30. Securing Stripe webhooks
Transcript

00:00
If you're following along and you want to come back to this later, that's absolutely fine. We don't need this for the webhook to actually work or work in any different way. But it's really important that we do come back to this to secure this. Otherwise, we can potentially have anyone sending requests to our webhooks,
00:17
which is not a great idea. OK, so the way that this works is if we head over to our webhook section on Stripe, we have this signing secret just here that we can go ahead and reveal. What we do with this is store this over on our app somewhere.
00:30
And then when Stripe actually sends the webhook, it will send this value along. And that means that we can verify that it actually came from Stripe. So we're going to go over to our .env file and just underneath our Stripe secret, we're going to go ahead and add in our Stripe webhook secret.
00:48
So we're going to go ahead and add this over to our Stripe config here. So let's create out a new array called webhooks. And let's go ahead and add this secret in here. So that's env() and this here.
01:05
Now what we can do is go ahead and create some middleware that we're going to add to this controller. And this middleware will verify that this webhook contains this secret and it matches, which is really important.
01:17
So we could write all the code out in the constructor here, but it's a lot tidier just to put this away in some middleware. So let's go ahead and create some middleware called VerifyStripeWebhookSecret.
01:33
Or let's say signature, because that's what we actually get back from Stripe. So we can now go ahead and add this middleware to here. So VerifyStripeWebhookSignature. And that's great.
01:46
So we can head over to this middleware now and start to fill this out. So all of this is in the Stripe docs. What we're going to do is create a try/catch in here. We're going to use the Stripe WebhookSignature object here to verify this header.
02:04
And what this is going to do is take the header in and match it up to the value we have on our app. It's going to throw an exception if this fails, and then we can do something under catch here and fail this request.
02:19
So verifyHeader takes in the entire contents as the first argument. So we're just going to say $request->getContent(). The second thing that we want to pass in is the actual header itself, which comes from Stripe.
02:34
So that is Stripe-Signature. And next up, we want to go ahead and pass in the actual webhook secret that we have stored in our app, so we can use our config helper for that. We put that under webhook.
02:48
Let's just double check that we call this webhooks. So let's just do webhook for now and secret. And we're pretty much done. So like I said, this is going to throw an exception if this doesn't match.
02:59
And the exception is going to be a SignatureVerificationException, again, from the Stripe library. And let's go ahead and call that exception. What do we want to do in here?
03:09
Well, we can just go ahead and throw a new exception in here. Let's say an access denied exception, or AccessDeniedHttpException. And let's go ahead and pass in the exception message. And we'll pass through the exception so that can chain on.
03:26
So that's basically it. Just verify that these two things match. Go ahead and catch the exception thrown by this verifyHeader method and then go ahead and throw a new exception.
03:37
So whoever is trying to access this webhook endpoint knows that they do not have access. So let's go ahead and try this out. The best way, of course, to do this is just to go through the entire flow again.
03:47
And we should see the new request pull in here. So let's go back to where we have our product page. Click on Buy Now. And let's see if this works.
03:57
OK, once again, let's go ahead and hit Pay with the details that we have in here. And we should see this sale nicely roll in. We'll keep an eye on our webhook section here, because if this does get denied for any reason, we'll see an error.
04:10
And sure enough, it looks like that worked. If we head over to our emails, we get a new email. So obviously, we know that this is now working. The signature has been verified against the secret that we've stored in our app.
04:22
And the sale is being created. And the email is being sent. So we've now secured our Stripe webhook. So we know that the requests only come from Stripe.
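The middleware described in the transcript, written out as an added example (this is not the course's own code). It assumes the stripe/stripe-php package is installed and that config/stripe.php contains `'webhooks' => ['secret' => env('STRIPE_WEBHOOK_SECRET')]`; it also passes the library's default tolerance explicitly, because WebhookSignature::verifyHeader() only checks the signature timestamp when a tolerance is supplied.

```php
<?php
// Added example, not code from the course. Assumes config/stripe.php has:
//   'webhooks' => ['secret' => env('STRIPE_WEBHOOK_SECRET')],

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Stripe\Exception\SignatureVerificationException;
use Stripe\Webhook;
use Stripe\WebhookSignature;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class VerifyStripeWebhookSignature
{
    public function handle(Request $request, Closure $next): Response
    {
        $secret = config('stripe.webhooks.secret');

        // Fail closed if the secret is missing: with an empty secret the
        // check could not prove anything about where the request came from.
        if (empty($secret)) {
            throw new AccessDeniedHttpException('Stripe webhook secret is not configured.');
        }

        try {
            // The signature covers the exact bytes Stripe sent, so the raw
            // body is used rather than a re-serialised copy of the JSON.
            // The fourth argument enables the timestamp check (300 seconds
            // by default), which limits replay of a captured request.
            WebhookSignature::verifyHeader(
                $request->getContent(),
                $request->header('Stripe-Signature', ''),
                $secret,
                Webhook::DEFAULT_TOLERANCE
            );
        } catch (SignatureVerificationException $e) {
            // Mirror the transcript: turn the library exception into a 403
            // and chain the original so the reason survives in the logs.
            throw new AccessDeniedHttpException($e->getMessage(), $e);
        }

        return $next($request);
    }
}
```

Attach it in the webhook controller's constructor with `$this->middleware(VerifyStripeWebhookSignature::class)`; the webhook route also has to be excluded from Laravel's CSRF verification, since Stripe cannot supply a CSRF token.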
Overview

Build a marketplace where sellers can list and sell files, while we take a cut of each sale using Stripe Connect.

We'll cover onboarding users with Stripe Connect, creating products and uploading files, payments, and delivering purchased files to your customers.

Here's everything we'll cover:

  • The Stripe Connect onboarding flow
  • Effortlessly creating products (and uploading files) with Livewire forms
  • Subdomains for your user's marketplace
  • Stripe Checkout for a beautiful, secure payment flow
  • Securely delivering files with Signed URLs in Laravel
  • Showing sales stats on a dashboard
Alex Garrett-Smith
Hey, I'm the founder of Codecourse!