#Indesh-webhook-signature-verification

Hello 👋
Can you provide more information about what's failing exactly? Have you tried logging the responses and seeing if there are any differences in the object?

The signatures are not matching.I'm using Stripe's PHP SDK. The object is identical.

and you're saying it works for every other object except for the events that come from this one connected account?
Do you have any examples i can take a look at?

Yes, all other accounts are working.

Shall i give you both working and non-working event ids?

yes

Non-working: evt_1LfNUCC1AOEGqVOCFul6K019

Working: evt_1LfNDKSFgauaQUZShHUijAqn

Sorry for delay

@fast kestrel 🙏

hmm i'm not seeing much difference between the two events either

Can you share the code that you're using to verify the signature?

actually if you can share your webhook handler code, that'd work too

@formal turtle

Sure

I'm using PHP SDK of Stripe.

@formal turtle do we have a log of the signature received?

I'm extracting the logs to see if we are logging it.

For the 'evt_1LfOqfJ2O6UbCufwgC8fjQnm' the signature received is 't=1662559405,v1=036d0fcc0626ee216bb8dc194b4181408acca242e706b26c7842c5e5ce340631'

@fast kestrel

hanzo had to step away but I can help. Catching up on this thread...

Thanks

For the test mode event are you using the same webhook secret or are you switching between them based on whether the event is live mode or not?

Webhook secret varies based on test/live mode

Another connected store under same mode and secret key is working.

So is it all events for that specific connected account that are failing?

We're logging only 2 events checkout.session.completed & charge.refunded

Refund will not come into action unless our the other event succeeds.

Gotcha. Have you noticed any pattern to the events that are succeeding vs failing?

I couldn't trace anything different in both.

Is there any possibility of having some issue account-based issue?

I'm not sure at the moment. It looks like your signature verification is failing and that part shouldn't change based on which account you are getting events for

Quick question: does your code specify an encoding when it looks at the event body that we send you?

Sometimes verification can fail if you decode the body as ASCII instead of UTF-8. I don't see any Unicode characters in the failed body that you sent but that is one of the things that I've seen cause something like this before

Yea... I also thought of it earlier but couldn't find any special character so ruled it out.

I'll still to debug this further to rule it out completely.

Thanks, the server is still a bit busy but I will try to look in to this more deeply in a minute. If it stays too busy I'll call in a colleague who can

Sure.. thanks a lot

silly question, can you log the value of the endpoint secret whsec_xxx your code is passing, directly to constructEvent and post it here? you can leave out most of it, just whsec_......123456 with the last 6 characters of the secret would help

Sure

I ask because you said

Webhook secret varies based on test/live mode
when actually, it shouldn't

because of https://stripe.com/docs/connect/webhooks

For Connect webhooks, it’s important to note that while only test webhooks will be sent to your development webhook URLs, both live and test webhooks will be sent to your production webhook URLs.
so even if it's a testmode event, it will be signed with the secret of the actual endpoint it was sent to, which is livemode

Nope, I meant it varies based on the payment mode. But also the mode of both failing and succeeding webhooks is same, hence passing same secret key.

I'll still log it internally

thanks. My guess would have been the same as Pompey's , that it's an encoding issue, but you have working examples of other events that have a lot of non-ASCII characters in them, so I think I'm ruling that out. So the only other explanation is just that you're using the wrong secret somehow

Yea... the encoding isn't an issue. I'm logging the secret key internally

Let me see what is says

Exactly same secret keys in both the cases

😢

can you share the secret whsec_......<...> so I can just to try to verify if it seems correct?

ok

whsec_***************51c2i1

whsec_***************51c2i1

that doesn't seem correct, the secret on https://dashboard.stripe.com/webhooks/we_0HMUQVb2g6DPIN2kbcOsTsWJ is different

and that's the endpoint that the events are sent to so it's the secret that the code needs to use

the secret you posted matches https://dashboard.stripe.com/test/webhooks/we_0KgnA3b2g6DPIN2kLThfu7Te , which is the same URL but is an entirely different Stripe endpoint object(it's the test mode version of your Connect endpoint) so it would be a different secret.

But for example evt_1LfOqfJ2O6UbCufwgC8fjQnm is a testmode event sent to your livemode Connect endpoint(per above discussion, that's a weird part of our API but is how it works), so it 100% needs to have its signature checked using the secret from https://dashboard.stripe.com/webhooks/we_0HMUQVb2g6DPIN2kbcOsTsWJ (EDIT: updated that link) and not another one

I know your account is quite historical but I'd try to avoid setting up multiple Stripe endpoints that point to the same URL on your server, it makes the managing of secrets on your server really hard since you just get events and can't know what endpoint secret you need to use without inspecting them first, generally it would be recommended to use separate URLs like example.com/test_webhook_connect and example.com/live_webhook_connect so your code can simply map the route to the required secret.

I'm 95% certain the problem is that your logic for trying to pick the right secret for the incoming HTTP request is making a mistake here.

let me know if this helps @formal turtle

Thanks a lot.... I'll dig it further

Interesting to know about connect account modes.

Shouldn't the webhook secret be picked according to "livemode" in the received payload?

no

per above :
because of https://stripe.com/docs/connect/webhooks

For Connect webhooks, it’s important to note that while only test webhooks will be sent to
your development webhook URLs, both live and test webhooks will be sent to your production webhook URLs.
so even if it's a testmode event, it will be signed with the secret of the actual endpoint it was sent to, which is livemode

the secret is based on the endpoint object we are sending the event to, not any details of the actual event body itself like if it's live or test mode

it also doesn't really make sense to look at the event contents before checking the signature 🙂 the point of the signature verification is you check if the event is really from Stripe before you try to parse it. The "which secret to use" logic should really just be a simple mapping from the route of your URL to the secret(again why you should not use the same URL for multiple Stripe endpoints).

That's strange. Its being working correctly for months. Wondering how it kept working

It was suggested by Stripe support the last time I talked to them.

maybe a bug in your logic for picking the secret, I'm not sure what else it could be

I'll prepare some test cases as per your suggestions.

And strangely it has caused problem only on this account.

I don't have context on that but that might have been incorrect really. I'm 100% sure this is how webhooks work. The signature computation is based on the internal endpoint object we are sending the event to(the we_xxx endpoint ID like in the dashboard URLs I shared earlier) and nothing to do with what the event itself is.

I have to run soon unfortunately as it's late for me. Hopefully the next steps are clear

Sure... Thanks a lot. I'll ping in the morning if in case I had to get some more info on it.