#rejesto-webhook-issue

Hi.

rejesto-webhook-issue

Here is the output from my log file.

I've looked online, and this is supposedly a @crsf issue

looks like the problem isn't your webhook

like the first 2 lines say you can't reach our API

oh I thought they said I could

response_code = 200 is OK, no?

I'm not sure I understand what you mean

you just shared a picture, the first 2 lines are your own code trying to call the Checkout Sessions API and unable to talk to Stripe

I mean maybe I'm being stupid, but I don't see how they're saying that
What part of the messages say "we couldn't connect to the API?"

I'm kinda new to this so apologies for you having to spell it out for me.

ah yeah no that's me I think I misunderstood your wording/shape and my intuition was wrong sorry

are you using Python/django?

yeah I am, I'll post the webhook if that helps.

okay so yes it's a CSRF issue

@csrf_exempt
def review_payment_confirmation_webhook(request, endpoint_secret=endpoint_secret_text):

    payload = request.body.decode('utf-8')
    sig_header = request.META['HTTP_STRIPE_SIGNATURE']
    event = None

    try:
        event = stripe.Webhook.construct_event(
            payload, sig_header, endpoint_secret
        )

    except ValueError as e:
        # Invalid payload
        print(e)
        return HttpResponse(status=400)

    except SignatureVerificationError as e:
        # Invalid signature
        print(e)
        return HttpResponse(status=400)

    # Passed signature verification

    try:
        payment_intent_id = (json.loads(str(payload)))['data']['object']['payment_intent']
    except KeyError as e:
        payment_intent_id = (json.loads(str(payload)))['data']['object']['id']

    if payment_intent_id[0:3] == "cus":
        return HttpResponse(status=202)

    relevant_submission = Submission.objects.get(relevant_stripe_transaction_id=payment_intent_id)

    # Handle the event
    if event['type'] == 'charge.succeeded':
        relevant_submission.payment_succeeded()
    elif event['type'] == 'payment_intent.succeeded':
        relevant_submission.payment_succeeded()
    elif event['type'] == 'checkout.session.async_payment_failed':
        relevant_submission.payment_status = 4
    elif event['type'] == 'checkout.session.async_payment_succeeded':
        relevant_submission.payment_succeeded()
    elif event['type'] == 'checkout.session.completed':
        pass
    elif event['type'] == 'checkout.session.expired':
        relevant_submission.payment_status = 4
    # ... handle other event types

    else:
        relevant_submission.payment_status = 4

    relevant_submission.save()
    return HttpResponse(status=200)

as you can see at the top though, I do have a @ crsf_exempt decorator present.

oops poor guy

and it's also imported properly for context

I can't really tell you much more yet. Like ignore Stripe for a sec, try making an HTTP POST request to your own endpoint with curl and without a referer and see what happens

aight I'll give it a go

https://askcodes.net/coding/what-does-error-mean-----forbidden--referer-checking-failed---no-referer---- might help otherwise

yeah seen this post on StackExchange already, its what led me to being so confused since I already have the decorator present.

the second answer is different no?

It is but I'm not super sure I understand it, but I wrote that part off since I'm already on Django4.0< so upgrading wouldn't really help me

ah gotcha. Then yeah I've never used django and looking at past discussions in the server it's mostly been the csrf decorator as a solution

eh shame.

Guess I'll keep grinding away at it.

did you try with a curl call first?

that's what I think is your first step

I've never used curl calls before, but I looked it up and tried this:

I'm open to suggestions on more meaningful things to put in it tho :)

ah you're on windows on top of it 😅

Yep 💪😎

https://developer.zendesk.com/documentation/developer-tools/getting-started/installing-and-using-curl/#windows-10-version-1803-or-later maybe this

or any other tool you use to make requests to your own server really

doesn't have to be curl

Curl is installed btw

As far as I'm aware

I just don't think it gave a response

a broader screenshot for you

i.e it looks like curl is here

I don't understand your pictures again

what's floop why is it there?

https://stackoverflow.com/questions/66226774/csrf-exempt-set-but-csrf-failed-referer-checking-failed-no-referer also has some answers

I'm not sure, I haven't used curl before and it said I needed to pass a variable

So I passed that

What should I put instead?

curl -X POST https://example.com/yoururl

i get nothing back, what is supposed to be there?

it's an HTTP request to your webhook endpoint. So whatever your webhook endpoint responds?

and am I meant to be trying this on a webbook that isnt the one that is currently not working?

the goal is to see what you see in your logs on your server and if you hit the same problem

does that make sense?

I see

So I need to get the same output from the cli as I do on the logs?

Or I need to use the cli then look at the logs and see what it says?

the latter. And add logs to your own code to track down what is even happening

Yeah I have ridiculous amount of logs

None of them trigger

I didn't include them in the snippet I sent you

But not even the first log gets triggered

So I assume the view never manages to execute

I tried it without the endpoint_secret as well and it still didn't work

can you hit any URL on your server? I can't help much beyond that unfortunately if you're not familiar with this 😦

yeah I can

It is strange that I would get a 403 from this though

its just a homepage

I don't know why it would do that, maybe that is something to do with the issue I'm getting?

its the same error that I'm getting on stripe as well

<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this HTTPS site requires a “Referer header” to be sent by your web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable “Referer” headers, please re-enable them, at least for this site, or for HTTPS connections, or for “same-origin” requests.</p>
<p>If you are using the <meta name="referrer" content="no-referrer"> tag or including the “Referrer-Policy: no-referrer” header, please remove them. The CSRF protection requires the “Referer” header to do strict referer checking. If you’re concerned about privacy, use alternatives like <a rel="noreferrer" …> for links to third-party sites.</p>
</div>

so still a CSRF issue

:/

yeah but now you can ignore Stripe's webhooks and just debug this end to end

try looking at your list of rests and configuring the CSRF disablement there maybe?

I don't use django-rest (as far as I'm aware), do you mean maybe configuring my own middleware? I did see someone suggesting that somewhere

Hi @cerulean plaza I'm taking over this thread

Awesome hello

I'm sorry if I caused koopajah any pain

It's a long thread, give me some time to catch up.

no problem, I'm eating rn so I'm in no rush (but am ready to respond)

also I understand this is kind of getting out of the scope of stripe so if I'm taking up too much time I can go elsewhere

I do appreciate this being here I don't want to degrade feedback quality lol