This episode is for members only

Sign up to access "Build a Pay Once For Access App" right now.

Get started
Already a member? Sign in to continue
Playing
14. Securing the Stripe webhook with a signature

Transcript

00:00
So, at the moment, our Stripe webhook route is pretty open to anyone sending a request through to this. Now, we can demonstrate this by coming over and using a client like Postman or similar and sending a request through to this and you can see, although we get an error here
00:18
because we don't technically have a user ID, we're not passing any payload through to this, this can be accessed. Now, we're not going to worry too much about this just yet because we know that within the Stripe payload, that user ID is always going to be set.
00:31
We could handle that in a different way if we wanted to. But really, what we want to do is deny access to anyone just posting through to here because technically what they could then do is upgrade themselves via this route. Now, all of this starts over on Stripe itself, over in our developers section, under the
00:51
webhook that we've created and we have this signing secret. Now, we're going to go ahead and reveal this. We're going to copy this and paste this over into our EMV and we're going to set this under Stripe webhook secret.
01:07
And what we're going to do is verify that when we send a request, this is actually coming from Stripe. Stripe will send this value in a header and we can kind of compare these two values. So we're going to add this to our Stripe config.
01:22
So let's call this webhook underscore secret and let's use EMV and paste that in. Okay. So now that we've got this value in here, how are we going to do this? Are we going to do this in an if statement inside of invoke?
01:43
Probably not. It would be much better if we put this into middleware. So let's go ahead and create some middleware out for this. Let's make our middleware in here.
01:53
And let's go ahead and call this verify Stripe webhook secret just so it's really clear. And let's open that up. Stripe webhook secret. And we'll fill this in in a minute, but let's apply this to this route.
02:11
Let's create a constructor in here and say this middleware and verify Stripe webhook secret. There we go. So we've got our middleware in there now.
02:22
Now what are we going to do in this middleware? Well within the Stripe SDK, we have this webhook signature functionality. And what we can do is we can verify this via our header. So we're going to go ahead and do a try catch on this.
02:40
If this fails, we're going to go ahead and do something. The exception that we're capturing is again from the Stripe library and that is signature verification exception. And we're going to go ahead and call that E. And then we're going to do something in
02:54
there to sort of relay this in a more Laravel friendly way. So inside of verify header, this accepts the content of the request. So we're going to say get content. It then accepts the value from the header.
03:08
So we're going to say request header. And this gets sent as Stripe dash signature. And the third argument is going to be our signing key. So config, Stripe, and we call that webhook secret.
03:25
And that's pretty much all we need to do. So if this does throw an exception, e.g. the signature doesn't match, we're going to go ahead and throw a new exception in here. And that's going to be an access denied HTTP exception.
03:38
And we're just going to relay from this the message that we get. And we're going to pass through the exception to this as well. So that's just going to handle that in a much nicer way for us. So now that we've got this applied, let's go back over to Postman and send this across.
03:54
And you can see here that sure enough, we get a nice Laravel forbidden error in here. So now no one can really just send any kind of data through. Now this is a very specific error from Stripe, which doesn't really matter too much. It just means that it doesn't have enough information here.
04:11
But unless someone knows our signing secret, they're not going to be able to send a request through to this URL. What we do need to make sure though is we can still actually make a payment. So let's go back over to our database, set member explicitly back to false, go back over
04:29
to our payments page, and see if this still works. So again, let's just enter all of our card details in here. And of course, that signature is going to be sent down. It's going to be verified.
04:44
Let's just check out our payments tab. That should go to complete if we just wait for that. There we go. So we've got a successful payment.
04:51
And of course, we should, with that verification, now be upgraded. So a request from Stripe is now working. But of course, if we just send this across from Postman or any other client, it's not going to work unless we know that signing secret.
15 episodes1 hr 11 mins

Overview

Let's do payments right with the Stripe Payment Intent API, and build an app where customers can pay to access a members area.

We'll cover setting up a Payment Intent, process payments correctly with authorization, handle declines, and securely respond to a Stripe webhook to upgrade a member.

This course is for you if:

  • You want to process payments to upgrade customers for access
  • You need to learn how to properly process one-off payments with Stripe
  • You need a refresher on the Payment Intents API
Alex Garrett-Smith
Alex Garrett-Smith
Hey, I'm the founder of Codecourse!

Episode discussion

No comments, yet. Be the first!