Plans for Webhook Endpoints #1437
Replies: 4 comments 4 replies
-
@jleclanche fantastic writeup. This makes a lot of sense, and will be an awesome add to the library. |
Beta Was this translation helpful? Give feedback.
-
@jleclanche Great writeup! I have started work on this and have a few questions and observations.
It seems if we can come up with some sort of naming convention for each webhook, a simple function can be used to detect and override these settings in the DB directly. Something like
Please let me know what you think. |
Beta Was this translation helpful? Give feedback.
-
Hi @arnav13081994 and @jleclanche: |
Beta Was this translation helpful? Give feedback.
-
@jleclanche: by using the same webhook URL for different Stripe accounts, it’s impossible to correctly assign the event to the proper Stripe account. The dj-stripe/djstripe/models/webhooks.py Line 120 in 5ed7123 The Stripe account defined in settings is always used and for validation, which of course won’t work. Step I of your list is required: #1437 (comment) @arnav13081994: great news that you have begun tackling webhook endpoints 👏! If you need someone to test this with two different Stripe accounts, I’ll gladly help you out. |
Beta Was this translation helpful? Give feedback.
-
Moving this from an email chain to put some public eyes on it. We're revamping webhook endpoints for next release.
0. Preliminary work:
I. Dynamic URLs for webhooks
There are two issues that can be solved by the same rework. First one is that webhook URLs are publicly guessable. Usually included with a
/stripe/
or/djstripe/
prefix, you can figure out that there is a stripe webhook URL athttps://example.com/djstripe/webhook/
for example. This isn't a huge security issue but it's not great either as you can generate noise for the developers among other things.I'd like to match instead on
/<inclusion prefix>/webhook/<suffix>/
. So for example generate a uuid for each new webhook and end up with/djstripe/webhook/e1526013-6e23-4e3d-abd6-6d4879947654/
.For this the first step is to change URL matching to include webhook/ as a prefix, match on all of it, then look up the webhooks in the database. We ought to support multiple sites per installation as well so we probably want to check the host header value as well.
II. Multiple webhooks per installation
With the above, we can ensure multiple webhooks are supported per installation. Each account will have a stripe_account key and when we receive a webhook payload, we can instantly know which account this belongs to by looking at the unique key.
III. Automatic setup of webhooks
Since we control all this in the database, it should be possible to automatically set up the webhooks in Stripe from the SDK. What that means is we can generate a new URL, find the hostname via site config, figure out the prefix somehow (no idea how, yet, though -- maybe iterate on all the URLs configured and figuring out where the djstripe inclusion is); create the endpoints via the API and feed them back to the db as such.
At that point we need to seriously consider and document what the actual setup flow for webhooks is. We may need some amount of user interaction, especially if a webhook endpoint is already configured? We also need to make sure the webhook endpoint admin panel is polished.
IV. Deprecation path for old setups
I'd like to ensure a smooth transition between old setups and new ones. We need a way to detect when things are set up "the old way". We probably still need to watch over
/djstripe/webhook/
without a suffix and process according toDJSTRIPE_WEBHOOK_SECRET
then. Also need to ensure our new method handles suffixless webhook endpoints without issues. (The webhook url itself shouldn't be unique, but we may need a django check to warn if there are multiple webhook endpoints with the same URL set up? Consequence can be incorrect handling of the payload, it going to the wrong account etc).V. Check if we can still support
DJSTRIPE_WEBHOOK_URL
That setting should be deprecated as it will no longer be necessary. But I do not think we should remove it any time soon as it's a pain to update for existing users. Instead we should add a django Check with a warning explaining the deprecation (with a "removed in dj-stripe 3.0" or some such)
VI. Moving other settings to the database.
On top of webhook secrets, we also have
DJSTRIPE_WEBHOOK_VALIDATION
andDJSTRIPE_WEBHOOK_TOLERANCE
settings which could be moved to the database, as part of the webhook administration. This would allow changing those settings on a per-webhook basis. I don't think we should block the release on this if it's not done by the time the rest is ready, but we should at least add the database fields for these (djstripe_tolerance_ms
anddjstripe_validation_type
).If we have those functional, the settings should be deprecated, but they will override the value in the db if set.
Consider making the db values nullable so we can retain a default in dj-stripe. No idea if that's the right way forward or not.
VII. Documentation updates
There are several documentation pages on webhooks, we need to ensure they are up to date and reflect our changes. This all needs to be detailed in the changelog for the next release as well, including the rationale.
Beta Was this translation helpful? Give feedback.
All reactions