Address feedback from @mg-stripe

Author: willock-stripe

README.md

@@ -31,11 +31,6 @@ Webhooks require a public URL that Stripe will ping to notify the monitor of new
 
 If you have a [__Basic__](https://ngrok.com/pricing) ngrok subscription, you can specify a custom subdomain that will stay reserved for your account.
 
-#### Optional: Verify Webhooks are signed
-[Stripe can optionally sign Webhook events to your endpoints](https://stripe.com/docs/webhooks/signatures). If you'd like the Webhook Monitor to verify these for you, simply modify the `signingSecret` value in `config.js` with the endpoint-specific signing secret key found at the bottom of the Webhook details page.
-
-Unverified Webhooks will return a `400` response to Stripe, and log an error to your console.
-
 ### Start receiving changes
 
 To start the monitor:
@@ -45,17 +40,9 @@ npm install
 npm start
 ```
 
-Take note of the public URL provided by ngrok: it should be listed when the monitor starts.
-
-**Don't want to use ngrok?** As long as Stripe can reach the webhooks endpoint via a public URL, you'll receive  updates.
-
-### Subscribe to webhook notifications
-
-In your Stripe Dashboard, go to the _API_ section, then click on the _Webhooks_ tab.
-
-You should add a receiving endpoint by clicking _Add Endpoint_. Fill in the public URL provided by ngrok, or any other public URL that can reach the webhook monitor.
+A [Stripe webhook endpoint](https://stripe.com/docs/webhooks/setup) will be automatically provisioned and pointed at your ngrok tunnel, subscribed to all Stripe events.
 
-![](https://raw.githubusercontent.com/stripe/stripe-webhook-monitor/master/screenshots/setting-up-webhooks.png)
+**Don't want to use ngrok?** As long as Stripe can reach the webhooks endpoint via a public URL, you'll receive updates. Set the `webhookSigningSecret` configuration to ensure your events are signed correctly.
 
 ## Troubleshooting
 

config.sample.js

@@ -5,7 +5,8 @@ module.exports = {
   stripe: {
     // Include your Stripe secret key here
     secretKey: 'YOUR_STRIPE_SECRET_KEY',
-    signingSecret: null
+    // If not using ngrok, include your Webhook signing secret here
+    webhookSigningSecret: null
   },
   /*
      Stripe needs a public URL for our server that it can ping with new events.

package-lock.json

@@ -23,8 +23,8 @@
     "body-parser": "^1.17.2",
     "boxen": "^1.2.1",
     "express": "^4.15.3",
-    "ngrok": "^3.1.1",
+    "ngrok": "^3.2.4",
     "socket.io": "^2.2.0",
-    "stripe": "^4.23.1"
+    "stripe": "^7.5.0"
   }
 }

package.json

@@ -1,7 +1,6 @@
 "use strict";
 
 const config = require("./config.js");
-const boxen = require("boxen");
 const stripe = require("stripe")(config.stripe.secretKey);
 const express = require("express");
 const socketio = require("socket.io");
@@ -10,106 +9,126 @@ const bodyParser = require("body-parser");
 const path = require("path");
 const chalk = require("chalk");
 
-/*
-  We use two different Express servers for security reasons: our webhooks
-  endpoint needs to be publicly accessible, but we don't want our monitoring
-  dashboard to be publicly accessible since it may contain sensitive data.
-*/
-
-// The first Express server will serve Stripe Monitor (on a different port).
-const monitor = express();
-const monitorServer = http.Server(monitor);
-// We'll set up Socket.io to notify us of new events
-const io = socketio(monitorServer);
-let recentEvents = [];
-
-// Serve static files and start the server
-monitor.use(express.static(path.join(__dirname, "public")));
-monitorServer.listen(config.port, () => {
-  console.log(`Stripe Monitor is up: http://localhost:${config.port}`);
-});
-
-// Provides environment details: the Dashboard URL will vary based on whether we're in test or live mode
-monitor.get("/environment", async (req, res) => {
+(async () => {
+  const webhooksPort = config.port + 1;
+
+  let webhookSigningSecret,
+      ngrokUrl;
+
+  // Set the Stripe dashboard URL and append in testmode
   let dashboardUrl = "https://dashboard.stripe.com/";
   if (config.stripe.secretKey.startsWith("sk_test")) {
     dashboardUrl += "test/";
   }
-  res.send({ dashboardUrl });
-});
-
-// Provides the 20 most recent events (useful when the app first loads)
-monitor.get("/recent-events", async (req, res) => {
-  let response = await stripe.events.list({ limit: 20 });
-  recentEvents = response.data;
-  res.send(recentEvents);
-});
-
-// The second Express server will receive webhooks
-const webhooks = express();
-const webhooksPort = config.port + 1;
-
-webhooks.listen(webhooksPort, () => {
-  console.log(`Listening for webhooks: http://localhost:${webhooksPort}`);
-});
-
-// Provides an endpoint to receive webhooks
-webhooks.post("/", bodyParser.raw({ type: "application/json" }), async (req, res) => {
-  let event;
-
-  // Check if signing secret has been set
-  if (config.stripe.signingSecret) {
-    const sig = req.headers['stripe-signature'];
-  
-    try {
-      event = stripe.webhooks.constructEvent(req.body, sig, config.stripe.signingSecret);
-    } catch (err) {
-      console.log(
-        chalk.red(`Failed to verify webhook signature: ${err.message}`)
-      );
-      res.sendStatus(400);
-      return;
-    }
-  } else {
-    // Signing secret is not set, just pass through
-    event = req.body;
-  }
-
-  // Send a notification that we have a new event
-  // Here we're using Socket.io, but server-sent events or another mechanism can be used.
-  io.emit("event", event);
-  // Stripe needs to receive a 200 status from any webhooks endpoint
-  res.sendStatus(200);
-});
 
-// Use ngrok to provide a public URL for receiving webhooks
-if (config.ngrok.enabled) {
-  const ngrok = require("ngrok");
-  const boxen = require("boxen");
+  if (config.ngrok.enabled) {
+    const ngrok = require("ngrok");
 
-  ngrok.connect(
-    {
+    // Provision ngrok tunnel
+    ngrokUrl = await ngrok.connect({
       addr: webhooksPort,
       subdomain: config.ngrok.subdomain,
       authtoken: config.ngrok.authtoken
-    },
-    function(err, url) {
-      if (err) {
-        console.log(err);
-        if (err.code === "ECONNREFUSED") {
-          console.log(
-            chalk.red(`Connection refused at ${err.address}:${err.port}`)
-          );
-          process.exit(1);
-        }
-        console.log(chalk.yellow(`ngrok reported an error: ${err.msg}`));
+    }).catch(error => {
+      console.log("Error starting ngrok tunnel", error);
+      process.exit(1);
+    });
+
+    // Provision Stripe webhook endpoint
+    const webhookEndpoint = await stripe.webhookEndpoints.create({
+      url: ngrokUrl,
+      enabled_events: ['*']
+    }).catch(error => {
+      console.log("Error provisioning webhook endpoint", error);
+      process.exit(1);
+    });
+
+    // Save webhook signing secret key
+    webhookSigningSecret = webhookEndpoint.secret;
+
+    // Tear down Stripe webhook endpoint on CTRL+C
+    // (ngrok does this automatically)
+    process.on('SIGINT', async () => {
+      await stripe.webhookEndpoints.del(webhookEndpoint.id).catch(error => {
+        const webhookManagementUrl = `${dashboardUrl}/webhooks/${webhookEndpoint.id}`;
+        console.log(`Error deleting webhook endpoint, visit ${webhookManagementUrl}`, error);
+        process.exit(1);
+      });
+
+      process.exit(0);
+    });
+  } else  {
+    // Not using ngrok, but setting signing secret via config
+    if (config.stripe.webhookSigningSecret) {
+      webhookSigningSecret = config.stripe.webhookSigningSecret;
+    }
+  }
+
+  /*
+    We use two different Express servers for security reasons: our webhooks
+    endpoint needs to be publicly accessible, but we don't want our monitoring
+    dashboard to be publicly accessible since it may contain sensitive data.
+  */
+
+  // The first Express server will serve Stripe Monitor (on a different port).
+  const monitor = express();
+  const monitorServer = http.Server(monitor);
+  // We'll set up Socket.io to notify us of new events
+  const io = socketio(monitorServer);
+  let recentEvents = [];
+
+  // Serve static files and start the server
+  monitor.use(express.static(path.join(__dirname, "public")));
+  monitorServer.listen(config.port, () => {
+    console.log(`Stripe Monitor is up: http://localhost:${config.port}`);
+  });
+
+  // Provides environment details: the Dashboard URL will vary based on whether we're in test or live mode
+  monitor.get("/environment", async (req, res) => {
+    res.send({ dashboardUrl });
+  });
+
+  // Provides the 20 most recent events (useful when the app first loads)
+  monitor.get("/recent-events", async (req, res) => {
+    let response = await stripe.events.list({ limit: 20 });
+    recentEvents = response.data;
+    res.send(recentEvents);
+  });
+
+  // The second Express server will receive webhooks
+  const webhooks = express();
+
+  webhooks.listen(webhooksPort, () => {
+    const url = ngrokUrl ? ngrokUrl : `http://localhost:${webhooksPort}`;
+    console.log(`Listening for webhooks: ${url}`);
+  });
+
+  // Provides an endpoint to receive webhooks
+  webhooks.post("/", bodyParser.raw({ type: "application/json" }), async (req, res) => {
+    let event;
+
+    // Check if signing secret has been set
+    if (webhookSigningSecret) {
+      const sig = req.headers['stripe-signature'];
+
+      try {
+        event = stripe.webhooks.constructEvent(req.body, sig, webhookSigningSecret);
+      } catch (err) {
         console.log(
-          boxen(err.details.err.trim(), {
-            padding: { top: 0, right: 2, bottom: 0, left: 2 }
-          })
+          chalk.red(`Failed to verify webhook signature: ${err.message}`)
         );
+        res.sendStatus(400);
+        return;
       }
-      console.log(` └ Public URL for receiving Stripe webhooks: ${url}`);
+    } else {
+      // Signing secret is not set, just pass through
+      event = req.body;
     }
-  );
-}
+
+    // Send a notification that we have a new event
+    // Here we're using Socket.io, but server-sent events or another mechanism can be used.
+    io.emit("event", event);
+    // Stripe needs to receive a 200 status from any webhooks endpoint
+    res.sendStatus(200);
+  });
+})();