Aws Php Sns Message Validator Laravel Package

aws/aws-php-sns-message-validator

Validates Amazon SNS messages in PHP by verifying signatures and certificates, helping you securely accept notifications, subscriptions, and publishes from AWS SNS. Lightweight helper for authenticating inbound SNS HTTP/HTTPS payloads.


Getting Started

Start by requiring the package via Composer:

composer require aws/aws-php-sns-message-validator

Then, in your Laravel controller or HTTP endpoint handling SNS webhooks, build an Aws\Sns\Message from the raw HTTP request body and pass it to an Aws\Sns\MessageValidator instance. For example:

use Aws\Sns\Message;
use Aws\Sns\MessageValidator;

// Parse the exact raw request body; request()->all() would alter the JSON.
$message = Message::fromJsonString(request()->getContent());
$validator = new MessageValidator();
$validator->validate($message); // throws InvalidSnsMessageException if invalid

The first critical use case is handling subscription confirmation requests: when AWS sends a message of type SubscriptionConfirmation, validate it first, then confirm the subscription by requesting the message's SubscribeURL (or by calling the SNS ConfirmSubscription API), and return a plain OK response. The validator throws Aws\Sns\Exception\InvalidSnsMessageException on failure.

Implementation Patterns

  • Middleware: Create a dedicated middleware (ValidateSnsMessage) that intercepts all SNS-related routes (e.g., /sns-webhook). Validate the payload and abort with 403 if invalid — clean separation and reusability.
  • Job Dispatching: After successful validation in a controller, dispatch a queued job (e.g., ProcessSnsNotification) with the validated payload — deferring business logic while ensuring only authentic messages are enqueued.
  • Testing: Mock MessageValidator in tests using Prophecy or direct mocking, and provide fixtures for real AWS SNS message types (Notification, SubscriptionConfirmation, UnsubscribeConfirmation) to ensure robust coverage.
  • Config-driven Certificates: For production, you may pre-cache the signing certificates served from sns.{region}.amazonaws.com to avoid runtime HTTP fetches; MessageValidator accepts a custom certificate client callable as its first constructor argument, and that callable can serve certificates from a cache.

Gotchas and Tips

  • SigningCertURL validation is strict: Ensure your app can fetch HTTPS certificates from sns.us-east-1.amazonaws.com, sns.eu-west-1.amazonaws.com, etc., based on the SigningCertURL domain. Block self-signed certs by default (the library enforces HTTPS + valid chain by default — don’t disable this).
  • Raw body matters: Always pass php://input or the exact raw request body — Laravel’s request()->all() will fail because JSON is parsed/modified. Use $request->getContent() or file_get_contents('php://input').
  • SubscriptionConfirmations require extra care: You must confirm the subscription yourself after initial validation, by requesting the SubscribeURL or calling the SNS ConfirmSubscription API. The validator only checks signature integrity; it won't confirm the subscription for you.
  • Caching certificates: Fetching the signing certificate over HTTPS on every request adds latency. Consider caching the certificate (e.g., Laravel cache for 24h) by passing a caching certificate client callable to the MessageValidator constructor, or by extending the validator.
  • Test with real payloads: AWS sends real signatures — use AWS’s sample SNS messages to sanity-check your implementation in staging before going live.
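
The middleware, raw-body, certificate-caching and subscription-confirmation points above, combined in one added example (not code from the package or from the original page). It uses the package's Aws\Sns\Message and Aws\Sns\MessageValidator classes; the class location, the services.sns.topic_arn config key, the cache key format and the sns_message request attribute are assumptions, and the TopicArn check goes beyond what the page describes.

```php
<?php

namespace App\Http\Middleware; // assumed location (added example)

use Aws\Sns\Exception\InvalidSnsMessageException;
use Aws\Sns\Message;
use Aws\Sns\MessageValidator;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class ValidateSnsMessage
{
    public function handle(Request $request, Closure $next)
    {
        // The validator calls this with SigningCertURL only after checking its
        // scheme, host and .pem suffix; throw() keeps failed fetches uncached.
        $certClient = fn (string $url) => Cache::remember(
            'sns-cert:' . sha1($url), // assumed cache key format
            now()->addDay(),
            fn () => Http::timeout(5)->get($url)->throw()->body()
        );

        try {
            // Use the exact raw body, never parsed input.
            $message = Message::fromJsonString($request->getContent());
            (new MessageValidator($certClient))->validate($message);
        } catch (InvalidSnsMessageException | \InvalidArgumentException | \RuntimeException $e) {
            abort(403, 'Invalid SNS message');
        }

        // Assumed config key: a valid signature proves SNS sent the message,
        // not that it came from your topic.
        if ($message['TopicArn'] !== config('services.sns.topic_arn')) {
            abort(403, 'Unexpected SNS topic');
        }

        if ($message['Type'] === 'SubscriptionConfirmation') {
            // Confirm only after validation, by requesting SubscribeURL.
            Http::timeout(5)->get($message['SubscribeURL'])->throw();
            return response('OK', 200);
        }

        // Assumed attribute name for handing the payload to the controller.
        $request->attributes->set('sns_message', $message->toArray());
        return $next($request);
    }
}
```

A failed certificate or SubscribeURL fetch surfaces as a server error rather than a 403, so SNS retries the delivery instead of the message being treated as forged.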