Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Exclude webhook routes from CSRF protection #875

Merged
merged 2 commits into from
May 27, 2023
Merged

Exclude webhook routes from CSRF protection #875

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29f0c5f
Ensure gateway webhooks are excluded from CSRF protection
duncanmcclean May 27, 2023
f560746
Remove notes about CSRF rules from docs
duncanmcclean May 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 0 additions & 8 deletions docs/payment-gateways/custom-gateways.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,14 +106,6 @@ When anything changes payment-wise on the order, the off-site gateway will send

Webhook URLs look a little something like this: `/!/simple-commerce/gateways/YOUR_GATEWAY_NAME/webhook`

And for each webhook, you'll need to add an exception to the CSRF middleware, found in `app/Http/Middleware/VerifyCsrfToken.php`.

```php
protected $except = [
'/!/simple-commerce/gateways/mollie/webhook',
];
```

:::note Note!
When you're going through the payment flow in your development environment, you will need to use something like Expose or Ngrok to proxy request to your local server. Otherwise, Mollie wouldn't be able to hit the webhook. You will also need to update the `APP_URL` in your `.env`.
:::
Expand Down
8 changes: 0 additions & 8 deletions docs/payment-gateways/mollie.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,14 +44,6 @@ However, bear in mind that where-ever you use that tag, the customer will be red

The Mollie gateway has a webhook which is hit by Mollie whenever a payment is made.

Simple Commerce will configure the webhook on Mollie's end. However, you'll need to add the webhook URL to your list of CSRF exceptions, found in `app/Http/Middleware/VerifyCsrfToken.php`.

```php
protected $except = [
'/!/simple-commerce/gateways/mollie/webhook',
];
```

:::note Note!
When you're going through the payment flow in your development environment, you will need to use something like Expose or Ngrok to proxy request to your local server. Otherwise, Mollie wouldn't be able to hit the webhook. You will also need to update the `APP_URL` in your `.env`.
:::
Expand Down
8 changes: 0 additions & 8 deletions docs/payment-gateways/paypal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,14 +104,6 @@ Unfortunatley, PayPal offers no way for Simple Commerce to configure the webhook
4. The Webhook URL should be: `https://example.com/!/simple-commerce/gateways/paypal/webhook`
5. Under 'Event types', you should select 'All events'. You can then save the webhook.

You will also need to add the webhook's URL to your list of CSRF exceptions, which can be found in `app/Http/Middleware/VerifyCsrfToken.php`.

```php
protected $except = [
'/!/simple-commerce/gateways/paypal/webhook',
];
```

:::note Note!
When you're going through the payment flow in your development environment, you will need to use something like Expose or Ngrok to proxy request to your local server. Otherwise, Mollie wouldn't be able to hit the webhook. You will also need to update the `APP_URL` in your `.env`.
:::
Expand Down
8 changes: 0 additions & 8 deletions docs/payment-gateways/stripe.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,14 +151,6 @@ You'll need to configure the webhook in the Stripe Dashboard:
- `payment_intent.failed`
- `charge.refunded`

You will also need to add the webhook's URL to your list of CSRF exceptions, which can be found in `app/Http/Middleware/VerifyCsrfToken.php`.

```php
protected $except = [
'/!/simple-commerce/gateways/stripe/webhook',
];
```

:::note Note!
When you're going through the payment flow in your development environment, you will need to use something like Expose or Ngrok to proxy request to your local server. Otherwise, Stripe wouldn't be able to hit the webhook. You will also need to update the `APP_URL` in your `.env`.
:::
Expand Down
6 changes: 5 additions & 1 deletion routes/actions.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
use DoubleThreeDigital\SimpleCommerce\Http\Controllers\GatewayCallbackController;
use DoubleThreeDigital\SimpleCommerce\Http\Controllers\GatewayWebhookController;
use DoubleThreeDigital\SimpleCommerce\Http\Middleware\EnsureFormParametersArriveIntact;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
use Illuminate\Support\Facades\Route;

Route::namespace('\DoubleThreeDigital\SimpleCommerce\Http\Controllers\Actions')->name('simple-commerce.')->group(function () {
Expand All @@ -31,5 +32,8 @@
});

Route::get('/gateways/{gateway}/callback', [GatewayCallbackController::class, 'index'])->name('gateways.callback');
Route::post('/gateways/{gateway}/webhook', [GatewayWebhookController::class, 'index'])->name('gateways.webhook');

Route::post('/gateways/{gateway}/webhook', [GatewayWebhookController::class, 'index'])
->name('gateways.webhook')
->withoutMiddleware([VerifyCsrfToken::class]);
});