I have been some problems making webhooks of Stripe works with my application.
So after being able to create, update, delete, resume subscriptions, and create my endpoint to my domain:
www.domain.com
I always recieve 419 http code when a user interact with my application.
Why does it happen?
I write this in case helps someone:
My problem was I hadn't included a route for stripe in my web.php, like this:
Route::post(
'stripe/webhook',
'\Laravel\Cashier\Http\Controllers\WebhookController#handleWebhook'
);
and you can't forget to include stripe in your verifycsrftoken middleware, like this:
protected $except = [
'stripe/*',
];
and once you have done it, you have to configure your endpoint in stripe dashboard to call to the previous route:
www.domain.com/stripe/webhook
and include all the events you want to listen to.
To test it in local you can use stripe cli, that works perfectly:
https://stripe.com/docs/stripe-cli
Related
I have Laravel application with VUEJS as front-end,
I am getting data by creating API Routes.
So for example the route for getting posts data will be http://localhost/api/posts
What is the best way to protect my routes?
I saw on laravel documentation that there is:
API athentication https://laravel.com/docs/5.8/api-authentication
also Passport https://laravel.com/docs/5.8/passport
For example now any user can reach to the route http://localhost/api/posts
and he will get json with all posts data.
I want protect that and allow only inner api request from my VUEJS commponent to get the data
I’m assuming you’re going to use the Laravel auth routes to do the authentication, and after the authentication, the next view you’re reaching is the one with all the Vue components.
The solution is simple, even that is on the documentation, the necessary steps should be clarified.
We need to:
Add passport composer require laravel/passport
Make the migrations php artisan migrate
Install passport php artisan passport:install
The fourth step is more complex. We need to open our User.php model file. And first we need to import the HasApiTokens and tell the model to use it.
use Laravel\Passport\HasApiTokens;
class User extends Authenticatable
{
use HasApiTokens, Notifiable;
.......
}
Then on our config/auth.php we need to modify the api array and change the driver to passport
'api' => [
//for API authentication with Passport
'driver' => 'passport',
'provider' => 'users',
],
Then on our app/Http/Kernel.php we need to add a middleware to the $middlewareGroups array in the key web.
protected $middlewareGroups = [
'web' => [
................
//for API authentication with Passport
\Laravel\Passport\Http\Middleware\CreateFreshApiToken::class,
],
Now we can use the auth:api middleware on our api routes.
Route::middleware('auth:api')->group( function(){
...your routes here
});
This is what the CSRF TOKEN doing, it's not quite the same with the API Authorization doing
CSRF Token:
To protect (inner) API or access points from cross-site accessing, See Cross-site_request_forgery
CSRF Token is expired and generated within a randomly time, which will make the program access difficulty
API Authorization:
The API is design to be used from other programs, and you'd like to protect them from non-authorized access
Since API tokens expiration and generation is handle by admin manually, since you'll need to place this API token in your HTML to get your function working, it's not what you searching for here
More details of CSRF protection in Laravel see: Laravel CSRF production document
Generally, we'll protect all the routes POST and PUT routes by default
I am integrating payment gateway in Laravel 5.6 but
The problem is sometimes call back URL from gateway page expire due to inactivity and sometimes its work perfectly.
while I have added call back URL in App\Http\Middleware; to prevent checking CSRF token.
Please help me know what i am doing wrong?
into the app/Http/Middleware/VerifyCsrfToken.php
replace
protected $except = [
'add payment url'
];
from protected $except= [];
I am currently testing Stripe webhooks using the latest Laravel Spark. I've got a Stripe account working, meaning that I can add (fake) creditcards and charge subscriptions/single payments. Next, I am using a fake hook endpoint (ultrahook.com) to retrieve webhooks requests from Stripe.
My vanilla route file is from the Spark installation:
$router->post('/webhook/stripe', 'Settings\Billing\StripeWebhookController#handleWebhook');
And should handle all the webhooks fine. To test the webhooks, I checked the StripeWebhookController object and changed a method to log some info:
protected function handleInvoicePaymentSucceeded(array $payload)
{
Log::info('This is some useful handleInvoicePaymentSucceeded.');
}
However, nothing gets logged when I call run a Stripe test webhook of type: invoice.payment_succeeded.
I do see the request coming into the ultrahook console and it gets returned a 200. I can also copy paste the JSON Stripe test webhook and paste it into Postman after which it gets send to http://localhost:80/webhook/stripe ... again a 200 response but nothing logged.
Any advice?
Laravel Cashier instructs you to exclude the webhook routes from VerifyCsrfToken middleware as stated here:
https://laravel.com/docs/5.5/billing#handling-stripe-webhooks
Spark uses Cashier, I'd imagine you need to do the same then.
Well, it appears that I needed to add
CASHIER_ENV=testing
in the env file. Nice to see that in the documentation Laravel... not
stripe webhooks don't call localhost, it should have a domain name to call.
you may use ultrahook gem for that..
it will create a temporary binding url which you can provide in stripe dashboard as callback url
like this
ultrahook stripe 80
which would give you an url that you map it in stripe dashboard
http://stripe.somename.ultrahook.com -> http://localhost:80
NOTE: You can access this url on a browser, it is just a virtual binding
I have an application in Laravel running on a live server and I am trying to consume its API with an Ionic application using Passport for the user authentication and the retrieval of the access_token.
After I have successfully retrieved the access_token making a request to the url: https://my-app.com/oauth/token, I save the access_token and I make a simple GET request to get a "hello" message that uses the "auth:api" middleware.
This GET request, when done to the live server returns a 401 status code. On the other hand, when I follow the same steps but on the localhost then it works fine.
All these steps are done on the Ionic application as well as the Postman application. And both ways yield the same results.
I really don't know what could be wrong. I have followed instruction online and on the laravel documentation.
1) First check that you added the passport middleware into your app\Http\Kernel.php > $routeMiddleware array.
2) Then protect routes with this passport middleware in app\Providers\RouteServiceProvider.php, like:
protected function mapApiRoutes()
{
Route::prefix('api')
->middleware('client_credentials')
->namespace($this->namespace)
->group(base_path('routes/api.php'));
}
For more detail, you can check this answer source.
I have a react app that fetch datas from laravel api defined like so in routes/api.php:
// this is default route provided by laravel out of the box
Route::middleware('auth:api')->get('/user', function (Request $request) {
return $request->user();
});
// ItemController provides an index methods that list items with json
Route::resource('items', 'Api\ItemController', array('except' => array('create','edit')));
// this is to store new users
Route::resource('users', 'Api\UserController', array('only' => array('store')));
for example http://example.com/api/items returns the data as intended but it's really insecure since anyone could access it through postman.
How to make those routes only accessible inside the app?
As I'm new to it I don't understand if I need to set up api_token and how?
Do I need to setup Passport?
Is is related to auth:api middleware?
It may sounds really basic but any help or tutorial suggestions would be greatly appreciated
EDIT
End up with a classic session auth. Moved routes inside web.php. Pass csrf token in ajax request. Actually i didn't need a RESTful API. You only need token auth when your API is stateless.
As you are using Laravel 5.4 you can use Passport, but I haven't implemented yet, but i implemented lucadegasperi/oauth2-server-laravel for one of my laravel projects and it was developed in Laravel 5.1
Here is the link to github repository
lucadegasperi/oauth2-server-laravel
Here is the link to the documentation Exrensive Documentation
Just add the package to the composer json and run composer update,the package will get installed to your application , once installed add the providers array class and aliases array class as mentioned in the Laravel 5 installation part of the documentation,
you have to do a small tweak in order to work perfectly cut csrf from $middleware array and paste it into $routeMiddleware array and again run php artisan vendor:publish after publishing the migrations will be created and run the migration php artisan migrate
if you only want to secure api routes for each client like ios, android and web you can implement Client Credentials Grant, or if you need to every user with oauth the you can implement Authorization Server with the Password Grant or some other.,
Never use the client id or other credentials, generating access token in the form, but add it some where in helper and attach it in the request to the api,
Hope this answer helps you.
You could use JWT it's pretty easy to get it to work. You basically generate a token by requesting Username/Password and passing that token in every request that requires authentication, your URL would look like http://example.com/api/items?token=SOME-TOKEN. without a proper token, he doesn't have access do this endpoint.
As for
How to make those routes only accessible inside the app?
If you mean only your app can use these requests, you can't. Basically the API doesn't know who is sending these requests, he can only check if what you are giving is correct and proceed with it if everything is in order. I'd suggest you to have a look at this question