diff --git a/src/Billing/BillingSettings.cs b/src/Billing/BillingSettings.cs index fe829dc3dd..06027952cf 100644 --- a/src/Billing/BillingSettings.cs +++ b/src/Billing/BillingSettings.cs @@ -5,7 +5,7 @@ public class BillingSettings public virtual string JobsKey { get; set; } public virtual string StripeWebhookKey { get; set; } public virtual string StripeWebhookSecret { get; set; } - public virtual bool StripeEventParseThrowMismatch { get; set; } = true; + public virtual string StripeWebhookSecret20231016 { get; set; } public virtual string BitPayWebhookKey { get; set; } public virtual string AppleWebhookKey { get; set; } public virtual FreshDeskSettings FreshDesk { get; set; } = new FreshDeskSettings(); diff --git a/src/Billing/Controllers/StripeController.cs b/src/Billing/Controllers/StripeController.cs index 37378184d7..2187f98a80 100644 --- a/src/Billing/Controllers/StripeController.cs +++ b/src/Billing/Controllers/StripeController.cs @@ -1,4 +1,5 @@ using Bit.Billing.Constants; +using Bit.Billing.Models; using Bit.Billing.Services; using Bit.Core.AdminConsole.Entities; using Bit.Core.Context; @@ -19,6 +20,7 @@ using Microsoft.Extensions.Options; using Stripe; using Customer = Stripe.Customer; using Event = Stripe.Event; +using JsonSerializer = System.Text.Json.JsonSerializer; using PaymentMethod = Stripe.PaymentMethod; using Subscription = Stripe.Subscription; using Transaction = Bit.Core.Entities.Transaction; @@ -109,9 +111,27 @@ public class StripeController : Controller using (var sr = new StreamReader(HttpContext.Request.Body)) { var json = await sr.ReadToEndAsync(); + var webhookSecret = PickStripeWebhookSecret(json); + + if (string.IsNullOrEmpty(webhookSecret)) + { + return new OkResult(); + } + parsedEvent = EventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"], - _billingSettings.StripeWebhookSecret, - throwOnApiVersionMismatch: _billingSettings.StripeEventParseThrowMismatch); + webhookSecret, + throwOnApiVersionMismatch: false); + } + + if (StripeConfiguration.ApiVersion != parsedEvent.ApiVersion) + { + _logger.LogWarning( + "Stripe {WebhookType} webhook's API version ({WebhookAPIVersion}) does not match SDK API Version ({SDKAPIVersion})", + parsedEvent.Type, + parsedEvent.ApiVersion, + StripeConfiguration.ApiVersion); + + return new OkResult(); } if (string.IsNullOrWhiteSpace(parsedEvent?.Id)) @@ -872,4 +892,25 @@ public class StripeController : Controller await invoiceService.VoidInvoiceAsync(invoice.Id); } } + + private string PickStripeWebhookSecret(string webhookBody) + { + var versionContainer = JsonSerializer.Deserialize(webhookBody); + + return versionContainer.ApiVersion switch + { + "2023-10-16" => _billingSettings.StripeWebhookSecret20231016, + "2022-08-01" => _billingSettings.StripeWebhookSecret, + _ => HandleDefault(versionContainer.ApiVersion) + }; + + string HandleDefault(string version) + { + _logger.LogWarning( + "Stripe webhook contained an recognized 'api_version': {ApiVersion}", + version); + + return null; + } + } } diff --git a/src/Billing/Models/StripeWebhookVersionContainer.cs b/src/Billing/Models/StripeWebhookVersionContainer.cs new file mode 100644 index 0000000000..594a0f0ed5 --- /dev/null +++ b/src/Billing/Models/StripeWebhookVersionContainer.cs @@ -0,0 +1,9 @@ +using System.Text.Json.Serialization; + +namespace Bit.Billing.Models; + +public class StripeWebhookVersionContainer +{ + [JsonPropertyName("api_version")] + public string ApiVersion { get; set; } +} diff --git a/src/Billing/appsettings.json b/src/Billing/appsettings.json index 27a35cf1f6..93d103aa80 100644 --- a/src/Billing/appsettings.json +++ b/src/Billing/appsettings.json @@ -62,7 +62,7 @@ "jobsKey": "SECRET", "stripeWebhookKey": "SECRET", "stripeWebhookSecret": "SECRET", - "stripeEventParseThrowMismatch": true, + "stripeWebhookSecret20231016": "SECRET", "bitPayWebhookKey": "SECRET", "appleWebhookKey": "SECRET", "payPal": { diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj index f50412495b..0edcd05821 100644 --- a/src/Core/Core.csproj +++ b/src/Core/Core.csproj @@ -52,7 +52,7 @@ - + diff --git a/test/Billing.Test/Resources/Events/charge.succeeded.json b/test/Billing.Test/Resources/Events/charge.succeeded.json index e88efa4079..a5446a11d1 100644 --- a/test/Billing.Test/Resources/Events/charge.succeeded.json +++ b/test/Billing.Test/Resources/Events/charge.succeeded.json @@ -1,7 +1,7 @@ { "id": "evt_3NvKgBIGBnsLynRr0pJJqudS", "object": "event", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695909300, "data": { "object": { diff --git a/test/Billing.Test/Resources/Events/customer.subscription.updated.json b/test/Billing.Test/Resources/Events/customer.subscription.updated.json index 1a128c1508..dbd30f1c4c 100644 --- a/test/Billing.Test/Resources/Events/customer.subscription.updated.json +++ b/test/Billing.Test/Resources/Events/customer.subscription.updated.json @@ -1,7 +1,7 @@ { "id": "evt_1NvLMDIGBnsLynRr6oBxebrE", "object": "event", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695911902, "data": { "object": { diff --git a/test/Billing.Test/Resources/Events/customer.updated.json b/test/Billing.Test/Resources/Events/customer.updated.json index 323a9b9ba5..c2445c24e2 100644 --- a/test/Billing.Test/Resources/Events/customer.updated.json +++ b/test/Billing.Test/Resources/Events/customer.updated.json @@ -2,7 +2,7 @@ "id": "evt_1NvKjSIGBnsLynRrS3MTK4DZ", "object": "event", "account": "acct_19smIXIGBnsLynRr", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695909502, "data": { "object": { diff --git a/test/Billing.Test/Resources/Events/invoice.created.json b/test/Billing.Test/Resources/Events/invoice.created.json index b70442ed36..4c3c85233d 100644 --- a/test/Billing.Test/Resources/Events/invoice.created.json +++ b/test/Billing.Test/Resources/Events/invoice.created.json @@ -1,7 +1,7 @@ { "id": "evt_1NvKzfIGBnsLynRr0SkwrlkE", "object": "event", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695910506, "data": { "object": { diff --git a/test/Billing.Test/Resources/Events/invoice.upcoming.json b/test/Billing.Test/Resources/Events/invoice.upcoming.json index 7b9055d497..056f3a2d1c 100644 --- a/test/Billing.Test/Resources/Events/invoice.upcoming.json +++ b/test/Billing.Test/Resources/Events/invoice.upcoming.json @@ -1,7 +1,7 @@ { "id": "evt_1Nv0w8IGBnsLynRrZoDVI44u", "object": "event", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695833408, "data": { "object": { diff --git a/test/Billing.Test/Resources/Events/payment_method.attached.json b/test/Billing.Test/Resources/Events/payment_method.attached.json index 40e6972bdd..9b65630646 100644 --- a/test/Billing.Test/Resources/Events/payment_method.attached.json +++ b/test/Billing.Test/Resources/Events/payment_method.attached.json @@ -1,7 +1,7 @@ { "id": "evt_1NvKzcIGBnsLynRrPJ3hybkd", "object": "event", - "api_version": "2022-08-01", + "api_version": "2023-10-16", "created": 1695910504, "data": { "object": {