php - 为什么Stripe的webhooks不需要验证签名？

Question

文档 ( https://stripe.com/docs/webhooks ) 和 SDK(stripe-php) 都没有使用任何签名方法。所以我怀疑，如果有人冒充官方 webhook 发件人怎么办？

在SDK中，只有成功检索事件id才算一个好的webhook，我认为这太冒险了，不是吗？

Answer 1

Stripe 确实为 Web hook 提供了签名。看看这里:https://stripe.com/docs/webhooks#signatures

您还可以看看这篇文章:https://www.truespotmedia.com/testing-webhooks-in-stripe-with-php/

这里是一些示例代码:

// Set your secret key: remember to change this to your live secret key in production
// See your keys here: https://dashboard.stripe.com/account/apikeys
\Stripe\Stripe::setApiKey("your secret api key");

// You can find your endpoint's secret in your webhook settings
$endpoint_secret = "whsec_...";

$payload = @file_get_contents("php://input");
$sig_header = $_SERVER["HTTP_STRIPE_SIGNATURE"];
$event = null;

try {
  $event = \Stripe\Webhook::constructEvent(
    $payload, $sig_header, $endpoint_secret
  );
} catch(\UnexpectedValueException $e) {
  // Invalid payload
  http_response_code(400); // PHP 5.4 or greater
  exit();
} catch(\Stripe\Error\SignatureVerification $e) {
  // Invalid signature
  http_response_code(400); // PHP 5.4 or greater
  exit();
}

// Do something with $event

http_response_code(200); // PHP 5.4 or greater