Webhook signature verification

5966 views

                  module Webhooks
  class StripeController < ApplicationController
    skip_before_action :verify_authenticity_token

    def create
      payload = request.body.read
      sig_header = request.env['HTTP_STRIPE_SIGNATURE']

      begin
        event = Stripe::Webhook.construct_event(
          payload, sig_header, Rails.application.credentials.stripe[:webhook_secret]
        )
      rescue Stripe::SignatureVerificationError => e
        Rails.logger.warn("Webhook signature verification failed: #{e.message}")
        return render json: { error: 'INVALID_SIGNATURE' }, status: :unauthorized
      end

      # Process the verified event
      case event.type
      when 'payment_intent.succeeded'
        ProcessPaymentSuccessWorker.perform_async(event.data.object.id)
      when 'customer.subscription.deleted'
        ProcessSubscriptionCancelledWorker.perform_async(event.data.object.id)
      end

      render json: { received: true }, status: :ok
    end
  end
end

When receiving webhooks from external services, signature verification ensures the payload comes from the claimed sender and hasn't been tampered with. Services like Stripe and GitHub include an HMAC signature in headers computed from the request body and a shared secret. I recompute the HMAC on the received body using the same secret and compare it to the provided signature using constant-time comparison to prevent timing attacks. The raw request body must be used for signature verification, not the parsed version, which is why I sometimes need to read request.body.read before Rails parses it. Failed verification should return 401 immediately without processing the payload to avoid acting on forged requests.

Alex Kumar

More from Alex Kumar

Webhook signature verification

0 Comments

More from Alex Kumar