Support multi tenant secrets #139
Comments
I'm considering using the gem so I haven't tested it myself yet, but from what I understand it depends on what we call a "multi tenant environment". In the gem, you'll need to set ALL the signing keys in the configuration:

```ruby
StripeEvent.signing_secrets = [
  ENV['STRIPE_LEGACY_ACCOUNT_SIGNING_SECRET'],
  ENV['STRIPE_ACCOUNT_2_SIGNING_SECRET'],
  ENV['STRIPE_ACCOUNT_3_SIGNING_SECRET'],
]
```

The gem will test all secrets when receiving a webhook.

stripe_event/app/controllers/stripe_event/webhook_controller.rb
Lines 22 to 29 in 9601d96
1️⃣ It's great if "multi tenant" means:
2️⃣ It's definitely not suitable if multi tenant means "I have thousands of users and they all use THEIR Stripe accounts". For performance for sure, but it could even be a security issue 🤔 My understanding is that you need the second case but this gem only supports the first one.
Should this be closed? I would assume that this is a non-standard practice.
This chapter https://github.com/integrallis/stripe_event#configuration reads as if there is a possibility to configure secrets in a multi tenant environment.
However
stripe_event/app/controllers/stripe_event/webhook_controller.rb
Line 33 in 9601d96
stripe_event/lib/stripe_event.rb
Line 8 in 9601d96
pretty much look like a static interface for the secret configuration.
Is such an interface like:
a valid user story for the gem?
Otherwise I see no other chance than overwriting the
stripe_event/app/controllers/stripe_event/webhook_controller.rb
Line 32 in 9601d96
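
An added example, not code from stripe_event or from anyone in this thread: it contrasts checking a delivery against every configured secret, as the comment above describes, with checking it only against the secret of the tenant it was delivered for, as the issue asks. The header format and HMAC construction follow Stripe's documented `v1` webhook signature scheme; `TENANT_SECRETS`, the tenant ids and all helper names are hypothetical, and the secrets are constructed.

```ruby
require 'openssl'

# Constructed sample secrets; a real app would load these from a per-tenant store.
TENANT_SECRETS = {
  'tenant_a' => 'whsec_constructed_a',
  'tenant_b' => 'whsec_constructed_b'
}.freeze
TOLERANCE = 300 # maximum accepted age of a signature, in seconds

# Build a header in Stripe's format: t=<unix time>,v1=<hex HMAC-SHA256 of "t.payload">.
def sign(payload, secret, timestamp)
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{payload}")
  "t=#{timestamp},v1=#{mac}"
end

# Constant-time string comparison, so timing does not leak how many bytes matched.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify one header against one secret, rejecting malformed or stale timestamps.
def valid_signature?(payload, header, secret, now: Time.now.to_i)
  parts = header.to_s.split(',').map { |kv| kv.split('=', 2) }
  timestamp = parts.find { |k, _| k == 't' }&.last
  candidates = parts.select { |k, _| k == 'v1' }.map(&:last)
  return false if timestamp.nil? || !timestamp.match?(/\A\d+\z/)
  return false if (now - timestamp.to_i).abs > TOLERANCE

  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{payload}")
  candidates.any? { |sig| secure_eq?(sig.to_s, expected) }
end

# Static list: a signature made with any configured secret passes for any delivery.
def verify_any(payload, header, now: Time.now.to_i)
  TENANT_SECRETS.values.any? { |s| valid_signature?(payload, header, s, now: now) }
end

# Per-tenant lookup: only the secret bound to the receiving tenant is tried.
def verify_for_tenant(tenant_id, payload, header, now: Time.now.to_i)
  secret = TENANT_SECRETS[tenant_id]
  !secret.nil? && valid_signature?(payload, header, secret, now: now)
end
```

With the static list, a payload signed with `tenant_b`'s secret verifies no matter which tenant it is attributed to; the per-tenant lookup rejects it for `tenant_a` and costs one HMAC per request instead of one per configured secret.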