This episode is for members only
Sign up to access "Laravel Subscriptions" right now.
Get started
Already a member? Sign in to continue
Playing
24. Adding a webhook secret
Episodes
01. Introduction and demo
3m
0%
02. Setting up
2m 57s
0%
03. Adjusting Laravel Breeze
6m 36s
0%
04. Creating and storing plans
4m 44s
0%
05. Displaying plans
6m 21s
0%
06. Installing and configuring Cashier
5m 28s
0%
07. Creating a checkout session
7m 15s
0%
08. Validating plans on checkout
1m 59s
0%
09. Allowing promo codes
3m 32s
0%
10. Configuring webhooks
7m 39s
0%
11. Checking if a customer is subscribed
3m 36s
0%
12. Protecting routes
4m 37s
0%
13. Redirecting to the billing portal
8m 54s
0%
14. Displaying plan details
10m 20s
0%
15. Showing renewal date and next charge
4m 19s
0%
16. Cancelling and resuming subscriptions
9m 53s
0%
17. Syncing customer details
3m 21s
0%
18. Displaying invoices
4m
0%
19. Downloading invoices
2m 52s
0%
20. Custom webhook events
4m 48s
0%
21. Sending an email when a subscription ends
6m 2s
0%
22. Subscription trials
5m 20s
0%
23. Non-subscriber and other middleware
10m 12s
0%
24. Adding a webhook secret
3m 40s
0%
25. Dealing with past due payments
6m 46s
0%
26. Adding lifetime memberships
20m 8s
0%
Transcript
00:00
We didn't do this earlier, but this is worth covering and that is securing our webhooks with a token. Now Stripe and Cachier make this incredibly easy to do. Let's talk about why we need to do this and then we'll go ahead and implement it.
00:13
So with our webhooks, we know that whenever we have some sort of action happen with over on Stripe, this goes ahead and sends a request through to our application. The only trouble is that the webhook endpoint, so I think it was under webhooks and Stripe or Stripe webhooks, is exposed to everyone on your server.
00:35
So that means that someone could potentially take a payload, send it manually through to your application and that could potentially go ahead and trick your application into thinking someone has cancelled their subscription or signed up for a subscription or any of the other actions you have enabled for webhooks.
00:52
Now that's not great. So ideally what we need is a secret key which always needs to be passed over in the payload from Stripe and checked on our backend. So let's go ahead and just remind ourselves of the config over in our Cachier section. So let's open up this and let's look for webhooks.
01:11
OK, so we have here a webhook secret. Now we didn't define that earlier, but what we can do is just very easily take this value, add it to our EMV and what that means is whenever a webhook gets sent now, this is going to take the key that we have on Stripe and compare it to the one that's in our
01:30
application. So unless someone knows this secret key, they're not going to be able to send any data through to your endpoint. Let's go back over and grab this key. You can find it under where you have created your endpoints and you can see that we've got this signing secret just here. Let's go ahead and reveal this.
01:47
We're going to copy this, go back over to our application, paste it in and with Laravel Cachier, that is all we need to do. Let's go ahead and make sure that this works. So let's go over to our application here. We currently don't have a subscription. Let's go ahead and choose a plan here,
02:03
buy one and make sure that this webhook gets sent through properly. And remember, if you are running this in your terminal, you can keep an eye on whether this works or not. So let's go ahead and sign up for a subscription and see what we get.
02:16
OK, that's just about finished and we're redirected back. And of course, we should be able to now access our protected area. Great. So we know that that is working. Let's just really quickly, if you're interested, dive into how this gets checked.
02:30
So remember, we have that webhook controller from the package. Let's open that up and see what we have in here. So we grab the payload. As we've already seen, we looked at this earlier. We handle the method. But where is this check happening in here?
02:44
It's actually checking at the middleware level. So you can see under the constructor of this controller that comes from the Cachier package is checking if we have a secret set first. Now, we didn't before. So this middleware would not have been applied to this controller.
02:58
Let's go over to this and check it out. So you can see here that this uses this webhook signature class, which comes from Stripe. And this will basically just verify the header that gets sent through from Stripe. And that will contain that key that we just copied and pasted.
03:13
And this will be under Stripe signature. It will validate the contents of the request with the Stripe signature against the secret that we have set in our application from the Cachier config, which we just looked at.
03:27
And obviously, if this fails, it's going to go ahead and throw an exception. And it won't let that webhook be sent through. So now we are fully protected against other people trying to send a payload through to our webhook endpoint.
26 episodes•2 hrs 38 mins•7 months ago
Overview
Learn to start accepting subscriptions with Laravel and build a solid foundation for your next application. In fact, it’s exactly how we do things here on Codecourse!
Even if you’re completely new to Laravel, by the end of this course you’ll have a platform where customers can purchase subscriptions and gain access to restricted areas of your application.
We’ll also cover managing subscriptions, cancellations, invoices, giving customers trial periods — and more.
Alex Garrett-Smith
Hey, I'm the founder of Codecourse!
Episode discussion
No comments, yet. Be the first!