Created
March 10, 2024 14:06
Paddle.com webhook verification (PHP)
<?php
// https://developer.paddle.com/webhooks/signature-verification shows code using a `Verifier` class
// to check that the message from Paddle is authentic.
// Sadly, it doesn't explain where the value for the `$request` variable comes from. It seems you need to use
// the PSR framework for that, but I was unable to find a way to use it for getting the data for the POST
// I am handling in my webhook handler.
// Fortunately, I was able to resolve this by looking into the code of the Verifier class from the SDK.
// Here's a version that does not rely on PSR. You still have to install Paddle's PHP SDK, though,
// see https://github.com/PaddleHQ/paddle-php-sdk/

require_once 'vendor/autoload.php'; // the path to your vendor dir created with "composer" tool

use Paddle\SDK\Notifications\Secret;
use Paddle\SDK\Notifications\PaddleSignature;

// Secret keys of the notification destinations; all of them are passed to verify() below
$secrets = array();
$secrets[] = new Secret("pdl_nt…"); // sandbox key
$secrets[] = new Secret("pdl_nt……"); // production key

// A request without the Paddle-Signature header cannot be verified at all
if (!isset($_SERVER['HTTP_PADDLE_SIGNATURE'])) {
    http_response_code(400);
    die(1);
}
$signatureData = $_SERVER['HTTP_PADDLE_SIGNATURE'];
$signature = PaddleSignature::parse($signatureData);

// Reject messages whose signed timestamp is more than 6 seconds old (limits replay of captured requests)
if (\time() > $signature->timestamp + 6) {
    http_response_code(400);
    die(1);
}

// Verify against the raw request body, byte for byte as it was received
$rawinput = file_get_contents('php://input');
$valid = $signature->verify($rawinput, ...$secrets);
if ($valid !== true) {
    http_response_code(403); // without this, die() would still answer with status 200
    die(1);
}
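
The verification scheme from the linked Paddle documentation, written out without the SDK as an added example (not part of the original gist and not Paddle's code). It assumes a `ts=…;h1=…` header whose `h1` value is the hex HMAC-SHA256 of `ts:body` under the secret key; the function name, secret and payload are constructed for illustration.

```php
<?php
// Added example: hand-written check, hypothetical function name, constructed sample data.

function verifyPaddleSignature(string $header, string $rawBody, array $secrets,
                               int $maxAgeSeconds = 5, ?int $now = null): bool
{
    $ts = null;
    $hashes = [];
    foreach (explode(';', $header) as $part) {
        $kv = explode('=', $part, 2);
        if (count($kv) !== 2) {
            return false;                       // malformed header component
        }
        if ($kv[0] === 'ts') {
            $ts = $kv[1];
        } elseif ($kv[0] === 'h1') {
            $hashes[] = $kv[1];                 // keep every h1 value that is present
        }
    }
    if ($ts === null || !ctype_digit($ts) || $hashes === []) {
        return false;                           // missing or non-numeric timestamp, or no signature
    }

    // Replay protection: the timestamp is part of the signed data, so it cannot be refreshed
    $now = $now ?? time();
    if ($now > (int) $ts + $maxAgeSeconds) {
        return false;
    }

    // Accept if any configured secret (e.g. sandbox and production) reproduces a signature
    foreach ($secrets as $secret) {
        $expected = hash_hmac('sha256', $ts . ':' . $rawBody, $secret);
        foreach ($hashes as $candidate) {
            if (hash_equals($expected, $candidate)) {   // constant-time comparison
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: a body signed with a made-up secret at a fixed time
$secret = 'constructed-secret-not-a-real-key';
$body   = '{"event_type":"transaction.completed"}';
$ts     = '1710079560';
$header = "ts=$ts;h1=" . hash_hmac('sha256', "$ts:$body", $secret);

var_dump(verifyPaddleSignature($header, $body, ['other-key', $secret], 5, 1710079562)); // fresh, untouched
var_dump(verifyPaddleSignature($header, $body . ' ', [$secret], 5, 1710079562));        // body altered
var_dump(verifyPaddleSignature($header, $body, [$secret], 5, 1710079600));              // replayed 40 s later
```

Only the first call passes. The second shows why the body must come from `php://input` rather than from re-encoded JSON: a single changed byte changes the HMAC.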