Edit File by line

<?php

[0] Fix | Delete

[1] Fix | Delete

namespace WPForms\Vendor\Stripe;

[2] Fix | Delete

[3] Fix | Delete

abstract class WebhookSignature

[4] Fix | Delete

{

[5] Fix | Delete

const EXPECTED_SCHEME = 'v1';

[6] Fix | Delete

/**

[7] Fix | Delete

* Verifies the signature header sent by Stripe. Throws an

[8] Fix | Delete

* Exception\SignatureVerificationException exception if the verification fails for

[9] Fix | Delete

* any reason.

[10] Fix | Delete

[11] Fix | Delete

* @param string $payload the payload sent by Stripe

[12] Fix | Delete

* @param string $header the contents of the signature header sent by

[13] Fix | Delete

* Stripe

[14] Fix | Delete

* @param string $secret secret used to generate the signature

[15] Fix | Delete

* @param int $tolerance maximum difference allowed between the header's

[16] Fix | Delete

* timestamp and the current time

[17] Fix | Delete

[18] Fix | Delete

* @throws Exception\SignatureVerificationException if the verification fails

[19] Fix | Delete

[20] Fix | Delete

* @return bool

[21] Fix | Delete

[22] Fix | Delete

public static function verifyHeader($payload, $header, $secret, $tolerance = null)

[23] Fix | Delete

{

[24] Fix | Delete

// Extract timestamp and signatures from header

[25] Fix | Delete

$timestamp = self::getTimestamp($header);

[26] Fix | Delete

$signatures = self::getSignatures($header, self::EXPECTED_SCHEME);

[27] Fix | Delete

if (-1 === $timestamp) {

[28] Fix | Delete

throw Exception\SignatureVerificationException::factory('Unable to extract timestamp and signatures from header', $payload, $header);

[29] Fix | Delete

}

[30] Fix | Delete

if (empty($signatures)) {

[31] Fix | Delete

throw Exception\SignatureVerificationException::factory('No signatures found with expected scheme', $payload, $header);

[32] Fix | Delete

}

[33] Fix | Delete

// Check if expected signature is found in list of signatures from

[34] Fix | Delete

// header

[35] Fix | Delete

$signedPayload = "{$timestamp}.{$payload}";

[36] Fix | Delete

$expectedSignature = self::computeSignature($signedPayload, $secret);

[37] Fix | Delete

$signatureFound = \false;

[38] Fix | Delete

foreach ($signatures as $signature) {

[39] Fix | Delete

if (Util\Util::secureCompare($expectedSignature, $signature)) {

[40] Fix | Delete

$signatureFound = \true;

[41] Fix | Delete

break;

[42] Fix | Delete

}

[43] Fix | Delete

}

[44] Fix | Delete

if (!$signatureFound) {

[45] Fix | Delete

throw Exception\SignatureVerificationException::factory('No signatures found matching the expected signature for payload', $payload, $header);

[46] Fix | Delete

}

[47] Fix | Delete

// Check if timestamp is within tolerance

[48] Fix | Delete

if ($tolerance > 0 && \abs(\time() - $timestamp) > $tolerance) {

[49] Fix | Delete

throw Exception\SignatureVerificationException::factory('Timestamp outside the tolerance zone', $payload, $header);

[50] Fix | Delete

}

[51] Fix | Delete

return \true;

[52] Fix | Delete

}

[53] Fix | Delete

/**

[54] Fix | Delete

* Extracts the timestamp in a signature header.

[55] Fix | Delete

[56] Fix | Delete

* @param string $header the signature header

[57] Fix | Delete

[58] Fix | Delete

* @return int the timestamp contained in the header, or -1 if no valid

[59] Fix | Delete

* timestamp is found

[60] Fix | Delete

[61] Fix | Delete

private static function getTimestamp($header)

[62] Fix | Delete

{

[63] Fix | Delete

$items = \explode(',', $header);

[64] Fix | Delete

foreach ($items as $item) {

[65] Fix | Delete

$itemParts = \explode('=', $item, 2);

[66] Fix | Delete

if ('t' === $itemParts[0]) {

[67] Fix | Delete

if (!\is_numeric($itemParts[1])) {

[68] Fix | Delete

return -1;

[69] Fix | Delete

}

[70] Fix | Delete

return (int) $itemParts[1];

[71] Fix | Delete

}

[72] Fix | Delete

}

[73] Fix | Delete

return -1;

[74] Fix | Delete

}

[75] Fix | Delete

/**

[76] Fix | Delete

* Extracts the signatures matching a given scheme in a signature header.

[77] Fix | Delete

[78] Fix | Delete

* @param string $header the signature header

[79] Fix | Delete

* @param string $scheme the signature scheme to look for

[80] Fix | Delete

[81] Fix | Delete

* @return array the list of signatures matching the provided scheme

[82] Fix | Delete

[83] Fix | Delete

private static function getSignatures($header, $scheme)

[84] Fix | Delete

{

[85] Fix | Delete

$signatures = [];

[86] Fix | Delete

$items = \explode(',', $header);

[87] Fix | Delete

foreach ($items as $item) {

[88] Fix | Delete

$itemParts = \explode('=', $item, 2);

[89] Fix | Delete

if (\trim($itemParts[0]) === $scheme) {

[90] Fix | Delete

$signatures[] = $itemParts[1];

[91] Fix | Delete

}

[92] Fix | Delete

}

[93] Fix | Delete

return $signatures;

[94] Fix | Delete

}

[95] Fix | Delete

/**

[96] Fix | Delete

* Computes the signature for a given payload and secret.

[97] Fix | Delete

[98] Fix | Delete

* The current scheme used by Stripe ("v1") is HMAC/SHA-256.

[99] Fix | Delete

[100] Fix | Delete

* @param string $payload the payload to sign

[101] Fix | Delete

* @param string $secret the secret used to generate the signature

[102] Fix | Delete

[103] Fix | Delete

* @return string the signature as a string

[104] Fix | Delete

[105] Fix | Delete

private static function computeSignature($payload, $secret)

[106] Fix | Delete

{

[107] Fix | Delete

return \hash_hmac('sha256', $payload, $secret);

[108] Fix | Delete

}

[109] Fix | Delete

}

[110] Fix | Delete

[111] Fix | Delete