Feature Request: Disable verifying event with stripe #112
Comments
Could you please define exactly what you mean by "developing locally." Are you referring to automated tests (RACK_ENV=test) or manual testing via web interface, postman, etc (RACK_ENV=development)? For manual testing, I use the Stripe sandbox in combination with ultrahook: http://www.ultrahook.com/ But I do understand your point.
Manual testing (we typically just use curl with fixtures taken from stripe's example test events, etc) under We have ngrok configured as well and use that with stripe's sandbox. However, that's a really slow feedback loop when we're debugging something or experimenting with our code. (For many operations, that requires hitting stripe's api to mutate some customer/subscription/etc, which then triggers the webhook.) We originally attempted monkey-patching the webhook controller to redefine the Our current approach is to create our own controller, extending
My hack for this in case anyone else stumbles across this. Borrowed some from the testing recommendation:
```ruby
# in config/environments/development.rb
config.to_prepare do
  # Development only: replaces construct_event so the signature header and secret are ignored
  Stripe::Webhook.class_eval do
    def self.construct_event(payload, _sig_header, _secret, tolerance: nil)
      Stripe::Event.construct_from JSON.parse(payload, symbolize_names: true)
    end
  end
end
```
We are using the following, which was recommended by @rmm5t at #67 (comment):
```ruby
# Skip event verification while in test mode
# see https://github.com/integrallis/stripe_event/pull/67#issuecomment-202162534
if Rails.env.test? || Rails.env.development?
  StripeEvent.configure do |events|
    events.event_retriever = lambda { |params| Stripe::Event.construct_from(params.deep_symbolize_keys) }
  end
end
```
@wojtha Are you still using that config with the latest version of this gem?
@chrismanderson we are still at
While I understand the temptation to be prescriptive, I would argue that allowing the developer to disable signature verification would make upgrading easier in most cases, and possible in some. In our case, we do not control the configuration - our users can set up an integration with stripe by providing credentials. It so happens that users on older versions of the API were not required to provide a signing secret. Upgrading to 2.x therefore breaks these implementations.
Another option:
```java
Event event = isLocalDevelopment
    ? ApiResource.GSON.fromJson(payload, Event.class)             // no signature check
    : Webhook.constructEvent(payload, sigHeader, webhookSecret);  // check signature
```
"re-request" of #4
It's quite frustrating to need properly signed events when developing locally. I'd expect some way to disable the signature check in development so one could send arbitrary POST messages using curl or something.
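An alternative to switching verification off, as an added example (not code from this thread or from the stripe_event or stripe gems): sign local fixtures with a development-only secret so that curl requests pass the normal check. It assumes Stripe's `t=<timestamp>,v1=<hex HMAC-SHA256 of "timestamp.payload">` header scheme; the secret, fixture, helper names and URL are constructed placeholders.

```ruby
require "openssl"
require "json"

# Constructed development-only secret: never reuse a live endpoint secret here.
DEV_WEBHOOK_SECRET = "whsec_local_dev_only_example"
TOLERANCE_SECONDS  = 300

# HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (the v1 scheme).
def compute_signature(timestamp, payload, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
end

# Header value to send as Stripe-Signature alongside the fixture body.
def signature_header(payload, secret, timestamp: Time.now.to_i)
  "t=#{timestamp},v1=#{compute_signature(timestamp, payload, secret)}"
end

# Receiver-side check: parse the header, enforce the replay window, then
# recompute the HMAC and compare in constant time.
def valid_signature?(payload, header, secret, now: Time.now.to_i)
  parts = header.split(",").map { |kv| kv.split("=", 2) }
  timestamp = parts.find { |k, _| k == "t" }&.last
  candidates = parts.select { |k, _| k == "v1" }.map(&:last)
  return false if timestamp.nil? || timestamp !~ /\A\d+\z/ || candidates.empty?
  return false if (now - timestamp.to_i).abs > TOLERANCE_SECONDS

  expected = compute_signature(timestamp, payload, secret)
  candidates.any? { |sig| OpenSSL.secure_compare(expected, sig) }
end

# Constructed fixture, shaped like a Stripe test event.
FIXTURE = JSON.generate({ id: "evt_constructed_1", type: "customer.created",
                          data: { object: { id: "cus_constructed_1" } } })

if __FILE__ == $PROGRAM_NAME
  header = signature_header(FIXTURE, DEV_WEBHOOK_SECRET)
  # The URL below is an assumption; use the path where the webhook engine is mounted.
  puts "curl -X POST http://localhost:3000/stripe/webhook \\"
  puts "  -H 'Content-Type: application/json' \\"
  puts "  -H 'Stripe-Signature: #{header}' \\"
  puts "  -d '#{FIXTURE}'"
end
```

The signature covers the exact bytes of the body, so the fixture has to be sent unmodified and within the tolerance window of the timestamp in the header.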