StripeManaged.Webhook (StripeManaged v0.1.0)

Webhook signature verification and event construction.

Stripe signs webhook payloads with HMAC-SHA256. Always verify signatures before processing events.

Phoenix integration

# In your endpoint.ex, add a raw body parser for the webhook route:
plug Plug.Parsers,
  parsers: [:urlencoded, :multipart, :json],
  pass: ["*/*"],
  body_reader: {CacheBodyReader, :read_body, []},
  json_decoder: Jason

# In your controller:
def webhook(conn, _params) do
  payload = conn.assigns.raw_body
  signature = get_req_header(conn, "stripe-signature") |> List.first()

  case StripeManaged.Webhook.construct_event(payload, signature) do
    {:ok, event} -> handle_event(event)
    {:error, msg} -> send_resp(conn, 400, msg)
  end
end

Summary

Functions

construct_event(payload, signature, opts \\ [])

Verifies the webhook signature and parses the event payload.

verify(payload, signature, opts \\ [])

Verifies a webhook signature without parsing the payload. Returns :ok or {:error, reason}.

Functions

construct_event(payload, signature, opts \\ [])

@spec construct_event(String.t(), String.t(), keyword()) ::
  {:ok, map()} | {:error, String.t()}

Verifies the webhook signature and parses the event payload.

Returns {:ok, event_map} or {:error, reason}.

Options:

:webhook_secret - override the configured secret
:tolerance - max age in seconds (default: 300)

verify(payload, signature, opts \\ [])

@spec verify(String.t(), String.t(), keyword()) :: :ok | {:error, String.t()}

Verifies a webhook signature without parsing the payload. Returns :ok or {:error, reason}.