Chapters
35 Chapters
|
3:22:53
|
This course is archived!
This tutorial uses an older version of Symfony of the stripe-php SDK. The majority of the concepts are still valid, though there *are* differences. We've done our best to add notes & comments that describe these changes.
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: >=5.5.9, <7.4
Subscribe to download the code!Compatible PHP versions: >=5.5.9, <7.4
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
22.
Webhooks: Preventing Replay Attacks
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
This tutorial uses an older version of Symfony of the stripe-php SDK. The majority of the concepts are still valid, though there *are* differences. We've done our best to add notes & comments that describe these changes.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=5.5.9, <7.4",
"symfony/symfony": "3.1.*", // v3.1.10
"doctrine/orm": "^2.5", // v2.7.2
"doctrine/doctrine-bundle": "^1.6", // 1.6.8
"doctrine/doctrine-cache-bundle": "^1.2", // 1.3.0
"symfony/swiftmailer-bundle": "^2.3", // v2.6.2
"symfony/monolog-bundle": "^2.8", // v2.12.1
"symfony/polyfill-apcu": "^1.0", // v1.3.0
"sensio/distribution-bundle": "^5.0", // v5.0.22
"sensio/framework-extra-bundle": "^3.0.2", // v3.0.26
"incenteev/composer-parameter-handler": "^2.0", // v2.1.2
"friendsofsymfony/user-bundle": "~2.0.1", // v2.0.1
"stof/doctrine-extensions-bundle": "^1.2", // v1.2.2
"stripe/stripe-php": "^3.15", // v3.23.0
"doctrine/doctrine-migrations-bundle": "^1.1", // v1.2.1
"phpunit/phpunit": "^5.5", // 5.7.20
"composer/package-versions-deprecated": "^1.11" // 1.11.99
},
"require-dev": {
"sensio/generator-bundle": "^3.0", // v3.1.4
"symfony/phpunit-bridge": "^3.0", // v3.3.0
"hautelook/alice-bundle": "^1.3", // v1.4.1
"doctrine/data-fixtures": "^1.2" // v1.2.2
}
}
2 Comments
Hi ! I don't know if this was already possible at the time you did the tutorial, but I changed the way of "checking" an event based on the documentation: https://stripe.com/docs/webhooks/signatures
I adapted this for Symfony, while keeping some of what we did in the training, which would look something like this:
There you go, I don't know if it's more secure, less secure, or if it's the same thing. But I hope it can help more than one person!
Hey Kiuega!
This is awesome - thanks for sharing! Indeed, because they put a timestamp in their signature, this prevents replay attacks also (unless they attacker is able to intercept the webhook and use it within 5 minutes... but that doesn't leave an attacker much room to do this :) ).
You've also kept the StripeEventLog, which I like. Even if you've mitigated reply attacks, you still want to make sure that you don't handle a webhook multiple times. This can happen (in the wild) if, for some reason, Stripe sends you a webhook, you handle it, but you fail to respond successfully (so Stripe tries the webhook again later).
Cheers!
"Houston: no signs of life"
Start the conversation!