TrimStrings middleware breaks signature verification - Part 2

Question

TrimStrings middleware breaks signature verification - Part 2

BKirev opened this issue 2 years ago · comments

Cashier Paddle Version: 1.4.8
Laravel Version: 8.49.2
PHP Version: 7.4.3
Database Driver & Version: mysql Ver 8.0.27-0ubuntu0.20.04.1 for Linux on x86_64

Description:

The issue seems to be similar to #120

I've noticed that sometimes webhooks(subscription_payment_succeeded and payment_succeeded) are failing with invalid signature exception. Upon further investigation I've discovered that the only similar thing between them is that the customers have one customer_name - eg. (whitespace)John, instead of John Doe. All such customers have this whitespace.

It looks like this:

(screenshot from Paddle)

I've contacted Paddle's support and reported the issue there as well, as I think it could be something on their side.

My solution:

Adding customer_name to $except in TrimStrings middleware.

Dries Vints · Answer 1 · Tue Feb 01 2022 16:12:24 GMT+0800 (China Standard Time)

I need code to reproduce this.

Bozhidar Kirev · Answer 2 · Tue Feb 01 2022 21:15:26 GMT+0800 (China Standard Time)

I believe you should be able to reproduce it like this from Paddle's webhook alert test page:

Here's what Paddle had to say about having one name only in the customer_name field:

Like mentioned in the OP, I believe the whitespace comes from them, for some reason. They said they'll look into it.

Dries Vints · Answer 3 · Tue Feb 01 2022 22:24:07 GMT+0800 (China Standard Time)

This is something we have no control over. For the reason above specifically, we trim each string value in the payload sent to Paddle to generate the pay link: https://github.com/laravel/cashier-paddle/blob/1.x/src/Concerns/PerformsCharges.php#L77

This is a Paddle limitation that we have no control over, sorry.