What’s up guys? This is gonna be a quick episode but I wanted to talk about the Stripe signing secret which is a required thing for using webhooks from Stripe now and Rails with the Stripe event gem and the reason for that is because when you receive a webhook you want to make sure that it came from Stripe and not someone else maliciously attacking your application or trying to issue themselves refunds and get your products for free or something weird like that. So what we want to do is verify that those webhooks are actually coming from Stripe. This really simple Stripe. This is really simple. Into the Stripe’s developer section, under webhooks, when you click on your endpoint you can see a signing secret. So this is pretty simple, you click to reveal the signing secret and add to your Rails application and set that in the Stripe event gem so that it can match those and make sure that they are equal and if they’re not equal it knows not to process that webhook. So it’s pretty much that simple. To set this up in our Rails app you need to go into your Stripe event code and set that up. So we have an initializer here in config/initializers/stripe.rb
We set this up in our series before and so Stripe event has a signing secret attribute here and we just need to set up equal the signing key we copied before.
StripeEvent.signing_secret = 'your signing secret key'
We could just set this string directly into the code but I would recommend actually setting this into your application secret with an environment variable or using your encrypted credentials in Rails 5.2 or higher. So let’s use Rails application secrets.
StripeEvent.signing_secret = Rails.application.secrets.stripe_signing_key
So go into your config/secrets.yml.
I put it directly into development but into production I put it as an environment variable.
developement: stripe_signing_secret: klajsdflkjasd production: stripe_signing_secret: <%= ENV['STRIPE_SIGNING_SECRET'] %>
The reason for the difference between the two is I have a separate Stripe account for development and development only so anytime I clone this repo on another computer or to someone else works with me they can actually use Stripe and just use my development account and not the production account and that’s going be nice to adding anybody to the repo so that they can fiddle with Stripe as much as they want on a test account safely and we can just hard code these keys in because it’s okey to share those. We’re not using that for anything real. So the production keys you don’t really want to have anywhere except for production and on your servers, so we have that one set up as an environment variable instead and that’s really all there is to. If we save this I’m gonna restart Rails application that will assign this variable and we’ll be able to access that as needed. Now another option here is that you can set multiple of this value so if you happen to have an application that processes multiple webhooks for different applications, different customers whatever that might be actually go here and add in in an array of those key:
StripeEvent.signing_secret = Rails.application.secrets.stirpe_signing_key StripeEvent.signing_secrets = [ Rails.application.secrets.stripe_signing_key1, Rails.application.secrets.stripe_signing_key2, Rails.application.secrets.stripe_signing_key3, Rails.application.secrets.stripe_signing_key4, Rails.application.secrets.stripe_signing_key5, Rails.application.secrets.stripe_signing_key6, ]
So you can process webhooks for various endpoints and that will treat those accordingly so you have
StripeEvent.signing_secrets it’s basically the exact same as the above (
StripeEvent.signing_secret) so this is alias for the above and that is it so that’s all you have to do: to enable this in your Rails application but it’s definitely required to make sure that you’re not going to get any malicious attacks on your Rails application so it’s important to add and really not very hard thing to either. So that’s it for this episode. I hope you enjoyed it and I’ll talk to you in the next one.