feat: Stripe webhook signing secret (#21)

* refactor: Add stripe-client * feat: Add middleware to handle Stripe webhook signing
hygraph · Mar 18, 2021 · a75467e · a75467e · vercel · Mar 18, 2021
1 parent 8b3ba42
commit a75467e
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 12 deletions.
diff --git a/.env.sample b/.env.sample
@@ -2,4 +2,5 @@ GRAPHCMS_MUTATION_TOKEN=
 NEXT_PUBLIC_GRAPHCMS_TOKEN=
 NEXT_PUBLIC_GRAPHCMS_URL=
 NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=
-STRIPE_SECRET_KEY=
+STRIPE_SECRET_KEY=
+STRIPE_WEBHOOK_SIGNING_SECRET=
diff --git a/lib/create-order.js b/lib/create-order.js
@@ -1,5 +1,5 @@
 import graphcmsMutationClient, { gql } from '@/lib/graphcms-mutation-client'
-import Stripe from 'stripe'
+import stripe from '@/lib/stripe-client'
 
 export const createOrderMutation = gql`
   mutation CreateOrderMutation($order: OrderCreateInput!) {
@@ -9,8 +9,6 @@ export const createOrderMutation = gql`
   }
 `
 
-const stripe = new Stripe(process.env.STRIPE_SECRET_KEY)
-
 async function createOrder({ sessionId }) {
   const {
     customer,

diff --git a/lib/stripe-client.js b/lib/stripe-client.js
@@ -0,0 +1,3 @@
+import Stripe from 'stripe'
+
+export default new Stripe(process.env.STRIPE_SECRET_KEY)
diff --git a/lib/stripe-signing-secret.js b/lib/stripe-signing-secret.js
@@ -0,0 +1,25 @@
+import stripe from '@/lib/stripe-client'
+
+const stripeSigningSecret = (handler) => async (req, res) => {
+  const chunks = []
+
+  for await (const chunk of req) {
+    chunks.push(typeof chunk === 'string' ? Buffer.from(chunk) : chunk)
+  }
+
+  let event
+
+  try {
+    event = stripe.webhooks.constructEvent(
+      Buffer.concat(chunks),
+      req.headers['stripe-signature'],
+      process.env.STRIPE_WEBHOOK_SIGNING_SECRET
+    )
+  } catch (err) {
+    return res.status(400).json({ message: err.message })
+  }
+
+  return handler(req, res, event)
+}
+
+export default stripeSigningSecret
diff --git a/pages/api/stripe/create-checkout-session.js b/pages/api/stripe/create-checkout-session.js
@@ -1,9 +1,7 @@
-import Stripe from 'stripe'
-
 import graphcmsClient, { gql } from '@/lib/graphcms-client'
+import stripe from '@/lib/stripe-client'
 
 export default async (req, res) => {
-  const stripe = new Stripe(process.env.STRIPE_SECRET_KEY)
   try {
     const { currency, items, locale, success_url, ...rest } = req.body
 

diff --git a/pages/api/stripe/webhook.js b/pages/api/stripe/webhook.js
@@ -1,17 +1,24 @@
 import createOrder from '@/lib/create-order'
+import stripeSigningSecret from '@/lib/stripe-signing-secret'
 
-export default async (req, res) => {
+export const config = {
+  api: {
+    bodyParser: false
+  }
+}
+
+const handler = async (req, res, event) => {
   const permittedEvents = ['checkout.session.completed']
 
   if (req.method === 'POST') {
-    if (permittedEvents.includes(req.body.type)) {
+    if (permittedEvents.includes(event.type)) {
       try {
-        switch (req.body.type) {
+        switch (event.type) {
           case 'checkout.session.completed':
-            await createOrder({ sessionId: req.body.data.object.id })
+            await createOrder({ sessionId: event.data.object.id })
             break
           default:
-            throw new Error(`Unhandled event: ${req.body.type}`)
+            throw new Error(`Unhandled event: ${event.type}`)
         }
       } catch (error) {
         res.status(500).json({ message: 'Unknown event' })
@@ -23,3 +30,5 @@ export default async (req, res) => {
     res.status(405).json({ message: 'Method not allowed' })
   }
 }
+
+export default stripeSigningSecret(handler)