
I have three sites set up. My local development (dev) environment, a test/qa site for broader validation of changes, and then production (prod).

For dev, the development environment is CodeIgniter 4 running on a MacBook Pro and MAMP Pro. Testing Stripe here, I am using the Stripe command line and using the 'listen --forward-to' options to forward webhooks. This works just fine.

For prod, the environment is CodeIgniter 4 on Linux running the LAMP stack on a cloud-based virtual server. I haven't moved the Stripe code to prod yet because it isn't fully tested/validated. But I suspect it will be just fine as everything there is visible and available to all web traffic. The issue is with test....

For test, the environment is CodeIgniter 4 on Linux running the LAMP stack on a cloud-based virtual server. To keep prying eyes (and bots) out of the test server while we validate, I have htaccess passwords set up in the root directory the test site resides at.

In Stripe I set up a webhook to the test server URL where the webhook code will be triggered. When I attempt to send a test webhook event from the Stripe Developer Dashboard, I am getting an error 401 returned for all events. Is the htaccess authentication preventing the webhook from being seen?

If so... what are my options?

  • Install Stripe Cmd Line on the test server and set it up to "listen --forward-to" to the correct URL?
    • If so, is there a way to set this up as a background process so it is always running? This test server should have the same uptime expectations as our prod server for validation purposes.
  • OR, is there a way to set up authentication of the webhook?
  • Others?

Any guidance is appreciated.

Opie
  • Have a look at this https://httpstatuses.com/401. – Grumpy Jul 04 '21 at 19:31
  • @Grumpy -- Yes...I know what a status 401 is. The gist of my question is whether the htaccess is what is causing the 401....and if so, what is the correct method to work around it. By setting up another persistent listen process or whether the authentication can be set via Stripe. – Opie Jul 04 '21 at 19:58
  • _“Is the htaccess authentication preventing the webhook from being seen?”_ - well “seen” is a weird way of phrasing it, but yes, of course it will answer the request with 401 Forbidden, if no valid credentials were passed. _“is there a way to setup authentication of the webhook?”_ - check with stripe, whether they provide any way to supply HTTP auth credentials, in the place where you configure your webhook settings. If they don’t - then you will have to create an exception for this specific URL on your end, so that it is reachable _without_ credentials. – CBroe Jul 05 '21 at 08:27

1 Answer

As @CBroe mentioned in a comment above, yes, the Basic Authentication is what was causing the 401 error from Stripe with all of the webhook calls to my test/validation environment.

I did some testing as to whether I could install and set up the stripe command line on the test URL to listen for webhooks and redirect them. For better or worse, my test and prod URLs are both on the same server which complicates things.

When I set up the stripe command line to listen for webhook calls and redirect them, it did so for ALL webhook calls. Including the ones that came in for the prod environment as well. Because of that, this method wasn't going to work for me.

Additionally, I scoured through the Stripe documentation and there doesn't appear to be any way or method to allow/attach http(s) basic authentication credentials to a webhook call. Although, I think this would be a fantastic feature. I've sent Stripe a feature request....but I doubt it'll be implemented or that I'll ever hear back from them.

My last option was to see if there was a way to remove the http authentication from just one URL. I wish I would've followed this path to begin with. This ended up being the key...

This question/answer is what eventually led me down the right path to find something that worked. https://stackoverflow.com/a/41092497/9636533

A few things had to happen to allow this to work... First, I had to change AllowOverride to be "All" in apache2.conf for the root web path.

    <Directory /var/www/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
    </Directory>

Then I needed to remove (or comment out) the Auth statements in the .htaccess file for the URL/Virtualhost that I was working with. This will be moved to the virtualhost conf file.

    #AuthType Basic
    #AuthName "Restricted Content"
    #AuthUserFile /etc/passwordfile
    #Require valid-user

Lastly, I had to edit the Virtual Host conf file to add back in the auth details for the site as well as the exception for the webhook endpoint. You need to be sure that the webhook endpoint URI matches exactly to what you entered in the Stripe Dashboard. Below is what my Directory section looks like.

        <Directory "/var/www/html/virtualhostpath">
                AuthType Basic
                AuthName "Restricted Content"
                AuthUserFile /etc/passwordfile
                Require valid-user

                # If the request goes to Stripe Webhook: bypass basic auth
                SetEnvIf Request_URI ^/stripe/webhookpath noauth=1
                Allow from env=REDIRECT_noauth
                Allow from env=noauth

                Order Deny,Allow
                Satisfy any
                Deny from all
        </Directory>

I hope this helps someone... I spent more hours than I'd like to admit trying all of the other options before I got to this one.

Opie
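An Apache 2.4 form of the same exception, added here as an example and not the answer author's configuration: it replaces the 2.2-style `Order`/`Allow`/`Deny`/`Satisfy` directives, which 2.4 only honours through mod_access_compat, with a `RequireAny` block, and anchors the URI pattern so that only the exact endpoint is exempt. The directory path, password file and `/stripe/webhookpath` are the placeholders used in the answer above.

```apache
<Directory "/var/www/html/virtualhostpath">
    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/passwordfile

    # Flag requests for the webhook endpoint only. The trailing "$" matters:
    # the unanchored pattern ^/stripe/webhookpath also matches any longer URI
    # that merely starts with that prefix, and all of those would skip auth.
    # Request_URI excludes the query string, so "$" does not break ?params.
    SetEnvIf Request_URI "^/stripe/webhookpath/?$" noauth=1

    # Access is granted if ANY of these is true.
    <RequireAny>
        # Direct hit on the webhook endpoint.
        Require env noauth
        # Same request after an internal rewrite (such as a front-controller
        # rewrite to index.php): Apache carries the variable over with a
        # REDIRECT_ prefix, which is why the original config tests both names.
        Require env REDIRECT_noauth
        # Everything else still needs Basic auth credentials.
        Require valid-user
    </RequireAny>

    # The endpoint is now reachable without credentials, so the handler
    # behind it has to authenticate the request itself, i.e. verify the
    # Stripe-Signature header against the endpoint's signing secret.
</Directory>
```

Run `apachectl configtest` before reloading, then confirm that an unauthenticated request to any other path on the site still returns 401.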