Fixed Verify webhook with signing secret is required, but UI implies it is optional

Xon

Well-known member
Affected version
2.1.2
If the "Verify webhook with signing secret" option for a Stripe profile is not enabled and filled in, then any webhook will be rejected with: "Webhook received from Stripe could not be verified as being valid"

The wording and UX behaviour imply this would be optional; instead, it causes the webhook to always fail verification.
 
Oops :rolleyes:
PHP:
if (empty($paymentProfile->options['signing_secret']) || empty($state->signature))
{
   return false;
}
Changing to:
PHP:
if (empty($paymentProfile->options['signing_secret']))
{
   return true; // not enabled so pass
}

if (empty($state->signature))
{
   return false; // enabled but signature missing so fail
}
 
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.3).

Change log:
If a webhook signing signature is not entered, skip verifying the provided signature.
Any changes made as a result of this issue being resolved may not be rolled out here until later.
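
The three outcomes of the corrected check (verification skipped, signature missing, signature checked), written out as an added example that is not part of the original posts and is not XenForo's code. It assumes Stripe's documented `Stripe-Signature` header format and a 300-second timestamp tolerance; the function name, return values and sample data are hypothetical.

```php
<?php
// Added example: names are hypothetical and this is not XenForo's code.
// Returns 'skipped' (no secret configured), 'valid' or 'invalid'.
function verifyStripeSignature(string $body, ?string $header, ?string $secret,
    int $now, int $tolerance = 300): string
{
    if ($secret === null || $secret === '') {
        return 'skipped'; // not enabled: caller accepts the webhook unverified
    }
    if ($header === null || $header === '') {
        return 'invalid'; // enabled but signature missing
    }

    // Header format: "t=<unix time>,v1=<hex HMAC>[,v1=<hex HMAC>...]"
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $pair = explode('=', trim($part), 2);
        if (count($pair) !== 2) {
            continue;
        }
        if ($pair[0] === 't' && ctype_digit($pair[1])) {
            $timestamp = $pair[1];
        } elseif ($pair[0] === 'v1') {
            $candidates[] = $pair[1];
        }
    }
    if ($timestamp === null || abs($now - (int) $timestamp) > $tolerance) {
        return 'invalid'; // missing or stale timestamp
    }

    // The signed payload is "<timestamp>.<raw request body>", HMAC-SHA256.
    $expected = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    foreach ($candidates as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return 'valid';
        }
    }
    return 'invalid';
}

// Constructed sample values, not real Stripe data.
$secret = 'whsec_constructed_example';
$body = '{"id":"evt_constructed","type":"charge.succeeded"}';
$now = 1700000000;
$header = "t=$now,v1=" . hash_hmac('sha256', "$now.$body", $secret);

foreach ([[$header, $secret], [null, $secret], [$header, ''], [$header, 'whsec_other']] as [$h, $s]) {
    echo verifyStripeSignature($body, $h, $s, $now), PHP_EOL;
}
```

Returning a distinct `skipped` state rather than a bare `true` lets the caller log when a webhook was accepted without signature verification.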
 