
419 Error When Testing Stripe Webhook

Solved
produkt

Feb 26th, 2025 09:43 PM

I'm trying to test my Stripe webhook and I'm seeing the events appear in the console but each one fails with a 419 error. I am running stripe listen --forward-to https://wave.test/webhook/stripe and I have checked my secret keys and everything. Any ideas?

bobbyiliev

Feb 26th, 2025 11:29 PM

Hi there,

The secret keys should remain the same, but the signing secret (STRIPE_WEBHOOK_SECRET) would be a new one, which you will have to add to your .env file and then clear your config:

php artisan optimize:clear

Also, does your APP_URL match https://wave.test?

produkt

Feb 27th, 2025 05:14 AM

Hi yes, I meant that I am changing the STRIPE WEBHOOK SECRET to what is returned in the terminal upon starting. I then tried running the optimize:clear command afterwards and I am getting the same result. I am using my actual test domain in my real setup, not wave.test. The responses seem to be hitting the webhook script, but the 419 error indicates maybe a CSRF or page expired type of response. I'm not sure how that's happening. Is there anything else I should check?

bobbyiliev

Feb 27th, 2025 05:22 AM

Hey!

The /webhook/stripe route is already excluded from the CSRF protection:

app/Http/Middleware/VerifyCsrfToken.php#L16

Have you by any chance made any changes to that file?

Also the APP URL needs to match the domain that you've used to start the stripe listen --forward-to command, otherwise a redirect might occur which could also cause that error.

produkt

Feb 27th, 2025 05:50 AM

I have not made any changes to the file and the APP URL and the listen to URL domains match.

produkt

Feb 27th, 2025 06:21 AM

Alright, I once again isolated the problem to the bootstrap/app.php config file I had made changes to in order to include a health check endpoint. I guess the Exceptions in the middleware isn't registering with the changes I made. Here is my 'updated' file (this code below breaks the Stripe CSRF exclusion middleware):

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        channels: __DIR__.'/../routes/channels.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->statefulApi();
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();

It seems that the current version of this file is an outdated method. Is there a chance we can modernize this file and get an updated version that has the health endpoint but also still works with Wave?

bobbyiliev

Feb 27th, 2025 06:24 AM

Best Answer

Oh, you might need to exclude the route in the bootstrap/app.php file as I remember that you added a custom one in one of our previous discussions.

Follow the steps here:

https://laravel.com/docs/11.x/csrf#csrf-excluding-uris

->withMiddleware(function (Middleware $middleware) {
    $middleware->validateCsrfTokens(except: [
        'webhook/*',
        'http://example.com/foo/bar',
        'http://example.com/foo/*',
    ]);
})

produkt

Feb 27th, 2025 06:38 AM

Okay, great. Thanks, and it would be webhook/*, just FYI, not stripe/*, just in case anyone else needs this.

bobbyiliev

Feb 27th, 2025 10:59 AM

Awesome! Happy to hear that it worked!
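
The fix from this thread as one file, as an added example that is not part of the original posts and not Wave's shipped bootstrap/app.php: the asker's Laravel 11 style configuration with the health endpoint, plus the CSRF exception from the accepted answer reduced to the one pattern the asker confirmed. It assumes the webhook handler authenticates each request itself with the Stripe signing secret (STRIPE_WEBHOOK_SECRET), since an excepted path no longer gets a CSRF check.

```php
<?php

// Added example (not Wave's own file): bootstrap/app.php combining the
// health endpoint from the question with the CSRF exception from the answer.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        channels: __DIR__.'/../routes/channels.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        $middleware->statefulApi();

        // Stripe's POST carries no session cookie and no CSRF token, so a
        // route in the web group answers 419 unless its path is excepted.
        // In the thread, the exception that existed in
        // app/Http/Middleware/VerifyCsrfToken.php stopped applying once this
        // file was rewritten, so it has to be declared here.
        //
        // Keep the list as narrow as the application allows: every excepted
        // URI loses CSRF protection. Assumption: the handler behind
        // webhook/* verifies the Stripe signature using STRIPE_WEBHOOK_SECRET
        // and rejects requests that fail that check.
        $middleware->validateCsrfTokens(except: [
            'webhook/*',
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })->create();
```

After changing the file, run php artisan optimize:clear as mentioned earlier in the thread so a cached configuration does not mask the change.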