new events.
diff --git a/package-lock.json b/package-lock.json
diff --git a/server.js b/server.js
@@ -49,14 +49,32 @@ monitor.get("/recent-events", async (req, res) => {
 const webhooks = express();
 const webhooksPort = config.port + 1;
 
-webhooks.use(bodyParser.json());
 webhooks.listen(webhooksPort, () => {
   console.log(`Listening for webhooks: http://localhost:${webhooksPort}`);
 });
 
 // Provides an endpoint to receive webhooks
-webhooks.post("/", async (req, res) => {
-  let event = req.body;
+webhooks.post("/", bodyParser.raw({ type: "application/json" }), async (req, res) => {
+  let event;
+
+  // Check if signing secret has been set
+  if (config.stripe.signingSecret) {
+    const sig = req.headers['stripe-signature'];
+  
+    try {
+      event = stripe.webhooks.constructEvent(req.body, sig, config.stripe.signingSecret);
+    } catch (err) {
+      console.log(
+        chalk.red(`Failed to verify webhook signature: ${err.message}`)
+      );
+      res.sendStatus(400);
+      return;
+    }
+  } else {
+    // Signing secret is not set, just pass through
+    event = req.body;
+  }
+
   // Send a notification that we have a new event
   // Here we're using Socket.io, but server-sent events or another mechanism can be used.
   io.emit("event", event);
