From ae8da03c3c1d1a8f603c43b50f980cdc2712565b Mon Sep 17 00:00:00 2001
From: Mark Veidemanis
Date: Thu, 21 Jul 2022 13:48:56 +0100
Subject: [PATCH] Verify Stripe callbacks

---
 core/views.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/core/views.py b/core/views.py
index e4d3d83..cb3e573 100644
--- a/core/views.py
+++ b/core/views.py
@@ -4,10 +4,11 @@ from datetime import datetime
 import stripe
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
-from django.http import JsonResponse
+from django.http import HttpResponse, JsonResponse
 from django.shortcuts import redirect, render
 from django.urls import reverse, reverse_lazy
 from django.views import View
+from django.views.decorators.csrf import csrf_exempt
 from django.views.generic.edit import CreateView
 from rest_framework.parsers import JSONParser
 from rest_framework.views import APIView
@@ -74,7 +75,22 @@ class Portal(LoginRequiredMixin, View):
 class Callback(APIView):
     parser_classes = [JSONParser]
 
+    @csrf_exempt
     def post(self, request):
+        payload = request.body
+        sig_header = request.META["HTTP_STRIPE_SIGNATURE"]
+
+        try:
+            stripe.Webhook.construct_event(
+                payload, sig_header, settings.STRIPE_ENDPOINT_SECRET
+            )
+        except ValueError:
+            # Invalid payload
+            return HttpResponse(status=400)
+        except stripe.error.SignatureVerificationError:
+            # Invalid signature
+            return HttpResponse(status=400)
+
         pp.pprint(request.data)
         if request.data is None:
             return JsonResponse({"success": False}, status=500)
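Review bot: A POST without a Stripe-Signature header raises KeyError on `request.META["HTTP_STRIPE_SIGNATURE"]` and surfaces as an unhandled 500 rather than the 400 the verification branch intends, so an unsigned request is not rejected by the same path as a badly signed one; `sig_header = request.META.get("HTTP_STRIPE_SIGNATURE")` followed by `if sig_header is None:` / `return HttpResponse(status=400)` closes that gap. The `@csrf_exempt` on `post` is, as far as I can tell, a no-op: Django applies that decorator to the view callable (the `dispatch` method, via `method_decorator`) rather than to an HTTP-method handler, and DRF's `APIView.as_view()` already wraps the view in `csrf_exempt`, so the line and its import can be dropped. Since both `except` arms return the same 400 response they could be merged into one `except (ValueError, stripe.error.SignatureVerificationError):` with a single comment, and the verified event returned by `construct_event` is discarded while the handler continues on `request.data`; binding it as `event = stripe.Webhook.construct_event(...)` and handling that object keeps the processed data tied to what was actually verified. The body of `post` continues past the end of the hunk.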