Laravel Subscriptions

Sign in Get started

This episode is for members only

Sign up to access "Laravel Subscriptions" right now.

Already a member? Sign in to continue

Playing

08. Validating plans on checkout

Episodes

0%

Your progress

Total: 2h 38m
Played: 0m
Remaining: 2h 38m

Join or sign in to track your progress

01. Introduction and demo

03. Adjusting Laravel Breeze

04. Creating and storing plans

05. Displaying plans

06. Installing and configuring Cashier

07. Creating a checkout session

08. Validating plans on checkout

09. Allowing promo codes

10. Configuring webhooks

11. Checking if a customer is subscribed

12. Protecting routes

13. Redirecting to the billing portal

14. Displaying plan details

15. Showing renewal date and next charge

16. Cancelling and resuming subscriptions

17. Syncing customer details

18. Displaying invoices

19. Downloading invoices

20. Custom webhook events

21. Sending an email when a subscription ends

22. Subscription trials

23. Non-subscriber and other middleware

24. Adding a webhook secret

25. Dealing with past due payments

26. Adding lifetime memberships

Transcript

00:00

One thing we're currently not doing here is validating the plan that we're passing through in the URL. So as an example, if I were to just go ahead and copy the link address for this,

00:10

paste it in, and then go ahead and change this over to any value, this gives us an error. So it's not necessarily a massive issue, but we do want to go ahead and validate this. So how do we do that? Well, there's a couple of ways, but the easiest way would be to just abort the request with say a 404 if the plan couldn't be found. To do this, we can completely wrap

00:31

the extraction of the plan out in an abort unless function call within Laravel. So let's take everything that we've done here. We're going to pass this through as the first argument to abort unless. Get will return to us null if it can't be found, because we're trying to access something on null in that error that we saw. And the second argument is the status code that we

00:54

want to send through. So in this case, we'll just say 404 and you can change that over if you want and do anything you need. So let's go over and just try this out. We'll go ahead and grab that link again and we'll paste this in and choose something else. And there we go. We get a 404 not found because, of course, this plan can't be found. Another way that you can do this if you

01:14

want to log something or redirect specifically, you could just put this in an if statement. So you could change this up to do something like the following. You could say if and you could assign the plan at the same time. And you could say, well, if it doesn't exist, so just make that falsy. Then you can return here, redirect the user somewhere to a specific route if you wanted to

01:37

maybe log something perhaps before you return anything you need to do in there. You can put that in an if statement. I prefer abort unless because it's highly unlikely that the user is going to choose the wrong plan unless they're specifically changing the URL. OK, great. So now we have protection against a plan, an invalid plan being chosen.

Episode summary

In this episode, we tackle an important security and user experience issue: validating the subscription plan during checkout. Currently, our app just grabs the plan from the URL without checking if it actually exists. This can lead to confusing errors if someone messes with the URL and enters a bogus plan ID.

We walk through how to add proper validation to handle this gracefully. The simple solution is to use Laravel's abort_unless helper. This way, if the plan can't be found, we immediately show a 404 error instead of letting the app crash. We look at how to wrap our existing code in this helper and test out what happens when an invalid plan is entered.

We also briefly discuss an alternative: using an if statement to check for the plan, which allows more flexibility—like logging or redirecting before handling the error. Ultimately, we stick with abort_unless for its simplicity, since users are unlikely to hit an invalid plan unless they're tinkering with the URL directly. By the end of the video, our checkout is much more robust!

Episode discussion

No comments, yet. Be the first!