Commit 8db3a32a authored by Pelle Koster's avatar Pelle Koster

whitelist only stripe ips for webhook endpoint

parent 6144e4a0
......@@ -136,3 +136,5 @@ LOGGING = {
"level": "INFO",
},
}
STRIPE_WEBHOOK_ALLOWED_IPS = ["*"]
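Review bot: The wildcard default `STRIPE_WEBHOOK_ALLOWED_IPS = ["*"]` makes the allowlist fail-open for every settings module that does not override it, so only deployments that load the production settings get the IP restriction this commit introduces. That is a workable development default, but the meaning of `"*"` is decided inside `whitelist_ips`, which is not in this diff, and nothing on this line records it; a short comment would help, e.g. `# "*" disables the IP allowlist (development only); the production settings set Stripe's webhook IPs`. The signature check that `stripe_event` appears to perform via `stripe.read_event` remains the control that keeps forged payloads out, so this allowlist should be documented as defense in depth rather than as the authentication of the endpoint.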
......@@ -30,3 +30,18 @@ STATIC_URL = os.getenv("STATIC_URL", "/static/") # noqa: F405
STATIC_ROOT = os.getenv("STATIC_ROOT", "staticfiles/") # noqa: F405
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
STRIPE_WEBHOOK_ALLOWED_IPS = [
"3.18.12.63",
"3.130.192.231",
"13.235.14.237",
"13.235.122.149",
"18.211.135.69",
"35.154.171.200",
"52.15.183.38",
"54.88.130.119",
"54.88.130.237",
"54.187.174.169",
"54.187.205.235",
"54.187.216.72",
]
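Review bot: The production allowlist is a hard-coded snapshot of Stripe's webhook source addresses with no record of where it came from or when; Stripe publishes that list and can change it, and an unannounced rotation would make the decorator on `stripe_event` answer 403 to legitimate events until missing invoices are noticed. A header comment naming the source and date of the snapshot makes the drift visible: `# Stripe webhook source IPs, copied from Stripe's published list on <DATE-PLACEHOLDER>; refresh when Stripe announces changes`. Consider also reading the list from an environment variable, as `STATIC_URL` and `STATIC_ROOT` already are a few lines above, so a refresh does not require a code change, and consider alerting on 403 responses from this endpoint so a stale list is detected rather than silently dropping events.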
import logging
from typing import Union
import requests
from django import forms
from django.http import Http404, HttpResponse
from django.shortcuts import redirect, render
from django.views.decorators.http import require_POST, require_http_methods, require_GET
from django.views.decorators.csrf import csrf_exempt
import requests
from django.views.decorators.http import require_GET, require_http_methods, require_POST
from stripe_checkout.stripe_checkout.shopping_cart import ShoppingCart
from .models import Event, ExchangeRate
from . import stripe
from .models import Event, ExchangeRate
from .shopping_cart import ShoppingCart
from .utils import whitelist_ips
from .visit import VisitorAPI
logger = logging.getLogger(__name__)
......@@ -67,7 +68,7 @@ def create_invoice(visitor, data):
customer,
purchase_order=data["purchase_order"],
vat_number=data["vat_number"],
gbp_exchange_rate=exchange_rate
gbp_exchange_rate=exchange_rate,
)
......@@ -88,6 +89,7 @@ def checkout_success(request, visitor_id):
@csrf_exempt
@require_POST
@whitelist_ips(by_setting="STRIPE_WEBHOOK_ALLOWED_IPS")
def stripe_event(request):
try:
event = stripe.read_event(request.body, request.headers.get("Stripe-Signature"))
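Review bot: `whitelist_ips` comes from `.utils`, outside this diff, so the hunk does not show which address it compares against the setting; if it uses `REMOTE_ADDR` the check is only meaningful when the app is reached directly, since behind a reverse proxy or load balancer every request carries the proxy's address, and if it uses a forwarding header such as `X-Forwarded-For` the value is only trustworthy when the proxy overwrites that header. The review should confirm which one it uses and that the deployment matches, and a comment on the decorator line should record the decision, e.g. `# rejects non-Stripe source IPs before signature verification; see utils.whitelist_ips for how the client address is derived`. The decorator order looks right: the IP check runs after `require_POST` and before the signature check on the next line, so the signature verification stays the authoritative check. The body of `stripe_event` continues outside the hunk.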
......@@ -43,7 +43,7 @@ def test_exchange_rate(client, default_exchange_rate, visitor_id):
call_args = stripe.Invoice.create.call_args[1]
assert call_args["custom_fields"][0] == {
"name": "GBP VAT Rate",
"value": "GBP 1.60 (0.8000)" ,
"value": "GBP 1.60 (0.8000)",
}
......@@ -62,3 +62,23 @@ def test_event_webhook(client):
)
assert rv.status_code == 200
assert Event.objects.exists()
@responses.activate
@pytest.mark.django_db
def test_event_webhook_disallowed_when_not_whitelisted(client, settings):
settings.STRIPE_WEBHOOK_ALLOWED_IPS = ["1.1.1.1"]
with patch(
"stripe.Webhook.construct_event", side_effect=lambda b, *_: json.loads(b)
):
rv = client.post(
"/stripe-event-webhook/",
json.dumps(
{
"type": "invoice.paid",
"data": {"object": {"id": "stripe-invoice"}},
}
),
content_type="application/json",
)
assert rv.status_code == 403
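Review bot: The new test only shows that a non-wildcard list rejects the test client, which would also pass if `whitelist_ips` denied everything except `"*"`; no case proves that an address actually on the list is admitted. A companion test that sets `settings.STRIPE_WEBHOOK_ALLOWED_IPS = ["127.0.0.1"]` (the address the Django test client reports as `REMOTE_ADDR`) and expects 200 would pin the positive path, and a case that supplies an `X-Forwarded-For` value on the list while `REMOTE_ADDR` is not would document whether the decorator trusts proxy headers, whichever answer is intended. The earlier `test_event_webhook` appears to rely on the base `["*"]` default, which is worth stating in a comment on that test so a future change to the default does not break it unexpectedly.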