TrimStrings middleware breaks signature verification - Part 3 #173
Comments
It should not be possible to trigger this as these strings are trimmed before the paylink is generated: https://github.com/laravel/cashier-paddle/blob/1.x/src/Concerns/PerformsCharges.php#L77 I disagree that this is a Cashier issue. Clearly, as Paddle indicates themselves this is a Paddle issue. It's up to Paddle to make sure that whitespace does not matter here like other payment providers do (Stripe for example).
Hey Dries, totally understand that and I know it's not normal to get a field with additional whitespace. I just sent the passthrough parameter manually and built it like Cashier builds it. So this issue is not related to generated paylinks from Cashier in any way. But long story short, I just "fixed" it like @BKirev described in #152 by adding Thanks!
@goeki85 ah that's actually a good solution that I hadn't thought of. Thanks for sharing 👍
Whoa thanks, it was an annoying issue for me, but adding
Thanks @goeki85 and to those in part 1 and part 2. This one had me stumped. For those on Laravel 11:

```php
// bootstrap/app.php
->withMiddleware(function (Middleware $middleware) {
    $middleware->trimStrings(except: ['customer_name']);
})
```

Paddle verifies the signature based on the input as they have it on their end. If Cashier receives strings that have been trimmed the signature verification fails. The fields need to stay as they are. laravel#120 laravel#152 laravel#173
Description:
This issue is already described in #120 and #152
Cashier responds with a 403 error to the webhook `subscription_payment_succeeded` from Paddle if the field `customer_name` inside the webhook payload has any whitespace before or after the given string ( John Doe) or (John Doe ).
I had lots of conversations about this with Paddle support. Here are the important parts:
I also think that this would be the solution. So in the first step, Cashier should ignore the payload and only check if the signature is correct. Then, if the signature is correct the whitespaces can be trimmed and manipulated in step 2.
So during the validation (Step 1), Cashier should not sanitize the incoming data. It should accept it as it comes from Paddle. After the validation took place, the spaces can be trimmed.
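
The failure and the verify-then-trim order described in this issue, as an added example that is not Cashier's or Paddle's code. The key pair, the `signature` field name, the sample payload and the `signFields`/`verifyFields` helpers are constructed for illustration, and RSA over a key-sorted, serialized field array stands in for the provider's signing scheme.

```php
<?php
// Added illustration: key pair, payload and helper names are constructed.

// Sender side (stand-in for the payment provider): sign the fields as sent.
function signFields(array $fields, $privateKey): string
{
    ksort($fields);
    $data = serialize(array_map('strval', $fields));
    openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return base64_encode($signature);
}

// Receiver side: verify over the fields exactly as received.
function verifyFields(array $payload, string $publicKeyPem): bool
{
    $signature = base64_decode($payload['signature'] ?? '', true);
    if ($signature === false || $signature === '') {
        return false; // missing or malformed signature
    }
    unset($payload['signature']);
    ksort($payload);
    $data = serialize(array_map('strval', $payload));
    return openssl_verify($data, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKeyPem = openssl_pkey_get_details($key)['key'];

// Constructed webhook fields; customer_name carries a leading space.
$fields = [
    'alert_name'    => 'subscription_payment_succeeded',
    'customer_name' => ' John Doe',
];
$raw = $fields + ['signature' => signFields($fields, $key)];

// What the handler sees when a global string-trimming middleware runs first.
$trimmed = array_map('trim', $raw);

echo 'verify(trimmed): ', var_export(verifyFields($trimmed, $publicKeyPem), true), PHP_EOL;
echo 'verify(raw):     ', var_export(verifyFields($raw, $publicKeyPem), true), PHP_EOL;

// Sanitize only after the signature over the raw fields has been accepted.
if (verifyFields($raw, $publicKeyPem)) {
    $clean = array_map('trim', $raw);
    echo 'customer_name after trim: ', var_export($clean['customer_name'], true), PHP_EOL;
}
```

Trimming changes the serialized bytes the signature covers, so the trimmed copy is rejected while the untouched payload verifies.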