Validate PayPal webhooks using Python

October 01, 2024503 words, posted in django and python

One of my clients uses PayPal to accept payments for their webshop, and we wanted to implement PayPal’s webhooks to automatically deal with reversed payments, among other things.

Paypal’s documentation is pretty good: there’s the Overview of how to subscribe to webhooks, and the Integration guide explains how to validate that the request really comes from PayPal. Sadly the only example they’ve given uses JavaScript, and of course we’re interested in a Python version.

Below you can find a basic webhook view which handles the validation using the self-verification method rather than the postback method (which needs to make an extra request on every received webhook event, no thanks). This example is written for Django, but the validation logic is of course completely independent from Django and can be used anywhere.

import base64
import zlib

import requests
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from django.conf import settings
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView

from .models import KeyValueCache


class PayPalWebhookView(APIView):
    def get_certificate(self, url):
        try:
            cache = KeyValueCache.objects.get(key=url)
            return cache.value
        except KeyValueCache.DoesNotExist:
            r = requests.get(url)
            KeyValueCache.objects.create(key=url, value=r.text)
            return r.text

    def post(self, request, *args, **kwargs):
        body = request.body

        # Create the validation message
        transmission_id = request.headers.get("paypal-transmission-id")
        timestamp = request.headers.get("paypal-transmission-time")
        crc = zlib.crc32(body)
        webhook_id = settings.PAYPAL_WEBHOOK_ID
        message = f"{transmission_id}|{timestamp}|{webhook_id}|{crc}"

        # Decode the base64-encoded signature from the header
        signature = base64.b64decode(request.headers.get("paypal-transmission-sig"))

        # Load the certificate and extract the public key
        certificate = self.get_certificate(request.headers.get("paypal-cert-url"))
        cert = x509.load_pem_x509_certificate(certificate.encode("utf-8"), default_backend())
        public_key = cert.public_key()

        # Validate the message using the signature
        try:
            public_key.verify(signature, message.encode("utf-8"), padding.PKCS1v15(), hashes.SHA256())
        except Exception:
            # Validation failed, exit
            return Response(status=status.HTTP_400_BAD_REQUEST)

        # Validation succeeded! 
        # Now you can inspect the webhook payload (request.data)
        # and handle each event (request.data.get("event_type"))

        return Response(status=status.HTTP_200_OK)

The webhook ID (settings.PAYPAL_WEBHOOK_ID) you get when you edit your PayPal app and add the webhook URL. It’s not part of the webhook payload. I store mine in an .env file which I read in my settings.py file.

I also use an extremely simple cache model to store the certificate:

class KeyValueCache(models.Model):
    key = models.CharField(max_length=255, unique=True)
    value = models.TextField()

It just makes sure that we don’t download the certificate file with every webhook event. You could use Redis or write it to disk or whatever else you want, but I chose a simple Django model.