Build a File Marketplace with Laravel
This episode is for members only

Sign up to access "Build a File Marketplace with Laravel" right now.

Get started
Already a member? Sign in to continue
Playing
30. Securing Stripe webhooks

Episodes

0%
Your progress
  • Total: 3h 32m
  • Played: 0m
  • Remaining: 3h 32m
Join or sign in to track your progress
01. Introduction and setting up
01. Introduction and demo
5m 51s
0%
02. A fresh project with Laravel Breeze
4m 29s
0%
02. Onboarding with Stripe
03. The onboarding screen
7m 17s
0%
04. Registering the Stripe PHP library
3m 43s
0%
05. Automatically creating Stripe accounts for your users
3m 11s
0%
06. Forwarding users to Stripe Connect
4m 36s
0%
07. Verifying if payouts are enabled
2m 24s
0%
03. Creating products
08. Setting up and listing products
10m 54s
0%
09. Installing Livewire
2m 49s
0%
10. Building the product creation form
15m 1s
0%
11. Automatically generating the slug from the product title
1m 28s
0%
12. Validating and creating a product
6m 23s
0%
13. Handling product file uploads
8m 14s
0%
14. Attaching files to a product
6m 45s
0%
04. Editing products
15. Creating the product edit form
5m 4s
0%
16. Reviving product state
5m 21s
0%
17. Showing and modifying existing files
7m 55s
0%
18. Pulling together the product update process
4m 20s
0%
19. Flashing an update message
4m 57s
0%
05. User subdomains
20. Adding a user subdomain on registration
10m 54s
0%
21. Subdomain routing basics
6m 47s
0%
22. Adding a string macro to properly display the user's name
3m 32s
0%
23. Listing the user's live products
3m 49s
0%
06. Product checkout
24. Showing the product page
10m 35s
0%
25. Creating the checkout success page
3m 57s
0%
26. Starting the checkout flow
9m 22s
0%
07. Storing sales
27. Handling Stripe webhooks
12m 1s
0%
28. Storing product sales
10m 15s
0%
29. Sending a confirmation email to customers
4m 30s
0%
30. Securing Stripe webhooks
4m 32s
0%
08. Accessing purchased files
31. Creating and validating the product download page
3m 54s
0%
32. Displaying and downloading files
4m 50s
0%
09. Sales dashboard
33. Calculating and displaying download stats
6m 6s
0%
34. Listing through sales
7m 3s
0%

Transcript

00:00
If you're following along and you want to come back to this later, that's absolutely fine. We don't need this for the webhook to actually work or work in any different way. But it's really important that we do come back to this to secure this. Otherwise, we can potentially have anyone sending requests to our webhooks,
00:17
which is not a great idea. OK, so the way that this works is if we head over to our webhook section on Stripe, we have this signing secret just here that we can go ahead and reveal. What we do with this is store this over on our app somewhere.
00:30
And then when Stripe actually sends the webhook, it will send this value along. And that means that we can verify that it actually came from Stripe. So we're going to go over to our EMV file and just underneath our Stripe secret, we're going to go ahead and add in our Stripe webhook secret.
00:48
So we're going to go ahead and add this over to our Stripe config here. So let's create out a new array called webhooks. And let's go ahead and add this secret in here. So that's EMV and this here.
01:05
Now what we can do is go ahead and create some middleware that we're going to add to this controller. And this middleware will verify that this webhook contains this secret and it matches, which is really important.
01:17
So we could write all the code out in the constructor here, but it's a lot tidier just to put this away in some middleware. So let's go ahead and create some middleware out called verify. Stripe webhook secret.
01:33
Or let's say signature, because that's what we actually get back from Stripe. So we can now go ahead and add this middleware to here. So verify Stripe webhook signature. And that's great.
01:46
So we can head over to this middleware now and start to fill this out. So all of this is in the Stripe docs. What we're going to do is create a try catch out in here. We're going to use the Stripe webhook signature object here to verify this header.
02:04
And what this is going to do is taking the header in, match it up to the value we have on our app. It's going to throw an exception if this fails, and then we can do something under catch here and fail this request.
02:19
So verify header takes in the entire contents as the first argument. So we're just going to say request get content. The second thing that we want to pass in is the actual header itself, which comes from Stripe.
02:34
So that is Stripe hyphen signature. And next up, we want to go ahead and pass in the actual webhook secret that we have stored in our app so we can use our config helper for that. We put that under webhook.
02:48
Let's just double check that we call this webhooks. So let's just do webhook for now and secret. And we're pretty much done. So like I said, this is going to throw an exception if this doesn't match.
02:59
And the exception is going to be a signature verification exception, again, from the Stripe library. And let's go ahead and call that exception. What do we want to do in here?
03:09
Well, we can just go ahead and throw a new exception in here. Let's say an access denied exception or access denied HTTP exception. And let's go ahead and pass in the exception message. And we'll pass through the exception so that can chain on.
03:26
So that's basically it. Just verify that these two things match. Go ahead and catch the exception thrown by this verify header method and then go ahead and throw a new exception.
03:37
So whoever is trying to access this webhook endpoint knows that they do not have access. So let's go ahead and try this out. The best way, of course, to do this is just to go through the entire flow again.
03:47
And we should see the new request pull in here. So let's go back to where we have our product page. Click on Buy Now. And let's see if this works.
03:57
OK, once again, let's go ahead and hit Pay with the details that we have in here. And we should see this sale nicely roll in. We'll keep an eye on our webhook section here, because if this does get denied for any reason, we'll see an error.
04:10
And sure enough, it looks like that worked. If we head over to our emails, we get a new email. So obviously, we know that this is now working. The signature has been verified against the secret that we've stored in our app.
04:22
And the sale is being created. And the email is being sent. So we've now secured our Stripe webhook. So we know that the requests only come from Stripe.

Episode summary

In this episode, we tackle a really important part of working with Stripe webhooks: securing them so that only Stripe can trigger them. We start by talking about the risks—if you don't secure your webhook endpoints, technically anyone could try to send data to them, which obviously isn't ideal!

To solve this, we jump into Stripe's dashboard and grab the webhook signing secret. We then store this secret in our app's .env file, right below our existing Stripe secret. Next, it's time to wire this up in our Stripe config so that our app knows what secret to expect.

Instead of dumping this logic directly into our controller, we keep things neat and organized by writing a custom middleware called VerifyStripeWebhookSignature. The magic happens in this middleware: whenever a request comes in, our code tries to verify the signature using Stripe's SDK and our stored secret. If anything's fishy, we throw an access denied exception and the request is stopped.

Once our middleware is hooked up, we test out the whole payment flow again. After going through the purchase process, we watch for Stripe's webhook hitting our endpoint, and sure enough, everything just works—emails get sent, sales are created, and most importantly, only Stripe can successfully trigger our webhook. Secure and sound!

If you're following along, you can now breathe easy knowing your Stripe webhook endpoint isn't open to everyone on the internet.

Episode discussion

No comments, yet. Be the first!