From fd5b4f91f93997c2246d66c07e7cf62a3f715244 Mon Sep 17 00:00:00 2001
From: Son NK
Date: Sat, 14 Dec 2019 21:19:46 +0200
Subject: [PATCH] return 400 in paddle callback if verification fails

---
 server.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index 86e5cf1d..4a32f5c4 100644
--- a/server.py
+++ b/server.py
@@ -10,6 +10,7 @@
 from flask_debugtoolbar import DebugToolbarExtension
 from flask_login import current_user
 from sentry_sdk.integrations.flask import FlaskIntegration
+from app import paddle_utils
 from app.admin_model import SLModelView, SLAdminIndexView
 from app.api.base import api_bp
 from app.auth.base import auth_bp
@@ -277,7 +278,13 @@ def setup_paddle_callback(app: Flask):
 request.form.get("subscription_id"),
 request.form.get("subscription_plan_id"),
 )
- LOG.debug("paddle full request %s", request.form)
+
+ # make sure the request comes from Paddle
+ if not paddle_utils.verify_incoming_request(dict(request.form)):
+ LOG.error(
+ "request not coming from paddle. Request data:%s", dict(request.form)
+ )
+ return "KO", 400
 
 if (
 request.form.get("alert_name") == "subscription_created"
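Review bot: `dict(request.form)` is built twice in the new guard, and because `request.form` is a Werkzeug MultiDict the result of `dict()` on it is version-dependent (first value per key vs. a list per key), which silently changes the data `verify_incoming_request` checks the signature over; bind it once with the explicit form, `form = request.form.to_dict()`, before the `if` and pass `form` to both the verification call and the log. The failure branch logs the entire unverified form at ERROR level, which for Paddle alerts typically carries the subscriber email and other payload fields, so logging only `alert_name` plus the two subscription ids already logged above would keep unverified, caller-controlled input out of the error log. The comment would be more useful if it named what the check rests on, e.g. `# reject alerts whose signature does not verify (see paddle_utils.verify_incoming_request)` — the verification scheme itself lives outside this hunk and should be confirmed there. The enclosing handler inside setup_paddle_callback starts and ends outside the hunk.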