#Gyan
Hello
Can you elaborate on what you mean by the "event is already being received"?
Ah I see what you are asking
Yeah that method is specifically to secure your endpoint
It uses the raw request body + the endpoint secret + the signature to ensure that the Event is coming from Stripe and not a malicious actor
As in Stripe is sending events to the "/customer-webhook" endpoint that is configured in my application; I see that the request has the Stripe event in it.
Okay, how can I use it? At this point, when I am using the webhook secret in stripe.webhooks.constructEvent() that I found in the Stripe console, it is throwing the error below:
Webhook Error: No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing
Are you using Express?
Yes
Gotcha, this is a pretty normal issue as Express generally messes with the raw request body due to express.json()
So basically you will want to change your code to do something like:
```
app.use(express.static("."));
// change this --> app.use(express.json());
app.use((req, res, next) => {
  if (req.originalUrl === '/webhook') {
    next(); // Do nothing with the body because I need it in a raw state.
  } else {
    express.json()(req, res, next); // ONLY do express.json() if the received request is NOT a WebHook from Stripe.
  }
});
```
Yep, give it a try and let me know if you still run into issues
it is still throwing the same error:
I am using exactly the same code as given in the docs
Can you provide your full webhook code?
yes
```
const customerWebhook = async (req, res) => {
  const webhookSecret = "whsec_TdMVri9j2q338OnzgKXyEQEd3qibP260";
  let event = req.body;
  const signature = req.headers["stripe-signature"];
  try {
    // Checks the stripe-signature header against the request body and the endpoint secret; throws on mismatch.
    event = stripe.webhooks.constructEvent(req.body, signature, webhookSecret);
    console.log("-------");
    console.log(
      `Stripe Event received at : ==> ${new Date()}`,
      JSON.stringify(event)
    );
    console.log("-------");
    res.sendStatus(200);
  } catch (err) {
    res.status(400).send(`Webhook Error: ${err.message}`);
  }
};
```
Can you include the Express code as well and can you provide an Event ID that you are testing with?
```
app.use((req, res, next) => {
  if (req.originalUrl === "/customer-webhook") {
    next(); //need raw body in this case
  } else {
    express.json()(req, res, next); // for all other API calls
  }
});
app.post("/customer-webhook", controllers.customerWebhook);
```
"id": "evt_1LmQC8IoChmUfsNALUrCdcXr"
What is controllers.customerWebhook?
that's the function which contains webhooks.constructEvent() operation given above.
Ah whoops, missed that
It's going to the catch block there.
Can you add express.raw({type: 'application/json'}) to that?
Like in our quickstart: https://stripe.com/docs/webhooks/quickstart
in the express code?
okay
Curious if it is still messing with the raw request body if you don't specify request.raw
Perfect it is working now
🎉
So, this is enough to make sure the application will not entertain any fake third-party request. It will make sure it is coming from Stripe.
Yep
It basically uses a combo of the timestamp and the signature and the endpoint secret.
You can basically see how it works by looking at how to handle it manually: https://stripe.com/docs/webhooks/signatures#verify-manually