#Bason91
happy to help
Hello
Will be with you shortly. In the meantime, would you mind moving your other message here to keep track of the whole conversation in one place?
Yep, just removed it.
application.post(
  '/webhook/stripe',
  bodyParser.raw({}),
  async (request, response) => {
    const stripe = new Stripe(Environment.BILLING_STRIPE_SECRET_KEY, null);
    const event = (request as any).rawBody || request.body;
    const sig = request.headers['stripe-signature'];
    try {
      const result = stripe.webhooks.constructEvent(
        event,
        sig,
        'whsec_************' // I am using my developer stripe webhook secret here
      );
      console.log(result);
    } catch (e) {
      console.log(e.message);
    }
    await stripeEventsHandler.registerEvent(event);
    response.status(200).json({ received: true });
  }
);
I am using a local server at localhost:8080
Using the Stripe CLI for the events in the following way
stripe listen --forward-to localhost:8080/webhook/stripe
and then on another terminal:
stripe trigger customer.updated
be back in a bit
Hey! Taking over for my colleague. Let me catch up.
Cool, I'll be back in around 15 minutes, getting some food
I invite you to test this complete integration first, by replacing your secret key and Webhook secret key
https://github.com/stripe/stripe-node/blob/master/examples/webhook-signing/node-express/express.js
https://github.com/stripe/stripe-node/tree/master/examples/webhook-signing
The idea is to make sure that you are using the right values of those parameters, and to make sure that there is no middleware in your integration that modifies the body of the request. It must be sent to the stripe.constructEvent as raw body without any modification.
What webhook secret should I use ?
the one from the Stripe CLI or the one from the test account?
It depends on what webhook you are trying to listen to. If you are using the Stripe CLI, then you use that webhook secret, and if you created a webhook, then you need to use its secret.
https://dashboard.stripe.com/test/webhooks/create
Hello, just did it - I still get the same error.
Can you share an evt_xxx
And the whsec_xxx is the one the CLI spits out when you run stripe listen?
yep
I triggered the event I shared from the stripe dashboard - I manually updated a customer's subscription in test mode
I triggered the event I shared from the stripe dashboard
I thought you said you used stripe trigger?
Triggering an event from the Dashboard will use a different whsec_xxx
You need to use stripe trigger customer.subscription.updated and then separately stripe listen --forward-to and use the whsec_xxx the listen command prints
If you're triggering actions via the Dashboard, they will be signed with a different secret
That's what I'm doing
In this case I should use my whsec from the webhooks panel in the stripe dashboard, correct?
How are you actually triggering the events though?
You need to use stripe trigger customer.subscription.updated as I explained:
Triggering an event from the Dashboard will use a different whsec_xxx
If you're triggering actions via the Dashboard, they will be signed with a different secret
If you're using the CLI it's best to just keep triggers isolated to there
If I trigger the event from the Dashboard - the whsec_xxx will be my signing secret code in the Webhook page in the Dashboard ?
Yes
If I trigger the event from the CLI - the whsec will be what the CLI spits out?
Yes
Currently, I am using the whsec_xxx from the Webhook page in the Dashboard and triggering the events from the dashboard while I have initialized the Stripe CLI with
stripe listen --events customer.subscription.updated,customer.updated --forward-to localhost:8080/webhook/stripe
Sorry, to clarify. You need to use the whsec_xxx from stripe listen command
ok, give me a sec
and I should trigger the event from the stripe cli?
same error - No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing
Ah, I just checked your code. Our recommendation is to use express.raw as opposed to bodyParser.raw:
app.post('/webhook/stripe', express.raw({type: 'application/json'}), (request, response) => {
Sure, assuming there's no PII
request.body right now is of type Buffer
So we are not parsing it in any way and I get a new error
But that is not from the actual stripe.construct event
and the actual event is then reconstructed
so I guess that works
Can you share your full webhook handler code please
sure
const application: express.Express = express();
application.use((req, res, next) => {
  if (req.originalUrl === '/webhook/stripe') {
    next();
  } else {
    express.json()(req, res, next);
  }
});
application.post(
  '/webhook/stripe',
  express.raw({ type: 'application/json' }),
  async (request, response) => {
    const stripe = new Stripe(Environment.BILLING_STRIPE_SECRET_KEY, null);
    const event = request.body;
    const sig = request.headers['stripe-signature'];
    try {
      const result = stripe.webhooks.constructEvent(
        event,
        sig,
        'whsec_6b5553314dbd17f6dcb1de18b4e603c2649f3069246a245e084c9d5e354c7fdc'
      );
    } catch (e) {
      console.log(e.message);
    }
  }
);
I'd redact that whsec_xxx
Anyway, you need to pass request.body to constructEvent, not your event variable (as that will be malformed - it requires the raw payload):
stripe.webhooks.constructEvent(request.body, sig, 'whsec_xxx')
However event = request.body - there is no parsing here.
Correct, the constructEvent will build the JSON payload for you (assuming the secret matches the signature). See: https://stripe.com/docs/webhooks/quickstart?lang=node