
shadrix
Level 12

CSRF Protection in Stripe Connect with Laravel

Hey!

Currently I'm working on Stripe Connect. In one phrase they mentioned this:

  To prevent CSRF attacks, add the state parameter, passing along a unique token as the value. We’ll include the state you gave us when we redirect the user back to your site.

You can find this here https://stripe.com/docs/connect/standard-accounts#integrating-oauth

So I'm curious, how can I use the CSRF Protection? From Laravel I get the current Token, but when Stripe is redirecting back to my site I have another CSRF. So how would you use it?

Thank you!

0 likes
5 replies
shadrix
Level 12

@bryanmonzon Sorry, I think you didn't understand me correctly. I know how to exclude CSRF, but I want to check CSRF when Stripe redirects me back to my page with test.com?state={myoldcsrf}

Cronix

You'd probably have to use something other than Laravel's CSRF for that, such as generating a unique token on your own, passing it to Stripe, and then manually checking to see if the token they passed back matches yours.

Since Laravel's CSRF runs automatically, you can't tell it to "use this token from a query string parameter in the URL". Laravel's CSRF checks the CSRF cookie sent in the request, called "XSRF-TOKEN". Stripe won't be sending cookies back, so it won't work with Laravel's native CSRF mechanism.

Cronix
Best Answer
Level 67

I think you could actually use the csrf token manually, but you'd need to

  1. exclude that Stripe callback route from CSRF
  2. pass the CSRF token to Stripe
  3. in the callback URL that Stripe posts back to (which is excluded from CSRF in #1), get the token.
  4. manually compare if the token they passed back in the query string matches the value of csrf_token().

It's basically what I said in my previous post, except using Laravel's token instead of manually generating a unique token.

bryanmonzon

Ah, I did misunderstand. Apologies. What Cronix said is exactly what we did for Stripe's OAuth. Since the user was already created, we stored a random string on the users table before sending them to Stripe. Then we checked against the users table in a middleware on the redirect back to our app.
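The flow that Cronix's four steps and bryanmonzon's reply both describe, written out as an added Laravel example (this is not code from the thread, from Laravel or from Stripe). It follows bryanmonzon's variant: a random per-user `state` token stored on the users table before the redirect, then compared on the callback; swapping `Str::random(40)` for `csrf_token()` gives Cronix's variant. The controller name, the `stripe_oauth_state` column, the `services.stripe.client_id` config key, the route paths and the `stripe.connected` view are all assumptions; the authorize URL and its query parameters are taken from the Stripe Connect docs linked in the question.

```php
<?php
// Added example, not from the original thread. Assumptions: a nullable
// `stripe_oauth_state` column on the users table, a config key
// `services.stripe.client_id`, and both routes sitting behind the `auth`
// middleware so that $request->user() is never null.
//
// The callback route must be excluded from Laravel's CSRF middleware
// (Cronix's step 1), because Stripe never sends the XSRF-TOKEN cookie back.
// In App\Http\Middleware\VerifyCsrfToken:
//
//     protected $except = ['stripe/callback'];

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;

class StripeConnectController extends Controller
{
    // Step 2: mint a fresh random token, persist it against the logged-in
    // user and send it to Stripe as the `state` query parameter.
    public function redirectToStripe(Request $request)
    {
        $state = Str::random(40);

        $request->user()->forceFill(['stripe_oauth_state' => $state])->save();

        $query = http_build_query([
            'response_type' => 'code',
            'client_id'     => config('services.stripe.client_id'), // assumed config key
            'scope'         => 'read_write',
            'state'         => $state,
        ]);

        return redirect('https://connect.stripe.com/oauth/authorize?' . $query);
    }

    // Steps 3 and 4: Stripe redirects the browser back to
    // /stripe/callback?code=...&state=... (or ?error=...&state=...).
    public function handleCallback(Request $request)
    {
        $user     = $request->user();
        $expected = (string) $user->stripe_oauth_state;
        $received = (string) $request->query('state', '');

        // Consume the stored token before checking it, so a replayed
        // callback URL cannot pass the comparison a second time.
        $user->forceFill(['stripe_oauth_state' => null])->save();

        // Reject when no token was ever issued, and compare in constant time.
        if ($expected === '' || !hash_equals($expected, $received)) {
            abort(403, 'Invalid OAuth state parameter');
        }

        // Stripe reports a declined or failed authorization via ?error=...
        if ($request->has('error')) {
            abort(400, 'Stripe authorization failed: ' . $request->query('error'));
        }

        // State verified. $request->query('code') can now be exchanged with
        // Stripe for the connected account's credentials (exchange not shown).
        return view('stripe.connected'); // assumed view name
    }
}
```

The token is cleared before `hash_equals()` runs so that every issued `state` is single-use whether the check passes or fails, and `hash_equals()` is used instead of `==` so the comparison does not leak timing information about the stored value.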
