Pho*_*nix 2 php stripe-payments
The docs (https://stripe.com/docs/webhooks) and the SDK (stripe-php) don't use any signing method. So I worry: what if someone impersonates the official webhook sender?
In the SDK, a webhook is only considered good once the event id is successfully retrieved. I feel that's too risky, isn't it?
Stripe does provide signatures for webhooks. Have a look here: https://stripe.com/docs/webhooks#signatures
You can also look at this article: https://www.truespotmedia.com/testing-webhooks-in-stripe-with-php/
Here is some sample code:
<?php
// Load the stripe-php SDK via Composer's autoloader (added so the snippet runs as a file).
require_once __DIR__ . '/vendor/autoload.php';

// Set your secret key: remember to change this to your live secret key in production
// See your keys here: https://dashboard.stripe.com/account/apikeys
\Stripe\Stripe::setApiKey("your secret api key");

// You can find your endpoint's secret in your webhook settings
$endpoint_secret = "whsec_...";

// The raw request body must be used unmodified: the signature covers the exact bytes Stripe sent.
$payload = @file_get_contents("php://input");
$sig_header = isset($_SERVER["HTTP_STRIPE_SIGNATURE"]) ? $_SERVER["HTTP_STRIPE_SIGNATURE"] : "";
$event = null;

try {
    // Checks the Stripe-Signature header (HMAC over "<timestamp>.<payload>") against the
    // endpoint secret, rejects timestamps outside the tolerance window, then decodes the event.
    $event = \Stripe\Webhook::constructEvent(
        $payload, $sig_header, $endpoint_secret
    );
} catch(\UnexpectedValueException $e) {
    // Invalid payload
    http_response_code(400); // PHP 5.4 or greater
    exit();
} catch(\Stripe\Error\SignatureVerification $e) {
    // Invalid signature (in stripe-php 7 and later this class is \Stripe\Exception\SignatureVerificationException)
    http_response_code(400); // PHP 5.4 or greater
    exit();
}

// Do something with $event
http_response_code(200); // PHP 5.4 or greater
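To make clear what constructEvent actually checks, here is an added example (not part of the question, the answer, or the stripe-php SDK) that re-implements Stripe's v1 signature scheme by hand: it parses the Stripe-Signature header, enforces a timestamp tolerance against replays, and compares the HMAC in constant time. It assumes PHP 7.0 or later, and the secret, body and timestamp are constructed values for the demo.

```php
<?php
// Added example, not from the question, the answer or stripe-php: a minimal
// re-implementation of the check \Stripe\Webhook::constructEvent performs.
// Header: "t=<unix ts>,v1=<hex HMAC-SHA256>[,v1=...][,v0=...]"; the signed
// payload is "<ts>.<raw body>", keyed with the endpoint secret (whsec_...).
function verifyStripeSignature($payload, $header, $secret, $now, $tolerance = 300)
{
    $timestamp = null;
    $signatures = array();
    foreach (explode(',', $header) as $item) {
        $parts = explode('=', trim($item), 2);
        if (count($parts) !== 2) {
            continue;
        }
        list($key, $value) = $parts;
        if ($key === 't') {
            $timestamp = (int) $value;
        } elseif ($key === 'v1') {
            $signatures[] = $value;
        }
    }
    // Reject a header that carries no timestamp or no v1 signature at all.
    if ($timestamp === null || $signatures === array()) {
        return false;
    }
    // Replay protection: an event signed outside the tolerance window is refused.
    if (abs($now - $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($signatures as $candidate) {
        // hash_equals is constant-time, so response timing does not leak the expected MAC.
        if (hash_equals($expected, $candidate)) {
            return true;
        }
    }
    return false;
}
// Constructed sample values for this demo (not real Stripe data).
$secret = 'whsec_demo_secret';
$payload = '{"id":"evt_demo","type":"charge.succeeded"}';
$now = 1700000000;
$goodHeader = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $payload, $secret);
var_dump(verifyStripeSignature($payload, $goodHeader, $secret, $now));
// Tampered body: the MAC no longer matches, so the event is rejected.
var_dump(verifyStripeSignature($payload . ' ', $goodHeader, $secret, $now));
// Replayed later than the 5-minute tolerance: rejected even though the MAC is valid.
var_dump(verifyStripeSignature($payload, $goodHeader, $secret, $now + 600));
```

Note that an unsigned or wrongly keyed request fails before the JSON is ever decoded, which is exactly the protection the question was worried was missing.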