Creating a Stripe Checkout session
Transcript was automatically generated and may be inaccurate.
-
–
If we go to the Cashier docs and to the "Creating Subscription" section, -
–
we can see that the example code it expects a payment method ID to be submitted -
–
in order to create a subscription. -
–
This approach expects you to create a payment UI using Stripe's -
–
Elements UI kit -
–
to capture the customer's payment details and tokenize it and then submit it to -
–
an endpoint in our application. -
–
Luckily, however, there's a much easier way to create subscriptions and capture -
–
payments and that's Stripe Checkout. -
–
Stripe Checkout is a checkout page hosted by Stripe. -
–
We can redirect to a checkout page and then listen for webhooks to be notified -
–
when the checkout is completed and the subscription should be activated. -
–
We'll also get a webhook notifying as if the customer has left the checkout or -
–
the session expires, allowing us to clean up subscriptions with incomplete -
–
payments. -
–
We first need a route that will redirect to Stripe Checkout. -
–
I do like to try and keep things as resourceful as possible in my applications. -
–
So in this instance, we're creating a checkout for a subscription here. -
–
So I'm going to create a "SubscriptionCheckoutController". -
–
Open up the file. -
–
And then I'm going to delete every method except the "create" method. -
–
Rather than showing a form, this method will just redirect to Stripe Checkout. -
–
If you go back to the Cashier docs, there's a section for creating checkouts -
–
for subscriptions. -
–
We can copy this code. -
–
Paste it in our new controller action. -
–
And leave the first parameter, the name, as "default". -
–
But we do need to get our pricing plan ID from Stripe to use as the second -
–
parameter. -
–
If you go back to Stripe dashboard, click "Products". -
–
And then click the name of your product. -
–
You should see a pricing plan underneath the "Pricing" heading. -
–
We want the API ID. Click this button to copy its value. -
–
And then back in our controller, we can paste that here. -
–
We also need to type hint the Request object here. -
–
We only want authenticated users to be able to subscribe. -
–
So let's add the "auth" middleware. -
–
Create a constructor for the controller. -
–
And then add the "auth" middleware. -
–
A user will now be required to log in or sign up before they can subscribe. -
–
Finally, let's create a new route pointing to our controller action. -
–
We should also add a name to our default route. -
–
Call it "home". -
–
That's the name of the route Cashier is expecting when redirecting back from -
–
checkout. -
–
Now, if we've go to /subscribe in the browser, we should be -
–
redirected to a Stripe Checkout. -
–
We should also add a name to our default route. -
–
Call it "home". -
–
That's the name of the route Cashier is expecting when redirecting back from -
–
checkout. -
–
Now, if we've go to /subscribe in the browser, we should be -
–
redirected to a Stripe Checkout. -
–
Before we go ahead and test this checkout, we need a set of webhook listening -
–
otherwise our application won't be updated. -
–
For example, if I were to complete this checkout session now, we won't know -
–
because we haven't told Stripe where to deliver webhooks yet. -
–
The very first thing we need to do is open up the VerifyCsrfToken middleware -
–
Just like the Mux webhook, we need to add an exclusion for Stripe. -
–
Back in your Stripe dashboard, go to "Developers", click the "Webhooks" tab, and -
–
ensure you're in test mode. -
–
If you click the "Test in the local environment" button, it will show you that -
–
you can listen to webhooks in a local environment such as ours. -
–
The first step is to download and install the Stripe CLI. -
–
There are instructions on how to install the CLI for Windows, macOS, and Linux. -
–
Once you've installed the CLI, come back. -
–
With the CLI installed and set up on your computer, you can now run the -
–
following command: -
–
stripe listen --forward-to localhost/stripe/webhook -
–
With this command running we'll now see webhook events coming in from Stripe. -
–
For commands like the above, instead of having to remember them each time, I -
–
like to create small scripts that can be executed when I need them. -
–
If you are a macOS or Linux, create a bin/stripe-webhook.sh file at the !# -
–
header, and then copy and paste this command. -
–
And paste it into the file. -
–
Make the file executable. -
–
Now I can now run ./bin/stripe-webhook.sh whenever I need to test something that -
–
relies on a Stripe webhook. -
–
You'll be able to do something similar on Windows with a .bat file. -
–
Now that we're listening for any sent webhooks, we can resume testing create -
–
in subscriptions. -
–
If I hit the subscribe endpoint again, we should be redirected to Stripe Checkout. -
–
As we're in test mode, we can use a test card number 4242 4242 4242 4242. -
–
We can set a future expiry date, and we can use any three digits for the CVC. -
–
Click "Subscribe". -
–
Once the payment is completed, we're redirected back to our application. -
–
If we look in our database in the "subscriptions" table and refresh, we'll see -
–
that we now have a new subscription with a status of "active". -
–
So users can now subscribe, but there's nothing stopping them from hitting the -
–
subscribe endpoint again and erroneously creating another subscription. -
–
Let's prevent users from doing this, so they don't accidentally create multiple -
–
concurrent subscriptions. -
–
In our SubscriptionCheckoutController, at the top of our "create" method, let's -
–
abort the request if the user is already subscribed. -
–
Now, if we go to the subscribe endpoint, if we're already subscribed, we'll get -
–
an error message saying as much. -
–
Right now, our webhook handler is open. This isn't so much of a problem locally -
–
where we can only receive requests if we create a tunnel and expose our -
–
application to the public internet, -
–
but it's definitely something you want to address when you deploy your -
–
application and make it live. -
–
When installing Cashier, you may remember there was a "STRIPE_WEBHOOK_SECRET" -
–
environment variable that we didn't set. -
–
When Stripe sends webhooks to our application, those requests will also include -
–
a signature that an application can verify using this secret, -
–
but it's up to our application to do the checking. -
–
You may have also noticed that when we use the Stripe CLI to forward webhook -
–
events to our local environment, that it gives us a webhook secret key. -
–
We could have used the value of this webhook secret for our Stripe webhook -
–
secret environment variable. -
–
When you do deploy your application to a live environment, you won't be using -
–
to Stripe CLI to forward it webhooks. -
–
Instead, you'll need to add the URL of your webhook handler in the Stripe -
–
dashboard, since you won't be using localhost, but rather an actual domain name. -
–
You'll also need to make sure you use your live mode publishable key and secret -
–
key for your live application. -
–
When you add your webhook URL, you'll also get a signing secret. This is what -
–
you should use as the value of your "STRIPE_WEBHOOK_SECRET" in your live -
–
environment. -
–
Now we're creating subscriptions, accepting payments via Stripe, but also -
–
learned how to listen to webhooks coming from Stripe in both local and live -
–
environments and how to secure those webhook listeners.