From 074e2aa3651b9cdba0ce5a4e53dfdf4bd02f951a Mon Sep 17 00:00:00 2001
From: Olivier Bellone
Date: Thu, 30 May 2019 22:09:04 -0700
Subject: [PATCH] Verify signature before deserializing event
---
 stripe/webhook.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/stripe/webhook.py b/stripe/webhook.py
index f4d4e4f62..8f43f6ed6 100644
--- a/stripe/webhook.py
+++ b/stripe/webhook.py
@@ -18,13 +18,12 @@ def construct_event(
 ):
 if hasattr(payload, "decode"):
 payload = payload.decode("utf-8")
- if api_key is None:
- api_key = stripe.api_key
- data = json.loads(payload)
- event = stripe.Event.construct_from(data, api_key)
 WebhookSignature.verify_header(payload, sig_header, secret, tolerance)
+ data = json.loads(payload)
+ event = stripe.Event.construct_from(data, api_key or stripe.api_key)
+ return event
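Review bot: The `api_key or stripe.api_key` fallback on the new `construct_from` line is not equivalent to the removed `if api_key is None:` check, because any falsy value such as an empty string is now silently replaced by the global key; `api_key if api_key is not None else stripe.api_key` would keep the old contract. The call order is now the security property of this function, yet nothing marks it, so a comment above `WebhookSignature.verify_header(...)` such as `# Payload is untrusted until the signature check passes; do not parse or construct anything from it above this line.` would keep a later refactor from moving `json.loads` back up. `payload.decode("utf-8")` still runs before verification, so bytes that are not valid UTF-8 would presumably surface as `UnicodeDecodeError` rather than a signature error, which may deserve explicit handling or a test. The `def` line and parameter list of `construct_event` lie outside the hunk, so this is based on the visible lines only.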