This episode is for members only

Sign up to access "Laravel Subscriptions" right now.

Get started
Already a member? Sign in to continue
Playing
24. Adding a webhook secret

Transcript

00:00
We didn't do this earlier, but this is worth covering and that is securing our webhooks with a token. Now Stripe and Cachier make this incredibly easy to do. Let's talk about why we need to do this and then we'll go ahead and implement it.
00:13
So with our webhooks, we know that whenever we have some sort of action happen with over on Stripe, this goes ahead and sends a request through to our application. The only trouble is that the webhook endpoint, so I think it was under webhooks and Stripe or Stripe webhooks, is exposed to everyone on your server.
00:35
So that means that someone could potentially take a payload, send it manually through to your application and that could potentially go ahead and trick your application into thinking someone has cancelled their subscription or signed up for a subscription or any of the other actions you have enabled for webhooks.
00:52
Now that's not great. So ideally what we need is a secret key which always needs to be passed over in the payload from Stripe and checked on our backend. So let's go ahead and just remind ourselves of the config over in our Cachier section. So let's open up this and let's look for webhooks.
01:11
OK, so we have here a webhook secret. Now we didn't define that earlier, but what we can do is just very easily take this value, add it to our EMV and what that means is whenever a webhook gets sent now, this is going to take the key that we have on Stripe and compare it to the one that's in our
01:30
application. So unless someone knows this secret key, they're not going to be able to send any data through to your endpoint. Let's go back over and grab this key. You can find it under where you have created your endpoints and you can see that we've got this signing secret just here. Let's go ahead and reveal this.
01:47
We're going to copy this, go back over to our application, paste it in and with Laravel Cachier, that is all we need to do. Let's go ahead and make sure that this works. So let's go over to our application here. We currently don't have a subscription. Let's go ahead and choose a plan here,
02:03
buy one and make sure that this webhook gets sent through properly. And remember, if you are running this in your terminal, you can keep an eye on whether this works or not. So let's go ahead and sign up for a subscription and see what we get.
02:16
OK, that's just about finished and we're redirected back. And of course, we should be able to now access our protected area. Great. So we know that that is working. Let's just really quickly, if you're interested, dive into how this gets checked.
02:30
So remember, we have that webhook controller from the package. Let's open that up and see what we have in here. So we grab the payload. As we've already seen, we looked at this earlier. We handle the method. But where is this check happening in here?
02:44
It's actually checking at the middleware level. So you can see under the constructor of this controller that comes from the Cachier package is checking if we have a secret set first. Now, we didn't before. So this middleware would not have been applied to this controller.
02:58
Let's go over to this and check it out. So you can see here that this uses this webhook signature class, which comes from Stripe. And this will basically just verify the header that gets sent through from Stripe. And that will contain that key that we just copied and pasted.
03:13
And this will be under Stripe signature. It will validate the contents of the request with the Stripe signature against the secret that we have set in our application from the Cachier config, which we just looked at.
03:27
And obviously, if this fails, it's going to go ahead and throw an exception. And it won't let that webhook be sent through. So now we are fully protected against other people trying to send a payload through to our webhook endpoint.

Episode summary

In this episode, we're diving into how to properly secure your webhook endpoints using a secret key—something we should always do but sometimes forget about early on! We start with an explanation of why securing webhooks matters: basically, without some form of authentication, anyone could send fake payloads to your application and trigger unwanted actions, like canceling subscriptions or faking signups. Not ideal!

So, we walk through how Stripe (and Laravel Cashier, if you're using it) makes adding this security super simple. We show you where to find your webhook secret in the Stripe dashboard, how to add it to your application config (just a quick copy and paste!), and what that process looks like in practice when things are working correctly.

We also take a peek under the hood to see how this security check actually works in the backend. The magic happens at the middleware level, where incoming requests to your webhook endpoint are checked against the secret. If the signature from Stripe doesn't match what you've set in your environment, the request is blocked before it can do any damage.

By the end of the episode, you'll have your webhooks locked down, and you'll know exactly how and why the system is keeping you safe from rogue requests.

Episode discussion

No comments, yet. Be the first!