[9.0] Encourage usage of VerifyWebhookSignature middleware #591
This PR changes the way we check for events. It removes the API calls to Stripe for checking if an event exists and encourages the usage of the VerifyWebhookSignature middleware.
Verifying incoming webhook events by their signature is the recommended way by Stripe for making sure the event is legit. Making an API call to Stripe like we do now is a bit irrelevant as we can totally verify the legitimacy of the event by the signature alone. This saves us extra API calls to Stripe and should actually speed up webhooks.
This also solves the problem of the CASHIER_ENV env variable. Now that the middleware is only set on the controller when the webhook secret is filled in you have total control of turning it on and off for your use case.
The docs should be updated a little bit to encourage people to set the webhook secret immediately when working with webhooks. It's also not recommended anymore to set the middleware on the route as it's already been set on the controller itself.
All in all this commit simplifies things a lot and solves quite a few things together. It's breaking so I'm targeting master. I'll update the change log as soon as this gets merged. We should encourage people to read it before upgrading.
Fixes #537
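
The signature check that the description above relies on, as an added example that is not code from this PR, from Cashier or from Stripe's SDK. It assumes Stripe's documented `Stripe-Signature` header format (`t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">`); the function name, secret, tolerance default and event body are constructed for illustration.

```php
<?php
// Added illustration: verifies a webhook locally, with no API call to Stripe.

function verifyStripeSignature(
    string $payload,   // raw request body, byte for byte as received
    string $header,    // value of the Stripe-Signature header
    string $secret,    // endpoint signing secret
    int $tolerance = 300,
    ?int $now = null
): bool {
    $now = $now ?? time();
    $timestamp = null;
    $candidates = [];

    // Header shape: t=1700000000,v1=<hex>[,v1=<hex>...]
    foreach (explode(',', $header) as $part) {
        $pair = explode('=', trim($part), 2);
        if (count($pair) !== 2) {
            continue;
        }
        if ($pair[0] === 't' && ctype_digit($pair[1])) {
            $timestamp = $pair[1]; // keep the exact string that was signed
        } elseif ($pair[0] === 'v1') {
            $candidates[] = $pair[1];
        }
    }
    if ($timestamp === null || $candidates === []) {
        return false; // missing parts: fail closed
    }
    // A signature stays valid forever, so bound its age to limit replay.
    if (abs($now - (int) $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time compare
            return true;
        }
    }
    return false;
}

// Constructed sample values, not real Stripe data.
$secret = 'whsec_constructed_placeholder';
$body   = '{"id":"evt_constructed","type":"invoice.paid"}';
$t      = '1700000000';
$header = 't=' . $t . ',v1=' . hash_hmac('sha256', $t . '.' . $body, $secret);

var_dump(verifyStripeSignature($body, $header, $secret, 300, (int) $t + 10));       // untouched body, fresh
var_dump(verifyStripeSignature($body . ' ', $header, $secret, 300, (int) $t + 10)); // body altered in transit
var_dump(verifyStripeSignature($body, $header, $secret, 300, (int) $t + 3600));     // replayed an hour later
```

The check only works on the raw body: a payload that has been JSON-decoded and re-encoded before hashing will not match the signature.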