shivam
shivam

Reputation: 16506

Stripe webhook authentication - Ruby

My ruby-on-rails application uses stripe for card payments. Stripe has a provision of webhooks through which it contacts back to my application and gives details about every transactions - succeeded or failed.

For this, I have in my controller something like this:

class StripeController < ApplicationController
  def webhook
    data_json = JSON.parse request.body.read
    p data_json['data']['object']['customer']
  end

My question is how can I validate the authenticity of this webhook? To my knowledge and understanding one can easily imitate this (man-in-the-middle attack).

Upvotes: 8

Views: 6580

Answers (3)

Kirill Kulakov
Kirill Kulakov

Reputation: 10255

You can enable basic http authentication for the stripe webhook events by setting the webhook to the following url

https://username:[email protected]/my-webhook-path

This will result in a Authorization header with the value of

Basic encode64(username:password)

for instance by setting the webhook to the following url

https://admin:[email protected]/my-webhook-path

you will get this header in the inbound request

Basic YWRtaW46MTIzNDU2

Upvotes: 8

Sagar Ranglani
Sagar Ranglani

Reputation: 5691

The gem stripe_event has it covered in a different way.

Securing your webhook endpoint is done through Basic HTTP Authentication in stripe_event gem.

If only Stripe knows the basic authentication password, this ensures that the request really comes from Stripe. Here's what you do:

  1. Arrange for a secret key to be available in your application's environment variables or secrets.yml file.

  2. Configure StripeEvent to require that secret be used as a basic authentication password, using code along the lines:

    StripeEvent.authentication_secret = ENV['STRIPE_WEBHOOK_SECRET']

  3. When you specify your webhook's URL in Stripe's settings, include the secret as a password in the URL, along with any username:

    https://stripe:[email protected]/my-webhook-path

This is only truly secure if your webhook endpoint is accessed over SSL, which Stripe strongly recommends anyway.

Upvotes: 10

Substantial
Substantial

Reputation: 6682

From Stripe's webhooks documentation:

If security is a concern, or if it's important to confirm that Stripe sent the webhook, you should only use the ID sent in your webhook and should request the remaining details from the Stripe API directly.

Upvotes: 10

Related Questions