Startseite Erkunden Hilfe
Registrieren Anmelden
URBANMS
/
EXCELIA_DBARR
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: master
Branches Tags
EXCELIA_DBARR
/
includes
/
stripe
/
stripe-php
/
lib
/
WebhookSignature.php

WebhookSignature.php 4.3 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. <?php
    2. 

  2. 

  3. namespace Stripe;
    4. 

  4. 

  5. abstract class WebhookSignature
    6. 

  6. {
    7. 

  7.     const EXPECTED_SCHEME = 'v1';
    8. 

  8. 

  9.     /**
    10. 

  10.      * Verifies the signature header sent by Stripe. Throws an
    11. 

  11.      * Exception\SignatureVerificationException exception if the verification fails for
    12. 

  12.      * any reason.
    13. 

  13.      *
    14. 

  14.      * @param string $payload the payload sent by Stripe
    15. 

  15.      * @param string $header the contents of the signature header sent by
    16. 

  16.      *  Stripe
    17. 

  17.      * @param string $secret secret used to generate the signature
    18. 

  18.      * @param int $tolerance maximum difference allowed between the header's
    19. 

  19.      *  timestamp and the current time
    20. 

  20.      *
    21. 

  21.      * @throws Exception\SignatureVerificationException if the verification fails
    22. 

  22.      *
    23. 

  23.      * @return bool
    24. 

  24.      */
    25. 

  25.     public static function verifyHeader($payload, $header, $secret, $tolerance = null)
    26. 

  26.     {
    27. 

  27.         // Extract timestamp and signatures from header
    28. 

  28.         $timestamp = self::getTimestamp($header);
    29. 

  29.         $signatures = self::getSignatures($header, self::EXPECTED_SCHEME);
    30. 

  30.         if (-1 === $timestamp) {
    31. 

  31.             throw Exception\SignatureVerificationException::factory(
    32. 

  32.                 'Unable to extract timestamp and signatures from header',
    33. 

  33.                 $payload,
    34. 

  34.                 $header
    35. 

  35.             );
    36. 

  36.         }
    37. 

  37.         if (empty($signatures)) {
    38. 

  38.             throw Exception\SignatureVerificationException::factory(
    39. 

  39.                 'No signatures found with expected scheme',
    40. 

  40.                 $payload,
    41. 

  41.                 $header
    42. 

  42.             );
    43. 

  43.         }
    44. 

  44. 

  45.         // Check if expected signature is found in list of signatures from
    46. 

  46.         // header
    47. 

  47.         $signedPayload = "{$timestamp}.{$payload}";
    48. 

  48.         $expectedSignature = self::computeSignature($signedPayload, $secret);
    49. 

  49.         $signatureFound = false;
    50. 

  50.         foreach ($signatures as $signature) {
    51. 

  51.             if (Util\Util::secureCompare($expectedSignature, $signature)) {
    52. 

  52.                 $signatureFound = true;
    53. 

  53. 

  54.                 break;
    55. 

  55.             }
    56. 

  56.         }
    57. 

  57.         if (!$signatureFound) {
    58. 

  58.             throw Exception\SignatureVerificationException::factory(
    59. 

  59.                 'No signatures found matching the expected signature for payload',
    60. 

  60.                 $payload,
    61. 

  61.                 $header
    62. 

  62.             );
    63. 

  63.         }
    64. 

  64. 

  65.         // Check if timestamp is within tolerance
    66. 

  66.         if (($tolerance > 0) && (\abs(\time() - $timestamp) > $tolerance)) {
    67. 

  67.             throw Exception\SignatureVerificationException::factory(
    68. 

  68.                 'Timestamp outside the tolerance zone',
    69. 

  69.                 $payload,
    70. 

  70.                 $header
    71. 

  71.             );
    72. 

  72.         }
    73. 

  73. 

  74.         return true;
    75. 

  75.     }
    76. 

  76. 

  77.     /**
    78. 

  78.      * Extracts the timestamp in a signature header.
    79. 

  79.      *
    80. 

  80.      * @param string $header the signature header
    81. 

  81.      *
    82. 

  82.      * @return int the timestamp contained in the header, or -1 if no valid
    83. 

  83.      *  timestamp is found
    84. 

  84.      */
    85. 

  85.     private static function getTimestamp($header)
    86. 

  86.     {
    87. 

  87.         $items = \explode(',', $header);
    88. 

  88. 

  89.         foreach ($items as $item) {
    90. 

  90.             $itemParts = \explode('=', $item, 2);
    91. 

  91.             if ('t' === $itemParts[0]) {
    92. 

  92.                 if (!\is_numeric($itemParts[1])) {
    93. 

  93.                     return -1;
    94. 

  94.                 }
    95. 

  95. 

  96.                 return (int) ($itemParts[1]);
    97. 

  97.             }
    98. 

  98.         }
    99. 

  99. 

  100.         return -1;
    101. 

  101.     }
    102. 

  102. 

  103.     /**
    104. 

  104.      * Extracts the signatures matching a given scheme in a signature header.
    105. 

  105.      *
    106. 

  106.      * @param string $header the signature header
    107. 

  107.      * @param string $scheme the signature scheme to look for
    108. 

  108.      *
    109. 

  109.      * @return array the list of signatures matching the provided scheme
    110. 

  110.      */
    111. 

  111.     private static function getSignatures($header, $scheme)
    112. 

  112.     {
    113. 

  113.         $signatures = [];
    114. 

  114.         $items = \explode(',', $header);
    115. 

  115. 

  116.         foreach ($items as $item) {
    117. 

  117.             $itemParts = \explode('=', $item, 2);
    118. 

  118.             if (\trim($itemParts[0]) === $scheme) {
    119. 

  119.                 $signatures[] = $itemParts[1];
    120. 

  120.             }
    121. 

  121.         }
    122. 

  122. 

  123.         return $signatures;
    124. 

  124.     }
    125. 

  125. 

  126.     /**
    127. 

  127.      * Computes the signature for a given payload and secret.
    128. 

  128.      *
    129. 

  129.      * The current scheme used by Stripe ("v1") is HMAC/SHA-256.
    130. 

  130.      *
    131. 

  131.      * @param string $payload the payload to sign
    132. 

  132.      * @param string $secret the secret used to generate the signature
    133. 

  133.      *
    134. 

  134.      * @return string the signature as a string
    135. 

  135.      */
    136. 

  136.     private static function computeSignature($payload, $secret)
    137. 

  137.     {
    138. 

  138.         return \hash_hmac('sha256', $payload, $secret);
    139. 

  139.     }
    140. 

  140. }
    141.