Webhook processing changes: fix expected request data formatting

2026-02-02 21:57:17 +00:00 · 2017-01-21 09:43:34 +00:00
parent 9ac638f8ba
commit a039286240
3 changed files with 34 additions and 16 deletions
--- a/app/controllers/admin/stripe_accounts_controller.rb
+++ b/app/controllers/admin/stripe_accounts_controller.rb
@@ -17,10 +17,11 @@ module Admin
    end

    def destroy_from_webhook
+      # Fetch the event again direct from stripe for extra security
      event = fetch_event_from_stripe(request)
-      if event["type"] == "account.application.deauthorized"
-        StripeAccount.where(stripe_user_id: event["data"]["id"]).map{ |account| account.destroy }
-        render json: nil, status: 200
+      if event.type == "account.application.deauthorized"
+        StripeAccount.where(stripe_user_id: event.user_id).map{ |account| account.destroy }
+        render text: "Account #{event.user_id} deauthorized", status: 200
      else
        render json: nil, status: 501
      end
--- a/app/helpers/admin/stripe_helper.rb
+++ b/app/helpers/admin/stripe_helper.rb
@@ -51,7 +51,8 @@ module Admin

    def fetch_event_from_stripe(request)
      event_json = JSON.parse(request.body.read)
-      JSON.parse(Stripe::Event.retrieve(event_json["id"]))
+      acct_param = event_json["user_id"] ? {"Stripe-Account" => event_json["user_id"]} : nil
+      Stripe::Event.retrieve(event_json["id"],acct_param)
    end

    def deauthorize_request_for_stripe_id(id)
--- a/spec/controllers/admin/stripe_account_controller_spec.rb
+++ b/spec/controllers/admin/stripe_account_controller_spec.rb
@@ -5,19 +5,35 @@ describe Admin::StripeAccountsController, type: :controller do
  it "deletes Stripe accounts in response to a webhook" do
    # https://stripe.com/docs/api#retrieve_event
    allow(controller).to receive(:fetch_event_from_stripe)
-      .and_return({
-      "id" => "evt_18zt9YFBE7f7kItLg9f343bn",
-      "object" => "event",
-      "created" => 1475350088,
-      "data" => {
-          "id" => "webhook_id",
-          "name" => "OFN",
-          "object" => "application"
-      },
-      "type" => "account.application.deauthorized"
-    })
+      .and_return(Stripe::Event.construct_from({"id"=>"evt_wrfwg4323fw",
+                   "object"=>"event",
+                   "api_version"=>nil,
+                   "created"=>1484870684,
+                   "data"=>
+                    {"object"=>
+                      {"id"=>"application_id",
+                       "object"=>"application",
+                       "name"=>"Open Food Network UK"}},
+                   "livemode"=>false,
+                   "pending_webhooks"=>1,
+                   "request"=>nil,
+                   "type"=>"account.application.deauthorized",
+                   "user_id"=>"webhook_id"}))
    account = create(:stripe_account, stripe_user_id: "webhook_id")
-    post 'destroy_from_webhook'
+    post 'destroy_from_webhook', {"id"=>"evt_wrfwg4323fw",
+                                   "object"=>"event",
+                                   "api_version"=>nil,
+                                   "created"=>1484870684,
+                                   "data"=>
+                                    {"object"=>
+                                      {"id"=>"ca_9ByaSyyyXj5O73DWisU0KLluf0870Vro",
+                                       "object"=>"application",
+                                       "name"=>"Open Food Network UK"}},
+                                   "livemode"=>false,
+                                   "pending_webhooks"=>1,
+                                   "request"=>nil,
+                                   "type"=>"account.application.deauthorized",
+                                   "user_id"=>"webhook_id"}
    expect(StripeAccount.all).not_to include account

  end