From c2df445ac25dcfe1ad85405cb0ed1cf99d008955 Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Sat, 12 Aug 2017 22:30:44 -0400
Subject: [PATCH] added stripe webhook signature checking
---
 src/Billing/BillingSettings.cs | 1 +
 src/Billing/Controllers/StripeController.cs | 14 +++++++++++---
 src/Billing/Startup.cs | 1 -
 src/Billing/settings.json | 3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/Billing/BillingSettings.cs b/src/Billing/BillingSettings.cs
index 25b4e3cb40..358a1c807b 100644
--- a/src/Billing/BillingSettings.cs
+++ b/src/Billing/BillingSettings.cs
@@ -3,5 +3,6 @@ public class BillingSettings
 {
 public virtual string StripeWebhookKey { get; set; }
+ public virtual string StripeWebhookSecret { get; set; }
 }
 }
diff --git a/src/Billing/Controllers/StripeController.cs b/src/Billing/Controllers/StripeController.cs
index 092cc93335..d8cd23f276 100644
--- a/src/Billing/Controllers/StripeController.cs
+++ b/src/Billing/Controllers/StripeController.cs
@@ -5,6 +5,7 @@ using Microsoft.Extensions.Options;
 using Stripe;
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Threading.Tasks;
 namespace Bit.Billing.Controllers
@@ -30,14 +31,21 @@ namespace Bit.Billing.Controllers
 }
 [HttpPost("webhook")]
- public async Task PostWebhook([FromBody]dynamic body, [FromQuery] string key)
+ public async Task PostWebhook([FromQuery] string key)
 {
- if(body == null || key != _billingSettings.StripeWebhookKey)
+ if(key != _billingSettings.StripeWebhookKey)
 {
 return new BadRequestResult();
 }
- StripeEvent parsedEvent = StripeEventUtility.ParseEventDataItem(body);
+ StripeEvent parsedEvent;
+ using(var sr = new StreamReader(HttpContext.Request.Body))
+ {
+ var json = await sr.ReadToEndAsync();
+ parsedEvent = StripeEventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"], _billingSettings.StripeWebhookSecret);
+ }
+
 if(string.IsNullOrWhiteSpace(parsedEvent?.Id))
 {
 return new BadRequestResult();
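Review bot: The new `StripeWebhookSecret` property sits directly under `StripeWebhookKey` with nothing to tell a maintainer which is which, and in this commit they play different roles: the key is compared against the `key` query-string parameter in `StripeController.PostWebhook`, while the secret is handed to `StripeEventUtility.ConstructEvent` to verify the `Stripe-Signature` header. I would add XML doc comments on both, e.g. `/// <summary>Shared token expected in the webhook URL's <c>key</c> query parameter.</summary>` on the existing property and `/// <summary>Stripe endpoint signing secret used to verify the <c>Stripe-Signature</c> header of incoming webhook requests.</summary>` on the new one. That also makes it clear to whoever fills in settings that the secret is the per-endpoint signing secret issued by Stripe, not an API key.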
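Review bot: `StripeEventUtility.ConstructEvent` throws a `StripeException` when the `Stripe-Signature` header is missing or does not verify against `StripeWebhookSecret`, and nothing in the new `using` block catches it, so a request with a bad or absent signature surfaces as an unhandled exception (a 500) instead of the `BadRequestResult` the surrounding checks return. Wrapping the call in `try { ... } catch(StripeException) { return new BadRequestResult(); }` makes a failed verification an explicit, consistent rejection, and if the controller has a logger available that branch is worth recording, since a signature failure is the one signal that someone other than Stripe is posting to this endpoint. Reading the raw body through `StreamReader` before parsing is the right approach here, because the signature covers the exact bytes Stripe sent and model binding would have discarded them. The `key != _billingSettings.StripeWebhookKey` check just above is an ordinary string comparison; with the signature now verifying the payload it is at most a secondary gate, and a comment saying so, e.g. `// Query-string key is a coarse pre-filter; the Stripe-Signature check below is authoritative.`, would keep a later reader from treating it as the primary control. PostWebhook's body continues past the end of the hunk.
```csharp
            StripeEvent parsedEvent;
            using(var sr = new StreamReader(HttpContext.Request.Body))
            {
                var json = await sr.ReadToEndAsync();
                try
                {
                    parsedEvent = StripeEventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"],
                        _billingSettings.StripeWebhookSecret);
                }
                catch(StripeException)
                {
                    // Signature header missing, malformed, or not matching StripeWebhookSecret:
                    // reject explicitly rather than letting the exception surface as a 500.
                    return new BadRequestResult();
                }
            }
            // … unchanged: parsedEvent?.Id check and the rest of PostWebhook …
```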
diff --git a/src/Billing/Startup.cs b/src/Billing/Startup.cs
index e384955ca4..a3fd900876 100644
--- a/src/Billing/Startup.cs
+++ b/src/Billing/Startup.cs
@@ -10,7 +10,6 @@ using Bit.Core.Utilities;
 using Serilog.Events;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection.Extensions;
-using Microsoft.AspNetCore.HttpOverrides;
 namespace Bit.Billing
 {
diff --git a/src/Billing/settings.json b/src/Billing/settings.json
index eac966c20a..935233c0df 100644
--- a/src/Billing/settings.json
+++ b/src/Billing/settings.json
@@ -36,7 +36,8 @@
 }
 },
 "billingSettings": {
- "stripeWebhookKey": "SECRET"
+ "stripeWebhookKey": "SECRET",
+ "stripeWebhookSecret": "SECRET"
 },
 "braintree": {
 "production": false,