#Fireenn

Hey there

Hi

So the key here is that you need the raw request body when you do this verification

Can you share your webhook handler code?

yeah more or less copied the example from stripe

class StripeWebhooks(APIView):

    def __init__(self):
        super().__init__()
        self.endpoint_secret = 'key'

    def post(self, request, *args, **kwargs):

        response = {
            'message': "error",
            'status': status.HTTP_400_BAD_REQUEST
        }

        event = None
        payload = request.data
        sig_header = request.headers['STRIPE_SIGNATURE']

        try:
            event = stripe.Webhook.construct_event(
                payload, sig_header, self.endpoint_secret
            )
        except ValueError as e:
            response['error'] = e.__str__()

        except stripe.error.SignatureVerificationError as e:
            response['error'] = e.__str__()

        if not event:
            return Response(response, status=status.HTTP_400_BAD_REQUEST)

using django and a rest framework to handle api calls instead of flask from the examples given on stripe

Recommend editing the above and redacting your secret even if it is your testmode secret since this allows for access to your data

ah right my bad

No worries.

Looking at the code, one sec

K can you log out the payload before you construct_event?

yeah that payload is visible before the construct_event

What does it look like?

It should be a bunch of binary basically

to me it is an object of the request of the customer.created event.

not binary

Okay yeah

So that goes back to what I was saying earlier

Something is messing with the raw request body

What does your endpoint look like specifically?

Something is json'ing it before it actually comes to the verification

using ngrok to open up an endpoint on my machine. It could either be that or the rest API

Yeah it is likely the REST API. Can you show me the route code specifically?

route code?

Ah yeah I'm not very familiar with Django or Python. So post() is just your endpoint here

Is there any serialization happening anywhere?

Can you try decoding your request.body?

Like payload = request.body.decode('utf-8')

ah okay, but yeah post is just the endpoint, there shouldn't be any serialization happening according to the library unless stated somewhere.

unable to do it to the body because the payload is sent in the data portion of the request. But even switching body to data there is no decode/encode on it. And trying to read the request.body I get something like

you cannot access body after reading from requests data stream

Hello! I'm taking over and catching up...

oh okay, just having some problems with verifying webhooks

Can you try changing payload = request.data to payload = request.body and see if that makes any difference?

doesn't since the request object does not contain a body only data

available to me to check throughout the request

Where is request coming from? What framework are you using?

django rest framework

What version?

3.14.0

Hm. I'm a bit confused. According to the documentation there should be a body property: https://docs.djangoproject.com/en/3.1/ref/request-response/

looking at the DRF documentation the rest framework returns the parsed content of the body into the request.data

https://www.django-rest-framework.org/api-guide/requests/

Yeah, you don't want the parsed content, you need the raw content.

The parsed content is modified and won't work for webhook signature verification.

hmm okay, I'll have to figure out how to set an exception for these API calls then

Maybe you need request.stream?

hmm let me give it a try

nice, it works by accessing the request.stream.body

thanks for your help