TrimStrings middleware breaks signature verification - Part 2 #152

Closed
BKirev opened this issue Jan 31, 2022 · 3 comments

@BKirev
Contributor

BKirev commented Jan 31, 2022

  • Cashier Paddle Version: 1.4.8
  • Laravel Version: 8.49.2
  • PHP Version: 7.4.3
  • Database Driver & Version: mysql Ver 8.0.27-0ubuntu0.20.04.1 for Linux on x86_64

Description:

The issue seems to be similar to #120

I've noticed that sometimes webhooks (subscription_payment_succeeded and payment_succeeded) are failing with an invalid signature exception. Upon further investigation I've discovered that the only similar thing between them is that the customers have one customer_name, e.g. (whitespace)John, instead of John Doe. All such customers have this whitespace.

It looks like this:
[image: screenshot from Paddle]

I've contacted Paddle's support and reported the issue there as well, as I think it could be something on their side.

My solution:

Adding customer_name to $except in TrimStrings middleware.

@driesvints
Member

I need code to reproduce this.

@BKirev
Contributor Author

BKirev commented Feb 1, 2022

I believe you should be able to reproduce it like this from Paddle's webhook alert test page:

[image]

Here's what Paddle had to say about having one name only in the customer_name field:

[image]

Like mentioned in the OP, I believe the whitespace comes from them, for some reason. They said they'll look into it.

@driesvints
Member

This is something we have no control over. For the reason above specifically, we trim each string value in the payload sent to Paddle to generate the pay link: https://github.com/laravel/cashier-paddle/blob/1.x/src/Concerns/PerformsCharges.php#L77

This is a Paddle limitation that we have no control over, sorry.

patrickomeara added a commit to patrickomeara/cashier-paddle that referenced this issue Aug 7, 2024
Paddle verifies the signature based on the input as they have it on their end. If Cashier receives strings that have been trimmed the signature verification fails. The fields need to stay as they are.

laravel#120
laravel#152
laravel#173
taylorotwell pushed a commit that referenced this issue Aug 8, 2024
Paddle verifies the signature based on the input as they have it on their end. If Cashier receives strings that have been trimmed the signature verification fails. The fields need to stay as they are.

#120
#152
#173
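
The failure discussed in this thread, as an added example that is not code from the thread, from Cashier or from Paddle: a signature computed over the sender's exact field values stops verifying once the receiver trims a string before rebuilding the signed data. It assumes the Paddle Classic webhook scheme (RSA with SHA-1 over `serialize()` of the key-sorted fields) and an OpenSSL build that still permits SHA-1 signatures; the function names, the throwaway key pair and the payload are constructed for illustration.

```php
<?php
// Added illustration, not Cashier's or Paddle's code. Key pair and payload are constructed.

// Sender side: sign the serialized, key-sorted fields (values cast to string).
function signPayload(array $fields, $privateKey): string
{
    ksort($fields);
    openssl_sign(serialize(array_map('strval', $fields)), $signature, $privateKey, OPENSSL_ALGO_SHA1);
    return base64_encode($signature);
}

// Receiver side: rebuild the same byte string from the request and check p_signature.
function verifyPayload(array $request, string $publicKey): bool
{
    $signature = base64_decode($request['p_signature']);
    unset($request['p_signature']);
    ksort($request);
    $data = serialize(array_map('strval', $request));
    return openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA1) === 1;
}

// Hypothetical stand-in for a trim-all-strings middleware with an $except list.
function trimStrings(array $input, array $except = []): array
{
    foreach ($input as $key => $value) {
        if (is_string($value) && !in_array($key, $except, true)) {
            $input[$key] = trim($value);
        }
    }
    return $input;
}

// Throwaway key pair generated for this demo only.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKey = openssl_pkey_get_details($key)['key'];

// Constructed webhook fields; customer_name carries the leading space from the report.
$fields = [
    'alert_name'    => 'subscription_payment_succeeded',
    'customer_name' => ' John',
    'email'         => 'john@example.com',
];
$request = $fields + ['p_signature' => signPayload($fields, $key)];

var_dump(verifyPayload($request, $publicKey));                                 // request as received
var_dump(verifyPayload(trimStrings($request), $publicKey));                    // every string trimmed
var_dump(verifyPayload(trimStrings($request, ['customer_name']), $publicKey)); // customer_name excepted
```

Only the second call fails: trimming turns `s:5:" John"` into `s:4:"John"` in the serialized data, so the bytes being verified no longer match the bytes that were signed.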