[AC-1980] Upgrade Stripe.net (#3596)

* Upgrade Stripe.net * Don't process mismatched version webhooks * Manually handle API mismatch in Stripe webhook * Pivot webhook secret off webhook version
2025-07-04 01:22:50 -05:00 · 2024-01-31 08:19:29 -05:00
parent 02b10abaf8
commit 2ad4bb8a79
11 changed files with 61 additions and 11 deletions
--- a/src/Billing/Controllers/StripeController.cs
+++ b/src/Billing/Controllers/StripeController.cs
@ -1,4 +1,5 @@
 using Bit.Billing.Constants;
+using Bit.Billing.Models;
 using Bit.Billing.Services;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Context;
@ -19,6 +20,7 @@ using Microsoft.Extensions.Options;
 using Stripe;
 using Customer = Stripe.Customer;
 using Event = Stripe.Event;
+using JsonSerializer = System.Text.Json.JsonSerializer;
 using PaymentMethod = Stripe.PaymentMethod;
 using Subscription = Stripe.Subscription;
 using Transaction = Bit.Core.Entities.Transaction;
@ -109,9 +111,27 @@ public class StripeController : Controller
        using (var sr = new StreamReader(HttpContext.Request.Body))
        {
            var json = await sr.ReadToEndAsync();
+            var webhookSecret = PickStripeWebhookSecret(json);
+
+            if (string.IsNullOrEmpty(webhookSecret))
+            {
+                return new OkResult();
+            }
+
            parsedEvent = EventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"],
-                _billingSettings.StripeWebhookSecret,
-                throwOnApiVersionMismatch: _billingSettings.StripeEventParseThrowMismatch);
+                webhookSecret,
+                throwOnApiVersionMismatch: false);
+        }
+
+        if (StripeConfiguration.ApiVersion != parsedEvent.ApiVersion)
+        {
+            _logger.LogWarning(
+                "Stripe {WebhookType} webhook's API version ({WebhookAPIVersion}) does not match SDK API Version ({SDKAPIVersion})",
+                parsedEvent.Type,
+                parsedEvent.ApiVersion,
+                StripeConfiguration.ApiVersion);
+
+            return new OkResult();
        }

        if (string.IsNullOrWhiteSpace(parsedEvent?.Id))
@ -872,4 +892,25 @@ public class StripeController : Controller
            await invoiceService.VoidInvoiceAsync(invoice.Id);
        }
    }
+
+    private string PickStripeWebhookSecret(string webhookBody)
+    {
+        var versionContainer = JsonSerializer.Deserialize<StripeWebhookVersionContainer>(webhookBody);
+
+        return versionContainer.ApiVersion switch
+        {
+            "2023-10-16" => _billingSettings.StripeWebhookSecret20231016,
+            "2022-08-01" => _billingSettings.StripeWebhookSecret,
+            _ => HandleDefault(versionContainer.ApiVersion)
+        };
+
+        string HandleDefault(string version)
+        {
+            _logger.LogWarning(
+                "Stripe webhook contained an recognized 'api_version': {ApiVersion}",
+                version);
+
+            return null;
+        }
+    }
 }