feat: verify signature on webhook (#21872)

erpnext/non_profit/doctype/membership/membership.py

@@ -64,9 +64,21 @@ def get_member_based_on_subscription(subscription_id, email):
 				}, order_by="creation desc")
 	return frappe.get_doc("Member", members[0]['name'])
 
+def verify_signature(data):
+	signature = frappe.request.headers.get('X-Razorpay-Signature')
+
+	settings = frappe.get_doc("Membership Settings")
+	key = settings.get_webhook_secret()
+
+	controller = frappe.get_doc("Razorpay Settings")
+
+	controller.verify_signature(data, signature, key)
+
+
 @frappe.whitelist(allow_guest=True)
 def trigger_razorpay_subscription(*args, **kwargs):
 	data = frappe.request.get_data()
+	verify_signature(data):
 
 	if isinstance(data, six.string_types):
 		data = json.loads(data)
@@ -113,7 +125,6 @@ def trigger_razorpay_subscription(*args, **kwargs):
 	return True
 
 
-
 def notify_failure(log):
 	try:
 		content = """Dear System Manager,

erpnext/non_profit/doctype/membership_settings/membership_settings.js

@@ -1,8 +1,30 @@
 // Copyright (c) 2020, Frappe Technologies Pvt. Ltd. and contributors
 // For license information, please see license.txt
 
-frappe.ui.form.on('Membership Settings', {
+frappe.ui.form.on("Membership Settings", {
 	refresh: function(frm) {
+		if (frm.doc.webhook_secret) {
+			frm.add_custom_button(__("Revoke <Key></Key>"), () => {
+				frm.call("revoke_key").then(() => {
+					frm.refresh();
+				})
+			});
+		}
+		frm.trigger("add_generate_button");
+	},
 
-	}
+	add_generate_button: function(frm) {
+		let label;
+
+		if (frm.doc.webhook_secret) {
+			label = __("Regenerate Webhook Secret");
+		} else {
+			label = __("Generate Webhook Secret");
+		}
+		frm.add_custom_button(label, () => {
+			frm.call("generate_webhook_key").then(() => {
+				frm.refresh();
+			});
+		});
+	},
 });

erpnext/non_profit/doctype/membership_settings/membership_settings.json

@@ -8,7 +8,8 @@
   "enable_razorpay",
   "razorpay_settings_section",
   "billing_cycle",
-  "billing_frequency"
+  "billing_frequency",
+  "webhook_secret"
  ],
  "fields": [
   {
@@ -34,11 +35,17 @@
    "fieldname": "billing_frequency",
    "fieldtype": "Int",
    "label": "Billing Frequency"
+  },
+  {
+   "fieldname": "webhook_secret",
+   "fieldtype": "Password",
+   "label": "Webhook Secret",
+   "read_only": 1
   }
  ],
  "issingle": 1,
  "links": [],
- "modified": "2020-04-07 18:42:51.496807",
+ "modified": "2020-05-22 12:38:27.103759",
  "modified_by": "Administrator",
  "module": "Non Profit",
  "name": "Membership Settings",

erpnext/non_profit/doctype/membership_settings/membership_settings.py

@@ -4,11 +4,27 @@
 
 from __future__ import unicode_literals
 import frappe
+from frappe import _
 from frappe.integrations.utils import get_payment_gateway_controller
 from frappe.model.document import Document
 
 class MembershipSettings(Document):
-	pass
+	def generate_webhook_key(self):
+		key = frappe.generate_hash(length=20)
+		self.webhook_secret = key
+		self.save()
+
+		frappe.msgprint(
+			_("Here is your webhook secret, this will be shown to you only once.") + "<br><br>" + key,
+			_("Webhook Secret")
+		);
+
+	def revoke_key(self):
+		self.webhook_secret = None;
+		self.save()
+
+	def get_webhook_secret(self):
+		return self.get_password(fieldname="webhook_secret", raise_exception=False)
 
 @frappe.whitelist()
 def get_plans_for_membership(*args, **kwargs):