fix(Stripe Trigger Node): Add Stripe signature verification

packages/nodes-base/nodes/Stripe/StripeTrigger.node.ts

@@ -1,4 +1,5 @@
 /* eslint-disable n8n-nodes-base/node-param-description-excess-final-period */
+import { createHmac } from 'crypto';
 import type {
 	IDataObject,
 	IHookFunctions,
@@ -948,9 +949,46 @@ export class StripeTrigger implements INodeType {
 	async webhook(this: IWebhookFunctions): Promise<IWebhookResponseData> {
 		const bodyData = this.getBodyData();
 		const req = this.getRequestObject();
+		const headerData = this.getHeaderData();
+		const webhookData = this.getWorkflowStaticData('node');
 
-		const events = this.getNodeParameter('events', []) as string[];
+		const stripeSignature = headerData['stripe-signature'] as string | undefined;
+		if (!stripeSignature) {
+			return {};
+		}
+
+		const webhookSecret = webhookData.webhookSecret as string | undefined;
+		if (!webhookSecret) {
+			return {};
+		}
+
+		const elements = stripeSignature.split(',');
+		let timestamp: string | undefined;
+		let signature: string | undefined;
+
+		for (const element of elements) {
+			if (element.startsWith('t=')) {
+				timestamp = element.substring(2);
+			} else if (element.startsWith('v1=')) {
+				signature = element.substring(3);
+			}
+		}
 
+		if (!timestamp || !signature) {
+			return {};
+		}
+
+		const signedPayload = `${timestamp}.${req.rawBody.toString()}`;
+
+		const expectedSignature = createHmac('sha256', webhookSecret)
+			.update(signedPayload)
+			.digest('hex');
+
+		if (signature !== expectedSignature) {
+			return {};
+		}
+
+		const events = this.getNodeParameter('events', []) as string[];
 		const eventType = bodyData.type as string | undefined;
 
 		if (eventType === undefined || (!events.includes('*') && !events.includes(eventType))) {

packages/nodes-base/nodes/Stripe/__tests__/StripeTrigger.node.test.ts

@@ -1,4 +1,5 @@
-import type { IHookFunctions } from 'n8n-workflow';
+import type { IHookFunctions, IWebhookFunctions } from 'n8n-workflow';
+import { createHmac } from 'crypto';
 
 import { stripeApiRequest } from '../helpers';
 import { StripeTrigger } from '../StripeTrigger.node';
@@ -96,4 +97,170 @@ describe('Stripe Trigger Node', () => {
 		const requestBody = callArgs[2];
 		expect(requestBody).toHaveProperty('api_version', '2025-05-28.basil');
 	});
+
+	describe('webhook signature verification', () => {
+		let mockWebhookFunctions: IWebhookFunctions;
+		const webhookSecret = 'whsec_test123456789';
+		const timestamp = '1234567890';
+		const testBody = { type: 'charge.succeeded', id: 'ch_123' };
+		const rawBody = JSON.stringify(testBody);
+
+		beforeEach(() => {
+			mockWebhookFunctions = {
+				getBodyData: jest.fn().mockReturnValue(testBody),
+				getRequestObject: jest.fn().mockReturnValue({
+					rawBody: Buffer.from(rawBody),
+					body: testBody,
+				}),
+				getHeaderData: jest.fn(),
+				getWorkflowStaticData: jest.fn().mockReturnValue({
+					webhookSecret,
+				}),
+				getNodeParameter: jest.fn().mockReturnValue(['*']),
+				helpers: {
+					returnJsonArray: jest.fn().mockImplementation((data) => [data]),
+				},
+			} as unknown as IWebhookFunctions;
+		});
+
+		function generateValidSignature(timestamp: string, body: string, secret: string): string {
+			const signedPayload = `${timestamp}.${body}`;
+			const signature = createHmac('sha256', secret).update(signedPayload).digest('hex');
+			return `t=${timestamp},v1=${signature}`;
+		}
+
+		it('should process webhook with valid signature', async () => {
+			const validSignature = generateValidSignature(timestamp, rawBody, webhookSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': validSignature,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({
+				workflowData: [[testBody]],
+			});
+		});
+
+		it('should reject webhook with missing signature', async () => {
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with missing webhook secret', async () => {
+			const validSignature = generateValidSignature(timestamp, rawBody, webhookSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': validSignature,
+			});
+			(mockWebhookFunctions.getWorkflowStaticData as jest.Mock).mockReturnValue({});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with invalid signature format', async () => {
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': 'invalid-format',
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with missing timestamp in signature', async () => {
+			const signature = createHmac('sha256', webhookSecret)
+				.update(`${timestamp}.${rawBody}`)
+				.digest('hex');
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': `v1=${signature}`,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with missing v1 signature', async () => {
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': `t=${timestamp}`,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with incorrect signature', async () => {
+			const wrongSecret = 'wrong_secret';
+			const invalidSignature = generateValidSignature(timestamp, rawBody, wrongSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': invalidSignature,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should reject webhook with signature for different body', async () => {
+			const differentBody = JSON.stringify({ type: 'payment_intent.succeeded' });
+			const invalidSignature = generateValidSignature(timestamp, differentBody, webhookSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': invalidSignature,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should handle events filtering correctly', async () => {
+			const validSignature = generateValidSignature(timestamp, rawBody, webhookSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': validSignature,
+			});
+			(mockWebhookFunctions.getNodeParameter as jest.Mock).mockReturnValue([
+				'payment_intent.succeeded',
+			]);
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({});
+		});
+
+		it('should process webhook when event type matches filter', async () => {
+			const validSignature = generateValidSignature(timestamp, rawBody, webhookSecret);
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': validSignature,
+			});
+			(mockWebhookFunctions.getNodeParameter as jest.Mock).mockReturnValue(['charge.succeeded']);
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({
+				workflowData: [[testBody]],
+			});
+		});
+
+		it('should handle complex signature header with multiple elements', async () => {
+			const signature = createHmac('sha256', webhookSecret)
+				.update(`${timestamp}.${rawBody}`)
+				.digest('hex');
+			const complexHeader = `t=${timestamp},v1=${signature},v0=old_signature`;
+			(mockWebhookFunctions.getHeaderData as jest.Mock).mockReturnValue({
+				'stripe-signature': complexHeader,
+			});
+
+			const result = await node.webhook.call(mockWebhookFunctions);
+
+			expect(result).toEqual({
+				workflowData: [[testBody]],
+			});
+		});
+	});
 });