#Bentley - local webhook signature
Thank you
```python
def post(self, request, *args, **kwargs):
    webhook_key = settings.RESIDENTAPP_STRIPE_WEBHOOK_SECRET
    payload = json.loads(request.body)
    event = None
    try:
        if webhook_key:
            event = stripe.Event.construct_from(
                payload,
                request.META['HTTP_STRIPE_SIGNATURE'],
                webhook_key
            )
        else:
            event = stripe.Event.construct_from(
                payload,
                settings.STRIPE_SECRET_KEY
            )
    except stripe.error.SignatureVerificationError as e:
        # Invalid signature. Log it and move on.
        _logger.exception(e)
        return HttpResponse(status=200)
    except Exception as e:
        _logger.exception(e)
        return HttpResponse(status=400)
```
My question is whether or not the local listener will validate the signature when using stripe trigger
Right now it's not. I hardcoded the webhook_key value to be something bogus and the event still got constructed.
Interesting, I would definitely think it should.
I will test this myself in a moment. So have you been hard coding over that config file or just replacing what is in the file? Sometimes configs cache in weird ways
Maybe I should be using named params? If so, I'm not sure what they should be.
I've been replacing what's in the file by setting webhook_key = whsec_9 immediately after grabbing it from the config.
Interesting. Maybe we don't validate like I thought we did. The server got a bit busy but I am testing this myself now
Sorry, I had to jump to a stand-up meeting. Yeah, I figured it was a local development thing, but then why would I get a webhook key when I run stripe listen? :/
So I have some good news and some bad news
Ominous
This worked properly for me in that validation failed when I had the wrong signature
Bad news being that I am a bit stumped on what to check next if you are already hard coding the value like this
Are you sure that you are in the right part of that if else clause?
Hmmm, weird. Maybe I nerfed my key a bit too hard? I'll try just swapping out the last character.
If you get rid of it and just do one construct event with a hard coded wrong key does that fail?
I am. I put a few print statements in to verify my nerfed webhook key and the signature coming from Stripe.
I'll give that a go rq.
Ugh, it made it through. Could this be an issue? Pulled it from the constructed event. "api_version": "2019-05-16"
I don't think so, I think that that event should still have a signature even for that API version
And just to triple check, this was with the if else logic removed? Or at least with a breakpoint or something to show that you are going through the path that passes in the signature?
Yup, removed it so that I'm always passing in the signature and key. 😩
I got it. I'm an idiot. I'm calling the wrong method. I'm supposed to be calling stripe.Webhook.construct_event. Got bit by a c/p error.
I mean that completely went over my head too so I get how you'd get there
Good catch!
haha, the fact that you got it to work clued me in on the fact that it must be something simple on my end. Thank you so much for the help!