Stripe Signature Verification for Webhook URLs using Spring

By Webner

The Stripe payment gateway provides different webhook events such as customer_created, customer_source_updated, customer_deleted and so on. By registering our webhook URLs for the events Stripe provides, we can capture the Stripe event requests and run our own code for each one. This raises a security problem: if our URL is accessible to an unauthorized person, that person can send requests to it and trigger malicious operations again and again. So each webhook request needs to be validated before any operation is performed.

This is where the Stripe signature comes into play:

When Stripe fires an event, it signs that request with a specific signing secret key. That key is different for each Stripe account in the Stripe dashboard. Using the Stripe signature, we can verify whether the request coming to us is valid or not. To do this you can use the verification built into the Stripe API library. As I am building my code with Maven, I have added the dependency below to get the Stripe API library:

<dependency>
    <groupId>com.stripe</groupId>
    <artifactId>stripe-java</artifactId>
    <version>4.6.0</version>
</dependency>

Note: Signature authentication is a new security feature added by Stripe, and versions below 4.6.0 do not support it. You first need to upgrade your Stripe API library version to use the verification process.

Steps to achieve Signature Verification Using Spring:

1. Make a Spring controller and add the specified parameters:

@RequestMapping(value = "captureStripeEvent", method = RequestMethod.POST, produces = "application/json")
public @ResponseBody Response webhook(@RequestBody(required = true) String request, @RequestHeader HttpHeaders headers) {
    // headers contains the Stripe-Signature attribute which you need to use for verification.
    // request contains the event fired by Stripe in JSON format, exactly as it was received.
    // The code from steps 2 and 3 goes here; build and return your Response at the end.
}

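2. Extract the signature header added by Stripe from your request headers:

// HttpHeaders.get() returns a List<String>; getFirst() returns the single header value (or null if absent).
String signature = headers.getFirst("Stripe-Signature");

Stripe-Signature is the name of the header in your headers list.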

3. Construct the complete Stripe event using the Stripe signature and the signing secret:

Event event = null;
try {
    // Load the signing secret from configuration rather than hard-coding it in source.
    event = Webhook.constructEvent(request, signature, "add your signing secret here");
    // No exception is thrown if the event is constructed successfully.
    // Set your response status to 200 (success).
} catch (JsonSyntaxException e) {
    // The body is not valid JSON: set response status to 400 (bad request).
} catch (SignatureVerificationException e) {
    // The signature does not match: set response status to 400 (bad request).
}

If the event is constructed successfully, it is a valid request. However, you will get a SignatureVerificationException if the request is not valid or comes from some malicious source.
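
To show what the library call in step 3 is checking, here is an added example (not code from the original post and not stripe-java's own source) that verifies a Stripe-Signature header with only the JDK. It assumes the header format `t=<unix seconds>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`; the 300-second tolerance, the class name and all sample values are assumptions or constructed for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class StripeSignatureCheck {
    static final long TOLERANCE_SECONDS = 300; // assumed replay window
    // Hex-encoded HMAC-SHA256 over "<timestamp>.<raw body>", keyed with the signing secret.
    static String sign(String rawBody, long timestamp, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] digest = mac.doFinal((timestamp + "." + rawBody).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // True only if the header carries a fresh timestamp and a matching v1 signature.
    static boolean verify(String rawBody, String header, String secret, long nowSeconds) throws Exception {
        if (header == null) return false;
        long timestamp = -1;
        List<String> candidates = new ArrayList<>();
        for (String part : header.split(",")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("t")) {
                try { timestamp = Long.parseLong(kv[1]); } catch (NumberFormatException e) { return false; }
            } else if (kv.length == 2 && kv[0].equals("v1")) {
                candidates.add(kv[1]);
            }
        }
        // Missing or stale timestamp: treat as a replay and reject before comparing.
        if (timestamp < 0 || Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return false;
        byte[] expected = sign(rawBody, timestamp, secret).getBytes(StandardCharsets.UTF_8);
        boolean matched = false;
        for (String c : candidates) // MessageDigest.isEqual compares in constant time
            matched |= MessageDigest.isEqual(expected, c.getBytes(StandardCharsets.UTF_8));
        return matched;
    }
    public static void main(String[] args) throws Exception {
        String secret = "whsec_constructed_example"; // constructed, not a real secret
        String body = "{\"id\":\"evt_constructed\",\"type\":\"customer_created\"}"; // constructed event
        long now = 1700000000L;
        String header = "t=" + now + ",v1=" + sign(body, now, secret);
        System.out.println(verify(body, header, secret, now));        // untouched request
        System.out.println(verify(body + " ", header, secret, now));  // body changed after signing
        System.out.println(verify(body, header, secret, now + 3600)); // same request replayed an hour later
    }
}
```

The signature covers the exact bytes of the body, which is why the controller takes the request as a String and passes it on unchanged; in the controller itself, keep using Webhook.constructEvent rather than a hand-written check.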
