Skip to content

Automated Payment Events: Stripe #5908

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
simon-id wants to merge 55 commits into
base: main
Choose a base branch
from
Open

Automated Payment Events: Stripe #5908

simon-id wants to merge 55 commits into from

Conversation

@simon-id
Copy link
Member

@simon-id simon-id commented Dec 23, 2025
edited
Loading

Add tests for the new Automated Payment Events feature for the Stripe SDK. Added on the RASP scenario because it needs to mock the Stripe API, and i'm reusing the internal_server container as a mock. It also includes hardcoded rules copied from this PR: https://github.com/DataDog/appsec-event-rules/pull/264
Also includes the Node.js weblog update.
[RFC link]

@simon-id simon-id self-assigned this Dec 23, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 23, 2025
edited
Loading

CODEOWNERS have been resolved as:

tests/appsec/test_automated_payment_events.py                           @DataDog/asm-libraries @DataDog/system-tests-core
utils/build/docker/nodejs/express/stripe.js                             @DataDog/dd-trace-js @DataDog/system-tests-core
docs/weblog/README.md                                                   @DataDog/system-tests-core
manifests/cpp_nginx.yml                                                 @DataDog/system-tests-core
manifests/dotnet.yml                                                    @DataDog/apm-dotnet @DataDog/asm-dotnet
manifests/golang.yml                                                    @DataDog/dd-trace-go-guild
manifests/java.yml                                                      @DataDog/asm-java @DataDog/apm-java
manifests/nodejs.yml                                                    @DataDog/dd-trace-js
manifests/php.yml                                                       @DataDog/apm-php @DataDog/asm-php
manifests/python.yml                                                    @DataDog/apm-python @DataDog/asm-python
manifests/ruby.yml                                                      @DataDog/ruby-guild @DataDog/asm-ruby
tests/appsec/rasp/rasp_ruleset.json                                     @DataDog/asm-libraries @DataDog/system-tests-core
utils/_features.py                                                      @DataDog/system-tests-core
utils/build/docker/internal_server/app.py                               @DataDog/system-tests-core
utils/build/docker/nodejs/express/app.js                                @DataDog/dd-trace-js @DataDog/system-tests-core
utils/build/docker/nodejs/express/package-lock.json                     @DataDog/dd-trace-js @DataDog/system-tests-core
utils/build/docker/nodejs/express/package.json                          @DataDog/dd-trace-js @DataDog/system-tests-core

simon-id
simon-id commented Dec 28, 2025
View reviewed changes
@simon-id simon-id changed the title Stripe Payment Events tests Automated Payment Events: Stripe Dec 29, 2025
@simon-id simon-id changed the title Automated Payment Events: Stripe test: Automated Payment Events: Stripe Dec 29, 2025
@simon-id simon-id marked this pull request as ready for review January 2, 2026 09:30
@simon-id simon-id requested review from a team as code owners January 2, 2026 09:30
@simon-id simon-id requested review from claponcet, mabdinur, manuel-alvarez-alvarez and wantsui and removed request for a team January 2, 2026 09:30
cbeauchesne
cbeauchesne reviewed Jan 5, 2026
View reviewed changes
tests/appsec/test_automated_payment_events.py Outdated


def make_webhook_request(data: dict, secret: bytes = WEBHOOK_SECRET):
timestamp = int(time.time())
Copy link
Collaborator

@cbeauchesne cbeauchesne Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need a mutable value for this ? If it's only about getting different payload, would it be possible to use an incrementor instead ?

Copy link
Member Author

@simon-id simon-id Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you mean for the time ? it's how the Stripe API signs its webhook payloads, it's made so you can't replay an event in the future, the signed payload is only valid around the time it was signed. This is how the Stripe API behave, I just mirrored the logic, and I think we should keep it.
If you worry it will be flaky, we can always adjust the time offset tolerance config in the libraries

Copy link
Collaborator

@cbeauchesne cbeauchesne Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nah, that's fine. We'll consider that iif it turns out to be flaky.

Do you mind just adding a small comment explaining this ?

Copy link
Member Author

@simon-id simon-id Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
timestamp = int(time.time())
timestamp = int(time.time()) # the stripe backend signs the payload with a timestamp for security reasons

Copy link
Member Author

@simon-id simon-id Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like that ? 39a766d (#5908)

cbeauchesne
cbeauchesne approved these changes Jan 5, 2026
View reviewed changes
Copy link
Collaborator

@cbeauchesne cbeauchesne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a small non blocking comment, the rest is AGTM !

@cbeauchesne
Copy link
Collaborator

cbeauchesne commented Jan 7, 2026

Updating the PR to fix CI issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cbeauchesne cbeauchesne cbeauchesne approved these changes

@florentinl florentinl florentinl approved these changes

@wantsui wantsui Awaiting requested review from wantsui wantsui is a code owner automatically assigned from DataDog/apm-python

@mabdinur mabdinur Awaiting requested review from mabdinur mabdinur is a code owner automatically assigned from DataDog/apm-python

@manuel-alvarez-alvarez manuel-alvarez-alvarez Awaiting requested review from manuel-alvarez-alvarez manuel-alvarez-alvarez is a code owner automatically assigned from DataDog/asm-java

@claponcet claponcet Awaiting requested review from claponcet claponcet is a code owner automatically assigned from DataDog/asm-java

Assignees

@simon-id simon-id

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@simon-id @cbeauchesne @florentinl