Merge pull request #323 from spatie/fix/paddle-webhook-validation

Add Paddle webhook validation

app/Http/Controllers/WebhookController.php

@@ -2,7 +2,11 @@
 
 namespace App\Http\Controllers;
 
+use App\Models\User;
 use App\Support\Paddle\ProcessPaymentSucceededJob;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\Relation;
+use Laravel\Paddle\Exceptions\InvalidPassthroughPayload;
 use Laravel\Paddle\Http\Controllers\WebhookController as CashierWebhookController;
 
 class WebhookController extends CashierWebhookController
@@ -18,4 +22,18 @@ public function handlePaymentSucceeded($payload): void
 
         dispatch(new ProcessPaymentSucceededJob($payload));
     }
+
+    protected function findOrCreateCustomer(string $passthrough)
+    {
+        $passthrough = json_decode($passthrough, true);
+
+        $morphAlias = Relation::getMorphAlias(User::class);
+
+        // The passthrough data comes from the shop front-end. We cannot trust it.
+        if (! is_array($passthrough) || $passthrough['billable_type'] !== $morphAlias) {
+            throw new InvalidPassthroughPayload;
+        }
+
+        return parent::findOrCreateCustomer($passthrough);
+    }
 }

app/Support/Paddle/ProcessPaymentSucceededJob.php

@@ -3,7 +3,6 @@
 namespace App\Support\Paddle;
 
 use App\Domain\Shop\Actions\HandlePurchaseAction;
-use App\Domain\Shop\Exceptions\CouldNotHandlePaymentSucceeded;
 use App\Domain\Shop\Models\Bundle;
 use App\Domain\Shop\Models\Purchasable;
 use App\Domain\Shop\Models\Purchase;
@@ -50,9 +49,7 @@ public function handle()
             return;
         }
 
-        if (! $user = (new $passthrough['billable_type']())->find($passthrough['billable_id'])) {
-            throw CouldNotHandlePaymentSucceeded::userNotFound($this->payload);
-        }
+        $user = $receipt->billable;
 
         if ($purchasable) {
             $purchaseForPurchasable = Purchase::where('user_id', $user->id)