DEV Community: PRADEEP KUMAR

WebHook integration with Stripe Payment Intents

PRADEEP KUMAR — Fri, 25 Feb 2022 19:42:10 +0000

WebHook integration with Stripe Payment Intents

You may have heard about Webhooks when integrating payment providers Stripe, Razorpay, Dwolla, etc in your application. I was working on one of the rails applications and had to integrate Stripe payment in that. So I read about webhook, what it does and integrated with my application.

In this blog, I am going to cover the following things:

What is a webhook?
Webhook integration with Stripe payment intent.

1. What is a WebHook?

A WebHook is an HTTP callback: an HTTP POST that occurs when something happens. With all APIs, there’s a request followed by a response. Even for webhook, the request is made by the payment provider. just the difference is here request is initiated by another server instead of a client-side browser.

2. WebHook integration with Stripe Payment Intent

To use a webhook, you’ll have to register a URL with the Payment Gateway. This URL is a place within your application that will accept the data and process it. Whenever any change to your payment application happens eg: a customer creating a transfer, adding a new bank account, withdrawing funds, etc., the Payment provider will notify your application server using this webhook endpoint present in your server. It is generally a good practice to record all requests sent to this endpoint by the payment provider and process only the topics that are of application’s interests such as you may only have to process a topic customer_bank_transfer_completed or customer_bank_transfer_failed to mark your payment record with complete / failed.

In my case, I was using the Stripe payment Intent API and integrated the webhook for it.
Here are the following steps.

Create a model called Webhook and add attributes based on your requirements (like event, event_type).
Create a controller called webhook_controllers.rb
Write an action called create.
Add route in config/routes.rb file

resources :webhooks, only :create

The migration will look like:

class CreateWebhooks < ActiveRecord::Migration[6.0]
  def change
    create_table :webhooks do |t|
      t.json :event
      t.string :event_type
      t.timestamps
    end
  end
end

Paste the following code inside webhook_controllers.rb

  def create
      payload = request.body.read
      begin
        event = Stripe::Webhook.construct_event(
          payload, signature_header, endpoint_secret
        )
      rescue JSON::ParserError => e
        # Invalid payload
        render json: {success: false, message: "Invalid payload"}, status: 400 and return
      rescue Stripe::SignatureVerificationError => e
        # Invalid signature
        render json: {success: false, message: "Invalid signature"}, status: 400 and return
      end

json_data = JSON.parse(event.to_json)
      stripe_webhook = Webhook.create!(event: json_data, event_type: json_data["type"])
      render json: {success: true, message: "successfully stored"}, status: :ok
  end

  private

  def signature_header
     request.env['HTTP_STRIPE_SIGNATURE']
  end

  def endpoint_secret
     Rails.application.credentials.stripe.dig(:webhook_endpoint_secret)
  end

You will find endpoint_secret in the stripe dashboard. First, log in to the dashboard, click on test mode then go to Developers -> Webhooks -> signing secret as shown in the image. Click to reveal.

Add your endpoint to the stripe dashboard. suppose your URL is https://mydomain.com/webhooks and select the event that you want to receive data for. You can see in the below image.

After setting up everything, you can send a test webhook and test your endpoint whether it is working perfectly or not.

Conclusion

And that’s it! Did this work for you? Please leave any questions and comments below!

Thank you for reading!

If you found this article helpful then hit the ❤️ ❤️

References:-

stripe payment intent docs.

stripe webhook

stripe payment intent webhook.

types of event in stripe API

How to buy SSL Certificate and Install on Server using Nginx on Ubuntu 14.04.

PRADEEP KUMAR — Sat, 07 Aug 2021 07:10:45 +0000

How to buy SSL Certificate and Install on Server using Nginx on Ubuntu 14.04.

When I was developing a Rails Application and deploying on DigitalOcean server, had to install SSL Certificate but I had no prior knowledge how to buy SSL and install on the server but after lots of research finally, I successfully added SSL on my server.

This guide will describe to you:

i. What are the steps you have to follow to buy SSL from the domain provider.
ii. Install SSL certificate on the server.

i. To buy SSL from the domain provider first you will have to generate Certificate Signing Request (CSR).

I am going to generate CSR using OpenSSL.

Steps to Proceed with:-

Log in to your server via terminal using ssh.

$ ssh XYZ@xx.xx.xx.xxx
1. It would be better to first create the directory inside /etc and switch into this.

suppose my working directory is “/etc/ssl/ssl-certs”.

$ cd /etc/ssl/ssl-certs

Then type the below command on the terminal and press enter.

$ openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

Note: Make sure to replace mydomain with the name of your domain like mydomain.com

You will be prompted to answer a series of questions, explained below.

Country Name — This is the two-letter abbreviation for your country. For example, the United States would be the US and Great Britain would be GB.
State or Province Name — This is the full name of the state your organization operates from. For example, this might be “California” or “Michigan”.
Locality Name — Name of the city your organization operates from. Examples might include “Lansing” or “Phoenix”. Don’t use abbreviations in this field. For example, “St. Helena” should be “Saint Helena”
Organization Name — The name of your organization. must use your legal name.
Organizational Unit Name — If applying as a business, you can enter your “Doing Business As” (DBA) name here. Alternately, you can use a department name here. For example, “IT Department” or “Web Administration”.
Common Name — The domain name that you are purchasing an SSL certificate for. This must be a fully qualified domain name (FQDN). An example might be mydomain.com.

Note:- If you are applying for a special wildcard SSL certificate, you will need to enter an asterisk for the subdomain. An example in that case might be **.mydomain.com*. Never include the “http://”, “https://”, or any other special characters in this field. Never include text after the top level domain at the end. For example, your common name should end in .com, .net, (or whatever other extension you are applying for.)

Email Address — An email address that can be used as a point of contact for your domain. Be sure the address is valid!
A challenge password — An optional password to further secure your certificate. Be sure to remember this password if you choose to use it. It must be at least 4 characters long. You can skip this step if you like.
*An optional company name *— Another optional step. Fill in your company name if you wish. This is not required for web SSL certificates.

Yeah, Your CSR file has been generated!

To find your CSR type the following command in the current working directory.

my current working directory is “/etc/ssl/ssl-certs”

$ ls

then you will get two new files ending with “.csr” and “.key” respectively.

The .key file should be kept private on your server. The .csr file is your certificate signing request and can be sent to a Certificate Authority(like GoDaddy).

Now to open the mydomain.com.csr file type the below command.

$ cat *mydomain.com.csr*

and you will get below CSR generated.

You will need to copy and paste the entire contents of the CSR file to your Certificate Authority when ordering an SSL certificate.

Note: Be sure that you include the lines that read “BEGIN CERTIFICATE REQUEST” and “END CERTIFICATE REQUEST”.

if you want to decode this you can visit this link.

Download Certificate:

After verifying to GoDaddy that you control the domain, check your email (the one that you registered with GoDaddy with) for a message that says that your SSL certificate has been issued. Open it, and follow the download certificate link (or click the Launch button next to your SSL certificate in the GoDaddy control panel).

Now click the Download button.

Select the server software that you are using from the Server type dropdown menu–if you are using Apache HTTP or Nginx, select “Nginx”–then click the Download Zip File button.

Extract the ZIP archive. It should contain two .crt files; your SSL certificate (which should have a random name like 146b99449cc43104.crt) and the GoDaddy intermediate certificate bundle (gd_bundle-g2–1.crt). Copy both two your web server.

So now my current working directory(“/etc/ssl/ssl-certs”) has four files listed below.

***146b99449cc43104.crt *gd_bundle-g2–1.crt mydomain.com.csr mydomain.com.key**

The certificate is now ready to be installed on your web server. This involves adding a few SSL-related lines to your web server software configuration.
note: If you have a firewall enabled, be sure that it allows port 443 (HTTPS)

Here I will do Nginx configurations on Ubuntu 14.04.

ii. Install Certificate on Server

you must create a single “chained” certificate file using these two files **146b99449cc43104.crt *and** gd_bundle-g2–1.crt*

$ cat 146b99459cc43104.crt gd_bundle-g2–1.crt > mydomain.chained.crt

Now go to your Nginx server block configuration directory. Assuming that is located at /etc/nginx/sites-enabled, use this command to change to it:

$ cd /etc/nginx/sites-enabled

Assuming want to add SSL to your default server block file, open the file for editing:

$ sudo vi default

Find and modify the listen directive, and modify it so it looks like this:

listen 443 ssl;

Then find the server_name directive, and make sure that its value matches the common name of your certificate. Also, add the ssl_certificate and ssl_certificate_key directives to specify the paths of your certificate and private key files

server_name mydomain.com;
ssl_certificate /etc/ssl/*ssl-certs*/mydomain.com.chained.crt;
ssl_certificate_key /etc/ssl/*ssl-certs*/mydomain.com.key;

To allow only the most secure SSL protocols and ciphers, add the following lines to the file:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
add_header Strict-Transport-Security max-age=63072000;

If you want HTTP traffic to redirect to HTTPS, you can add this additional server block at the top of the file.

server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

Then save and quit.

Now restart Nginx to load the new configuration and enable TLS/SSL over HTTPS!

$ sudo service nginx restart

Test it out by accessing your site via HTTPS, e.g. https://mydomain.com.

while restarting the server if you are getting fail then see the log using the following command in terminal and fix it.

$ nginx -t

OK, now We have nice green lock icon showing up in the web browser, but it turns out it was not enough. As I Checked with the SSL Server Test, some SSL ciphers like RC4 are vulnerable, and SSL 3 is broken (my initial test score was B-…).

To fix this I changed the *ssl_ciphers *like:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';/etc/ssl/ssl-certs

My next vulnerability according to the test was my weak Diffie-Hellman keys. Diffie-Hellman key exchange is a protocol providing the pretty cool property that, even if some attackers get their hands on your server’s private key, it will be exponentially hard for them to decipher the communication between the server and its clients. However, the default key size in OpenSSL is 1024 bits, which seems breakable with the computing power of a nation-state. So, you let’s generate some better parameters.

First, generate your DH parameters with OpenSSL:

Let's switch into the directory where .crt and .key extended files are present.

$ cd /etc/ssl/*ssl-certs*

Then run the below command to generate DH parameters. this might take a longer time.

$ openssl dhparam -out dhparam.pem 4096

Again open the server configuration file.

$ cd /etc/nginx/sites-enabled
$ sudo vi default

and add the following line.

ssl_dhparam /etc/ssl/*ssl-certs*/dhparam.pem;

Now save the editor and restart the server.

$ sudo service nginx restart

Yeah! SSL successfully install on your server and test it out by accessing your site.*
Now you check with SSL Server Test.*

References:-

For Apache server go to DigitalOcean documentation
Improve SSL configuration

I hope, it was helpful to you. If you liked this article you are invited to leave some claps.