From f837c1708e708c674b3d71185c45384f2a3b924e Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Fri, 8 Feb 2019 14:28:36 -0500
Subject: [PATCH] paypal webhook key
---
 src/Billing/BillingSettings.cs | 1 +
 src/Billing/Controllers/PayPalController.cs | 5 +++++
 src/Billing/appsettings.json | 3 ++-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/Billing/BillingSettings.cs b/src/Billing/BillingSettings.cs
index ed7672ed76..f072672afe 100644
--- a/src/Billing/BillingSettings.cs
+++ b/src/Billing/BillingSettings.cs
@@ -14,6 +14,7 @@
 public virtual string ClientId { get; set; }
 public virtual string ClientSecret { get; set; }
 public virtual string WebhookId { get; set; }
+ public virtual string WebhookKey { get; set; }
 }
 }
 }
diff --git a/src/Billing/Controllers/PayPalController.cs b/src/Billing/Controllers/PayPalController.cs
index c5771fa046..2f456b54ea 100644
--- a/src/Billing/Controllers/PayPalController.cs
+++ b/src/Billing/Controllers/PayPalController.cs
@@ -31,6 +31,11 @@ namespace Bit.Billing.Controllers
 [HttpPost("webhook")]
 public async Task PostWebhook([FromQuery] string key)
 {
+ if(key != _billingSettings.PayPal.WebhookKey)
+ {
+ return new BadRequestResult();
+ }
+
 if(HttpContext?.Request == null)
 {
 return new BadRequestResult();
diff --git a/src/Billing/appsettings.json b/src/Billing/appsettings.json
index b07ca558fc..ebd5714491 100644
--- a/src/Billing/appsettings.json
+++ b/src/Billing/appsettings.json
@@ -62,7 +62,8 @@
 "production": false,
 "clientId": "SECRET",
 "clientSecret": "SECRET",
- "webhookId": "SECRET"
+ "webhookId": "SECRET",
+ "webhookKey": "SECRET"
 }
 }
 }
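Review bot: In src/Billing/Controllers/PayPalController.cs, the new guard at the top of PostWebhook fails open when the setting is absent: if `_billingSettings.PayPal.WebhookKey` binds to null, a request that carries no `key` query parameter compares null with null and passes the check. The guard should reject a null or blank configured key outright, and the comparison itself should be constant-time rather than `!=`; the sketch below assumes the project targets .NET Core 2.1 or later and that `System.Security.Cryptography` and `System.Text` are in scope. Because the key travels in the query string it will also be recorded in access and proxy logs, so those should redact it. PostWebhook's body continues past the end of the hunk.

```csharp
var expectedKey = _billingSettings.PayPal.WebhookKey;
if(string.IsNullOrWhiteSpace(expectedKey) || key == null ||
    !CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(key), Encoding.UTF8.GetBytes(expectedKey)))
// … unchanged: the BadRequestResult block and the HttpContext?.Request check …
```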
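Review bot: In src/Billing/appsettings.json, the checked-in default `"webhookKey": "SECRET"` is itself a usable key, because PostWebhook compares the query parameter against whatever value is bound, so a deployment that misses the override would accept the placeholder. Presumably the real value comes from environment-specific configuration, as for the neighbouring `clientSecret` and `webhookId` entries, but nothing visible here enforces that. A startup check that refuses to run while the value is still the placeholder (or an empty default in this file combined with a blank-key rejection in the controller) would make a missed override fail closed. JSON has no comment syntax, so that check belongs in the settings-loading code rather than in this file.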