Feature Request: Disable verifying event with stripe #112

Open
jasonkarns opened this issue Apr 13, 2018 · 8 comments

Comments

@jasonkarns

"re-request" of #4

It's quite frustrating to need properly signed events when developing locally. I'd expect some way to disable the signature check in development so one could send arbitrary POST messages using curl or something.

@rmm5t
Member

rmm5t commented Apr 13, 2018

Could you please define exactly what you mean by "developing locally." Are you referring to automated tests (RACK_ENV=test) or manual testing via web interface, postman, etc (RACK_ENV=development)?

For manual testing, I use the Stripe sandbox in combination with ultrahook: http://www.ultrahook.com/

But I do understand your point.

@jasonkarns
Author

jasonkarns commented Apr 13, 2018

Manual testing (we typically just use curl with fixtures taken from stripe's example test events, etc) under RACK_ENV=development

We have ngrok configured as well and use that with stripe's sandbox. However, that's a really slow feedback loop when we're debugging something or experimenting with our code. (For many operations, that requires hitting stripe's api to mutate some customer/subscription/etc, which then triggers the webhook.)

We originally attempted monkey-patching the webhook controller to redefine the verified_event method (to simply construct the Stripe::Event without signature verification). However, that has issues with Rails autoloading and re-loading as it loses our monkey patch frequently.

Our current approach is to create our own controller, extending StripeEvent::WebhookController (which redefines verified_event as above) and then we mount that at a separate endpoint in development. This works well, but is an awful lot of setup just to disable signature verification. It would be nice if it could be disabled via configuration.

@thejchap

My hack for this, in case anyone else stumbles across this. Borrowed some from the testing recommendation:

# in config/environments/development.rb

config.to_prepare do
  Stripe::Webhook.class_eval do
    def self.construct_event(payload, _sig_header, _secret, tolerance: nil)
      Stripe::Event.construct_from JSON.parse(payload, symbolize_names: true)
    end
  end
end

@wojtha

wojtha commented Oct 10, 2018

We are using the following which was recommended by @rmm5t at #67 (comment)

# Skip event verification while in test mode
# see https://github.com/integrallis/stripe_event/pull/67#issuecomment-202162534
if Rails.env.test? || Rails.env.development?
  StripeEvent.configure do |events|
    events.event_retriever = lambda { |params| Stripe::Event.construct_from(params.deep_symbolize_keys) }
  end
end

@chrismanderson

@wojtha Are you still using that config with the latest version of this gem? event_retriever was removed, and I can't figure out how to use this snippet with the replacement event_filter.

@wojtha

wojtha commented Jan 20, 2019

@chrismanderson we are still at v1.9.0 so the solution above still works...

@luis-ca

luis-ca commented Sep 1, 2020

While I understand the temptation to be prescriptive, I would argue that allowing the developer to disable signature verification would make upgrading easier in most cases, and possible in some.

In our case, we do not control the configuration - our users can set up an integration with stripe by providing credentials. It so happens that users on older versions of the API were not required to provide a signing secret. Upgrading to 2.x therefore breaks these implementations.

@mauriziopinotti

Another option:

        Event event = isLocalDevelopment ?
            ApiResource.GSON.fromJson(payload, Event.class) : // no check signature
            Webhook.constructEvent(payload, sigHeader, webhookSecret); // check signature
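For the curl-with-fixtures workflow described earlier in the thread, verification can also stay enabled by signing the fixture with a development-only secret. This is an added example, not code from stripe_event or from any commenter; it uses only the Ruby standard library and follows Stripe's documented `Stripe-Signature` scheme (`t=<unix time>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">`). The secret, fixture, and all method names are constructed for illustration.

```ruby
require "openssl"
require "json"

# Constructed development-only secret (assumption); never reuse a live endpoint secret.
DEV_WEBHOOK_SECRET = "whsec_dev_constructed_example"
TOLERANCE_SECONDS = 300

# HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (the v1 scheme).
def compute_signature(payload, timestamp, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
end

# Build the Stripe-Signature header value for a fixture payload.
def signature_header(payload, secret, timestamp: Time.now.to_i)
  "t=#{timestamp},v1=#{compute_signature(payload, timestamp, secret)}"
end

# Length check plus XOR accumulation, so timing does not reveal a matching prefix.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver-side check: parse the header, reject stale timestamps, compare MACs.
def valid_signature?(payload, header, secret, now: Time.now.to_i, tolerance: TOLERANCE_SECONDS)
  parts = header.to_s.split(",").map { |kv| kv.split("=", 2) }
  timestamp = parts.find { |k, _| k == "t" }&.last
  candidates = parts.select { |k, _| k == "v1" }.map(&:last).compact
  return false unless timestamp&.match?(/\A\d+\z/) && candidates.any?
  return false if now - timestamp.to_i > tolerance # outside the replay window

  expected = compute_signature(payload, timestamp, secret)
  candidates.any? { |sig| secure_compare(expected, sig) }
end

# Constructed fixture, shaped like a Stripe test event.
FIXTURE = JSON.generate(id: "evt_constructed_1", type: "customer.created",
                        data: { object: { id: "cus_constructed_1" } })

if __FILE__ == $PROGRAM_NAME
  header = signature_header(FIXTURE, DEV_WEBHOOK_SECRET)
  puts "Stripe-Signature: #{header}"
  puts "valid: #{valid_signature?(FIXTURE, header, DEV_WEBHOOK_SECRET)}"
end
```

The signature covers the exact body bytes, so the payload sent with curl must be byte-identical to the string that was signed, and the development environment must be configured with the same development-only secret.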
