Support to verify Webhook signatures #5
@mg-stripe – would you be able to take a glance at this at your leisure, please? 🙏

Re-pinging @mg-stripe, would love to see this included!
Sorry for the delay on this! A few quick changes and we can merge this.
The more I think about this PR: an alternative approach would be to create the webhook whenever the app starts up and retrieve the webhook signing secret that way. (We'd want to delete and recreate the endpoint every time the app starts up to retrieve the signing secret, since it's only issued at creation time.) Is the explicit Dashboard flow the easiest for users, or should we simply do this programmatically and implicitly?
Hi @mg-stripe – thank you so much for the feedback. I think the application is significantly more user-friendly in a world where it provisions the Stripe webhook endpoint on the user's behalf. I've left in the ability to eschew the necessity to use ngrok and provide your own signing secret, too. I do have a little FUD on whether removing the endpoint on Let me know what you think!
- Add `signingSecret` configuration to `config.sample.js`
- Add verification path to Webhooks express server to verify signatures
- Add documentation for `signingSecret`
- Update some outdated, vulnerable dependencies
f7b993f to abc0459
Not sure if this is a genuinely useful feature given this is a tool for debugging, but I dogfooded https://stripe.com/docs/webhooks/signatures to add signature verification.
Changes
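- Add `signingSecret` configuration to `config.sample.js`
- Add verification path to Webhooks express server to verify signatures
- Add documentation for `signingSecret`
- Update some outdated, vulnerable dependencies (`npm audit fix`)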
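For readers following the thread, this is what verifying a `Stripe-Signature` header against a `signingSecret` involves, written as an added example that is not the code from this PR. The function names, the secret, the event body and the two-sided timestamp window are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Split "t=<unix ts>,v1=<hex>[,v1=<hex>...]" into the timestamp and v1 signatures.
function parseSignatureHeader(header) {
  const parsed = { t: '', v1: [] };
  for (const part of String(header || '').split(',')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't') parsed.t = value;
    else if (key === 'v1') parsed.v1.push(value);
  }
  return parsed;
}

// rawBody must be the exact request body string as received, before JSON parsing.
function verifyWebhook(rawBody, header, signingSecret, nowSec, toleranceSec = 300) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!/^\d+$/.test(t) || v1.length === 0) return false;
  // Assumption: reject timestamps outside the window in either direction (replay limit).
  if (Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  // The signed payload is "<timestamp>.<raw body>", keyed with the endpoint's signing secret.
  const expected = crypto.createHmac('sha256', signingSecret)
    .update(`${t}.${rawBody}`)
    .digest();
  // The header may carry more than one v1 value; one valid match is enough.
  return v1.some((sig) =>
    /^[0-9a-f]{64}$/i.test(sig) &&
    crypto.timingSafeEqual(Buffer.from(sig, 'hex'), expected));
}

// Constructed sample data (not a real secret or event).
const SAMPLE_SECRET = 'whsec_constructed_example';
const SAMPLE_BODY = '{"id":"evt_constructed","type":"charge.succeeded"}';
const SAMPLE_TS = 1700000000;
const SAMPLE_SIG = crypto.createHmac('sha256', SAMPLE_SECRET)
  .update(`${SAMPLE_TS}.${SAMPLE_BODY}`).digest('hex');
const SAMPLE_HEADER = `t=${SAMPLE_TS},v1=${SAMPLE_SIG}`;

console.log(verifyWebhook(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_TS + 5));
console.log(verifyWebhook(SAMPLE_BODY + ' ', SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_TS + 5));
```

In an Express server the body has to reach this check unparsed, since re-serialising parsed JSON can change the bytes and break the HMAC.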