Allowing external domain to post data to auth route
Hey everyone,
I was integrating a payment gateway in a Laravel application where an authenticated user tries to make the payment. The user is redirected to the payment gateway website and then the response is sent as a POST request back to the application. Since the authenticated user was making the payment, it is important to continue his session and complete the payment. The problem is that he is getting logged out when receiving the response on that auth route.
Here are a few important points:
I had to disable VerifyCSRFToken for this route to accept POST data from the external payment gateway domain.
The POST request URL has the "auth" middleware, which is causing the user to be redirected to the login page.
I checked the same with a fresh Laravel application with the Breeze setup and found that when any external application sends POST data to any auth route, it is sent back to the login page.
What could be done here to keep the user authenticated while completing his payment?
@vinaykesharwani Webhooks have no idea who the authenticated user is. They're just POST requests made by a third-party service to your server.
You should instead be using the payload from the webhook event itself to create any database records in your application and fulfil any orders. There is no concept of an “authenticated user” here.
Most payment processors expect you to send some sort of identifier when creating a payment for this very reason. Stripe lets you specify a client_reference_id. PayPal will have a similar field. So you’d need to create some form of unpaid order on your website before redirecting. Pass the order reference to the payment when creating it, and then the reference will be sent in the webhook for you to look up the corresponding record in your database.
@VinayKesharwani Yeah, the webhook handler shouldn’t have auth middleware because the request is coming from a third party, and not the user, so the request won’t have a cookie or anything to authenticate the user.
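The pattern both replies describe (create an unpaid order while the user is still authenticated, hand its reference to the gateway, then fulfil from the webhook payload alone on a route with no auth middleware), written out as an added example. This is not code from the thread, from Laravel or from Stripe. It assumes an `orders` table with `user_id`, `reference` (unique string), `amount` and `status` columns, an `Order` Eloquent model, the `stripe/stripe-php` package, and `services.stripe.secret` / `services.stripe.webhook_secret` config keys; the amount and the `/orders/{reference}` URL are constructed sample values.

```php
<?php
// app/Http/Controllers/CheckoutController.php  (added example, assumptions noted above)
//
// Route registration assumed in routes/web.php:
//   Route::post('/checkout', [CheckoutController::class, 'start'])->middleware('auth');
//   Route::post('/webhooks/stripe', [CheckoutController::class, 'webhook']);   // no "auth"
//
// CSRF exclusion assumed in app/Http/Middleware/VerifyCsrfToken.php, limited to the
// webhook path rather than the whole application:
//   protected $except = ['webhooks/stripe'];

namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Stripe\Checkout\Session as StripeSession;
use Stripe\Exception\SignatureVerificationException;
use Stripe\Stripe;
use Stripe\Webhook;

class CheckoutController extends Controller
{
    // Step 1 (user-facing, under "auth"): we still know who the user is here,
    // so this is where the order and its lookup reference are created.
    public function start(Request $request)
    {
        $order = Order::create([
            'user_id'   => $request->user()->id,
            'reference' => (string) Str::uuid(),   // opaque, unguessable lookup key
            'amount'    => 1999,                   // constructed sample: 19.99 in minor units
            'status'    => 'pending',
        ]);

        Stripe::setApiKey(config('services.stripe.secret'));   // assumed config key
        $session = StripeSession::create([
            'mode'                => 'payment',
            'client_reference_id' => $order->reference,       // echoed back in the webhook
            'line_items'          => [[
                'price_data' => [
                    'currency'     => 'usd',
                    'unit_amount'  => $order->amount,
                    'product_data' => ['name' => 'Order ' . $order->reference],
                ],
                'quantity' => 1,
            ]],
            'success_url' => url('/orders/' . $order->reference),   // assumed URL
            'cancel_url'  => url('/orders/' . $order->reference),
        ]);

        return redirect($session->url);
    }

    // Step 2 (gateway-facing, no "auth"): there is no session cookie on this
    // request, so the order is found through the reference in the payload.
    public function webhook(Request $request)
    {
        try {
            // Verify the gateway's signature before trusting anything in the body.
            $event = Webhook::constructEvent(
                $request->getContent(),
                $request->header('Stripe-Signature', ''),
                config('services.stripe.webhook_secret')   // assumed config key
            );
        } catch (SignatureVerificationException $e) {
            Log::warning('Stripe webhook with invalid signature', ['ip' => $request->ip()]);
            return response('Invalid signature', 400);
        }

        if ($event->type === 'checkout.session.completed') {
            $reference = $event->data->object->client_reference_id;
            $order = Order::where('reference', $reference)->first();

            if ($order === null) {
                Log::warning('Webhook for unknown order reference', ['reference' => $reference]);
            } elseif ($order->status !== 'paid') {
                // Gateways retry webhooks; only the first delivery changes state.
                $order->update(['status' => 'paid']);
            }
        }

        // Always acknowledge a well-formed, correctly signed event.
        return response('OK', 200);
    }
}
```

The two routes deliberately have different middleware: `/checkout` keeps `auth` because it is the browser, with its session cookie, that calls it; `/webhooks/stripe` drops both `auth` and CSRF because the caller is the gateway, and the signature check takes over the job of deciding whether the request may be trusted. When the user's browser later lands on the success URL, that request is a normal GET from the browser and still carries the session, so the user is not logged out at any point.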