⚠️ Throw an error when using the wrong webhook parsing method (#2190)

* Add errors when parsing the wrong kind of webhooks payload

* fix tests

Author: xavdid-stripe

src/main/java/com/stripe/model/v2/core/EventNotification.java

@@ -93,6 +93,12 @@ public static EventNotification fromJson(String payload, StripeClient client) {
     // don't love the double json parse here, but I don't think we can avoid it?
     JsonObject jsonObject = ApiResource.GSON.fromJson(payload, JsonObject.class).getAsJsonObject();
 
+    if (jsonObject.has("object") && "event".equals(jsonObject.get("object").getAsString())) {
+      throw new IllegalArgumentException(
+          "You passed a webhook payload to StripeClient.parseEventNotification, which expects an event notification."
+              + " Use StripeClient.constructEvent instead.");
+    }
+
     Class<? extends EventNotification> cls =
         EventNotificationClassLookup.eventClassLookup.get(jsonObject.get("type").getAsString());
     if (cls == null) {

src/main/java/com/stripe/net/Webhook.java

@@ -54,8 +54,8 @@ public static Event constructEvent(
 
   /**
    * Returns an Event instance using the provided JSON payload. Throws a JsonSyntaxException if the
-   * payload is not valid JSON, and a SignatureVerificationException if the signature verification
-   * fails for any reason.
+   * payload is not valid JSON, a SignatureVerificationException if the signature verification fails
+   * for any reason, and an IllegalArgumentException if you pass the wrong type of input.
    *
    * @param payload the payload sent by Stripe.
    * @param sigHeader the contents of the signature header sent by Stripe.
@@ -72,6 +72,13 @@ public static Event constructEvent(
     Event event =
         StripeObject.deserializeStripeObject(
             payload, Event.class, ApiResource.getGlobalResponseGetter());
+
+    if ("v2.core.event".equals(event.getObject())) {
+      throw new IllegalArgumentException(
+          "You passed an event notification to Webhook.constructEvent, which expects a webhook payload."
+              + " Use StripeClient.parseEventNotification instead.");
+    }
+
     Signature.verifyHeader(payload, sigHeader, secret, tolerance, clock);
     // StripeObjects source their raw JSON object from their last response, but constructed webhooks
     // don't have that

src/test/java/com/stripe/StripeClientTest.java

@@ -140,7 +140,7 @@ public void checksWebhookSignature()
     StripeClient client = new StripeClient("sk_123");
 
     String payload =
-        "{\n  \"id\": \"evt_test_webhook\",\n \"type\": \"v1.whatever\",\n  \"object\": \"event\"\n}";
+        "{\n  \"id\": \"evt_test_webhook\",\n \"type\": \"v1.whatever\",\n  \"object\": \"v2.core.event\"\n}";
     String secret = "whsec_test_secret";
 
     Map<String, Object> options = new HashMap<>();
@@ -159,7 +159,7 @@ public void failsWebhookVerification()
     StripeClient client = new StripeClient("sk_123");
 
     String payload =
-        "{\n  \"id\": \"evt_test_webhook\",\n \"type\": \"v1.whatever\",\n  \"object\": \"event\"\n}";
+        "{\n  \"id\": \"evt_test_webhook\",\n \"type\": \"v1.whatever\",\n  \"object\": \"v2.core.event\"\n}";
     String secret = "whsec_test_secret";
     String signature = "bad signature";
 
@@ -173,7 +173,7 @@ public void failsWebhookVerification()
   static final String v2EventNotificationWithRelatedObject =
       "{\n"
           + "  \"id\": \"evt_234\",\n"
-          + "  \"object\": \"event\",\n"
+          + "  \"object\": \"v2.core.event\",\n"
           + "  \"type\": \"v1.billing.meter.error_report_triggered\",\n"
           + "  \"livemode\": false,\n"
           + "  \"context\": \"org_123\",\n"
@@ -191,7 +191,7 @@ public void failsWebhookVerification()
   static final String v2EventNotificationWithoutRelatedObject =
       "{\n"
           + "  \"id\": \"evt_234\",\n"
-          + "  \"object\": \"event\",\n"
+          + "  \"object\": \"v2.core.event\",\n"
           + "  \"type\": \"v1.billing.meter.no_meter_found\",\n"
           + "  \"livemode\": false,\n"
           + "  \"created\": \"2022-02-15T00:27:45.330Z\"\n"
@@ -200,7 +200,7 @@ public void failsWebhookVerification()
   static final String v2UnknownEventNotification =
       "{\n"
           + "  \"id\": \"evt_234\",\n"
-          + "  \"object\": \"event\",\n"
+          + "  \"object\": \"v2.core.event\",\n"
           + "  \"type\": \"v1.imaginary_event\",\n"
           + "  \"livemode\": false,\n"
           + "  \"created\": \"2022-02-15T00:27:45.330Z\"\n"
@@ -417,4 +417,28 @@ public void parseEventNotificationAndPull()
       assertEquals("org_123", v.getOptions().getStripeContext());
     }
   }
+
+  @Test
+  public void parseEventNotificationRejectsV1Payload()
+      throws InvalidKeyException, NoSuchAlgorithmException {
+    StripeClient client = new StripeClient("sk_123");
+
+    String payload =
+        "{\n  \"id\": \"evt_test_webhook\",\n  \"object\": \"event\",\n  \"type\": \"charge.succeeded\"\n}";
+    String secret = "whsec_test_secret";
+
+    Map<String, Object> options = new HashMap<>();
+    options.put("payload", payload);
+    options.put("secret", secret);
+
+    String signature = WebhookTest.generateSigHeader(options);
+
+    IllegalArgumentException exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> {
+              client.parseEventNotification(payload, signature, secret);
+            });
+    assertTrue(exception.getMessage().contains("constructEvent"));
+  }
 }

src/test/java/com/stripe/net/WebhookTest.java

@@ -335,4 +335,42 @@ public void testConstructEventWithRawJson()
 
     assertNotNull(event.getRawJsonObject());
   }
+
+  @Test
+  public void testConstructEventRejectsV2Payload()
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    final String v2Payload =
+        "{\n  \"id\": \"evt_test_webhook\",\n  \"object\": \"v2.core.event\"\n}";
+    final Map<String, Object> options = new HashMap<>();
+    options.put("payload", v2Payload);
+    final String sigHeader = generateSigHeader(options);
+
+    Throwable exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> {
+              Webhook.constructEvent(v2Payload, sigHeader, secret);
+            });
+    assertTrue(exception.getMessage().contains("StripeClient.parseEventNotification"));
+  }
+
+  @Test
+  public void testClientConstructEventRejectsV2Payload()
+      throws NoSuchAlgorithmException, InvalidKeyException {
+    StripeClient client = new StripeClient(new LiveStripeResponseGetter());
+
+    final String v2Payload =
+        "{\n  \"id\": \"evt_test_webhook\",\n  \"object\": \"v2.core.event\"\n}";
+    final Map<String, Object> options = new HashMap<>();
+    options.put("payload", v2Payload);
+    final String sigHeader = generateSigHeader(options);
+
+    Throwable exception =
+        assertThrows(
+            IllegalArgumentException.class,
+            () -> {
+              client.constructEvent(v2Payload, sigHeader, secret);
+            });
+    assertTrue(exception.getMessage().contains("StripeClient.parseEventNotification"));
+  }
 }