Commit e3f6f8db authored by mattwire's avatar mattwire
Browse files

Add support for webhook signing

parent f1da0fd6
......@@ -14,6 +14,7 @@ use CRM_Stripe_ExtensionUtil as E;
use Civi\Payment\PropertyBag;
use Stripe\Stripe;
use Civi\Payment\Exception\PaymentProcessorException;
use Stripe\Webhook;
/**
* Class CRM_Core_Payment_Stripe
......@@ -71,6 +72,13 @@ class CRM_Core_Payment_Stripe extends CRM_Core_Payment {
return trim($paymentProcessor['user_name'] ?? '');
}
/**
* @return string
*/
public function getWebhookSecret(): string {
return trim($this->_paymentProcessor['signature']);
}
/**
* Given a payment processor id, return the public key
*
......@@ -1185,7 +1193,32 @@ class CRM_Core_Payment_Stripe extends CRM_Core_Payment {
// We don't handle this event
return;
}
$ipnClass->setVerifyData(TRUE);
$webhookSecret = $this->getWebhookSecret();
if (!empty($webhookSecret)) {
$sigHeader = $_SERVER['HTTP_STRIPE_SIGNATURE'];
try {
Webhook::constructEvent(
$rawData, $sigHeader, $webhookSecret
);
$ipnClass->setVerifyData(FALSE);
} catch (\UnexpectedValueException $e) {
// Invalid payload
\Civi::log()->error('Stripe webhook signature validation error: ' . $e->getMessage());
http_response_code(400);
exit();
} catch (\Stripe\Exception\SignatureVerificationException $e) {
// Invalid signature
\Civi::log()->error('Stripe webhook signature validation error: ' . $e->getMessage());
http_response_code(400);
exit();
}
}
else {
$ipnClass->setVerifyData(TRUE);
}
$ipnClass->onReceiveWebhook();
}
......
# Install / Configuration
Please do help improve this documentation by submitting a PR or contacting me.
## Installation
**The [mjwshared](https://lab.civicrm.org/extensions/mjwshared) extension is required and MUST be installed.**
**If using drupal webform or other integrations that use Contribution.transact API you should install the [contributiontransactlegacy](https://github.com/mjwconsult/civicrm-contributiontransactlegacy) extension to work around issues with that API.**
The extension will show up in the extensions browser for automated installation.
Otherwise, download and install as you would for any other CiviCRM extension.
## Configuration
### Stripe
Create an API key by logging in to your Stripe dashboard and selecting [API keys](https://dashboard.stripe.com/account/apikeys) from the left navigation. You can use the standard key, or you can click "Create restricted key" to have a more limited key. Example key restrictions are listed below.
Stripe automatically provides both a live and test account for you. Toggle the "test" switch in the Stripe dashboard to switch between the two accounts.
Create API keys and a webhook secret by logging in to your Stripe dashboard and selecting
[API keys](https://dashboard.stripe.com/account/apikeys) from the menu. You can use the
standard key, or you can click "Create restricted key" to have a more limited key.
Example key restrictions are listed below.
### CiviCRM
All configuration is in the standard Payment Processors settings area in CiviCRM admin (**Administer menu > System Settings > Payment Processors**).
Add a payment processor and enter your *Publishable* and *Secret* keys given by stripe.com.
## Installation
**The [mjwshared](https://lab.civicrm.org/extensions/mjwshared) extension is required and MUST be installed.**
Configure a Stripe payment processor in the same way as you would for any other payment processor in CiviCRM.
**If using drupal webform or other integrations that use Contribution.transact API you should install the [contributiontransactlegacy](https://github.com/mjwconsult/civicrm-contributiontransactlegacy) extension to work around issues with that API.**
All configuration is in the standard Payment Processors settings area in CiviCRM admin (**Administer menu > System Settings > Payment Processors**).
The extension will show up in the extensions browser for automated installation.
Otherwise, download and install as you would for any other CiviCRM extension.
Add a payment processor, select "Stripe" as the type and enter your
*Publishable* and *Secret* keys and your *webhook secret* from the Stripe Dashboard.
## Permissions
......
......@@ -17,10 +17,9 @@ return [
'class_name' => 'Payment_Stripe',
'user_name_label' => 'Publishable key',
'password_label' => 'Secret Key',
'url_site_default' => 'https://api.stripe.com/v2',
'url_recur_default' => 'https://api.stripe.com/v2',
'url_site_test_default' => 'https://api.stripe.com/v2',
'url_recur_test_default' => 'https://api.stripe.com/v2',
'signature_label' => 'Webhook Secret',
'url_site_default' => 'http://unused.com',
'url_site_test_default' => 'http://unused.com',
'billing_mode' => 1,
'payment_type' => 1,
'is_recur' => 1,
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment