Build a Pay Once For Access App

Sign in Get started

This episode is for members only

Sign up to access "Build a Pay Once For Access App" right now.

Already a member? Sign in to continue

Playing

14. Securing the Stripe webhook with a signature

Episodes

0%

Your progress

Total: 1h 11m
Played: 0m
Remaining: 1h 11m

Join or sign in to track your progress

01. Introduction and demo

02. Setting up Laravel and Breeze

03. Protected member area

04. Setting up the Stripe library

05. Creating a payment intent

06. Creating the Stripe card form

07. Confirming the card payment

08. Handling card errors

09. Redirecting after successful payment

10. Creating a Stripe webhook

11. Handling a successful payment intent

12. Updating a user member status

13. Protecting the payment page with middleware

14. Securing the Stripe webhook with a signature

15. Preventing duplicate Payment Intents

Transcript

00:00

So, at the moment, our Stripe webhook route is pretty open to anyone sending a request through to this. Now, we can demonstrate this by coming over and using a client like Postman or similar and sending a request through to this and you can see, although we get an error here

00:18

because we don't technically have a user ID, we're not passing any payload through to this, this can be accessed. Now, we're not going to worry too much about this just yet because we know that within the Stripe payload, that user ID is always going to be set.

00:31

We could handle that in a different way if we wanted to. But really, what we want to do is deny access to anyone just posting through to here because technically what they could then do is upgrade themselves via this route. Now, all of this starts over on Stripe itself, over in our developers section, under the

00:51

webhook that we've created and we have this signing secret. Now, we're going to go ahead and reveal this. We're going to copy this and paste this over into our EMV and we're going to set this under Stripe webhook secret.

01:07

And what we're going to do is verify that when we send a request, this is actually coming from Stripe. Stripe will send this value in a header and we can kind of compare these two values. So we're going to add this to our Stripe config.

01:22

So let's call this webhook underscore secret and let's use EMV and paste that in. Okay. So now that we've got this value in here, how are we going to do this? Are we going to do this in an if statement inside of invoke?

01:43

Probably not. It would be much better if we put this into middleware. So let's go ahead and create some middleware out for this. Let's make our middleware in here.

01:53

And let's go ahead and call this verify Stripe webhook secret just so it's really clear. And let's open that up. Stripe webhook secret. And we'll fill this in in a minute, but let's apply this to this route.

02:11

Let's create a constructor in here and say this middleware and verify Stripe webhook secret. There we go. So we've got our middleware in there now.

02:22

Now what are we going to do in this middleware? Well within the Stripe SDK, we have this webhook signature functionality. And what we can do is we can verify this via our header. So we're going to go ahead and do a try catch on this.

02:40

If this fails, we're going to go ahead and do something. The exception that we're capturing is again from the Stripe library and that is signature verification exception. And we're going to go ahead and call that E. And then we're going to do something in

02:54

there to sort of relay this in a more Laravel friendly way. So inside of verify header, this accepts the content of the request. So we're going to say get content. It then accepts the value from the header.

03:08

So we're going to say request header. And this gets sent as Stripe dash signature. And the third argument is going to be our signing key. So config, Stripe, and we call that webhook secret.

03:25

And that's pretty much all we need to do. So if this does throw an exception, e.g. the signature doesn't match, we're going to go ahead and throw a new exception in here. And that's going to be an access denied HTTP exception.

03:38

And we're just going to relay from this the message that we get. And we're going to pass through the exception to this as well. So that's just going to handle that in a much nicer way for us. So now that we've got this applied, let's go back over to Postman and send this across.

03:54

And you can see here that sure enough, we get a nice Laravel forbidden error in here. So now no one can really just send any kind of data through. Now this is a very specific error from Stripe, which doesn't really matter too much. It just means that it doesn't have enough information here.

04:11

But unless someone knows our signing secret, they're not going to be able to send a request through to this URL. What we do need to make sure though is we can still actually make a payment. So let's go back over to our database, set member explicitly back to false, go back over

04:29

to our payments page, and see if this still works. So again, let's just enter all of our card details in here. And of course, that signature is going to be sent down. It's going to be verified.

04:44

Let's just check out our payments tab. That should go to complete if we just wait for that. There we go. So we've got a successful payment.

04:51

And of course, we should, with that verification, now be upgraded. So a request from Stripe is now working. But of course, if we just send this across from Postman or any other client, it's not going to work unless we know that signing secret.

Episode summary

In this episode, we focus on making our Stripe webhook route much more secure. Up until now, anyone (and anything) could send requests to our webhook endpoint—definitely not ideal! First, we use Postman to show how the route can currently be hit without much restriction, even though without a proper payload it still errors out. But the main issue is that, theoretically, someone could trigger actions (like upgrading themselves!) by hitting this unprotected endpoint.

To fix this, we take advantage of Stripe's webhook signing secret. We go over to Stripe's dashboard, reveal that secret, and add it to our environment config. Instead of just handling the security check in the controller, we clean this up and put our verification logic in middleware for better separation of concerns.

With the Stripe SDK, we implement signature verification in our new middleware. If the signature doesn't match, we respond with a forbidden error, shutting down bad actors without leaking extra details. After setting this up, we test in Postman again—and now, unauthorized requests are blocked!

Finally, to make sure things haven't broken, we run through an actual payment in the app. The payment goes through, and Stripe's legitimate webhook is received and verified with the signing key—proving that real Stripe webhooks still work, while random requests are safely denied. This episode is all about locking down the webhook route so only Stripe can call it.

Episode discussion

No comments, yet. Be the first!