• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
.htaccess application folder - 403 forbidden access

#1
Hello ! 

I currently develop a website with CodeIgniter. I use the localhost. 
I'm facing to a problem with the .htaccess file from application directory. 

I develop the Stripe API (payment method) on my website. The Stripe API propose a Webhook system. Webhook give the possibility to inform the website when event occurs. For example when a payment was succeeded, Stripe send a Webhook to execute a php script on my server. 


As I work with localhost, I use the tool Ultrahook who allow me to receive Webhook from Stripe on localhost. So I would like to execute a PHP script on my application/controllers/ folder when I receive a Webhook from Stripe. 

When I try do it, I always receive a 403 error forbidden access for the application folder. So I have try to modify the .htaccess from application folder but without positive result. My initial .htaccess from application folder look like this : 


Code:
<IfModule authz_core_module>
   Require all denied
</IfModule>
<IfModule !authz_core_module>
   Deny from all
</IfModule>



Stripe documentation give me some IP address for Webhooks. 

The full list of IP addresses that webhook notifications may come from is:
  • 54.187.174.169
  • 54.187.205.235
  • 54.187.216.72
  • 54.241.31.99
  • 54.241.31.102
  • 54.241.34.107
IP address use by Stripe


So I have try to allow them in .htaccess with the following code but without success. 


Code:
Require ip xx.xxx.xxx.xxx  yy.yyy.yyy.yyy ...


Do you have any idea how to configure the .htaccess in application folder to give access to Stripe to the files in the controllers folder ?
 
Thanks ! 

Samuel
Reply

#2
If you look at the .htaccess file in the application folders you will see why you get the error.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply

#3
That .htaccess is there to prevent direct browser access to the files. This prevents a bad operator from doing something like

Code:
https://example.com/application/controllers/delete_everything.php

It's a giant security flaw to allow browser access to application folders/files.

I think you will have to show us how you are implementing Stripe before solid advice can be offered.

That said, most likely what you need is for webhooks to call a controller/method which loads libraries that utilize the stripe api.
Reply

#4
Thanks insiteFX & dave friend for your answers. 


This is how I would like to implement Stripe solution : 

When a payment occurs, my website exchange with Stripe. When Stripe says payment is successfull, they use Webhook to tell my website that the payment is OK and the Webhook execute the PHP script (in the application/controllers folder) to push all the informations in the database. 

In the last step of payment implementation with Stripe the datasheet said : 

Step 5: Asynchronously fulfill the customer’s order

You can use the PaymentIntent returned by Stripe.js to provide immediate feedback to your customers when the payment completes on the client. However, your integration should not attempt to handle order fulfillment on the client side because it is possible for customers to leave the page after payment is complete but before the fulfillment process initiates. Instead, you will need to handle asynchronous events in order to be notified and drive fulfillment when the payment succeeds.

You can find this datasheet here Stripe Payment Datasheet


Today I have tested this code for the file .htaccess in the application folder 

Code:
<IfModule authz_core_module>
   Require all denied
</IfModule>
<IfModule !authz_core_module>
   Deny from all
</IfModule>
<RequireAll>
   Require all granted
</RequireAll>

It work fine with this code but it's not secure. 

I just want to allow the IP address of Stripe Webhook. 


Maybe the tool Ultrahook that I use to connect public endpoint with my private endpoint(localhost) modify the IP address ?  
It can be the reason why Webhook's Stripe addresses doesn't work ? 

Thanks for your help ! 

Samuel
Reply

#5
Nobody have an alternative to fix this issue ?
Nobody have already use Stripe API ?

Thanks,

Samuel
Reply

#6
.htaccess add one of the following:

IPV4:
allow from <your IPv4>

IPV6:
allow from <your IPv6>

Format:
allow from 111.222.333.444
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.