#BarefootDev

Hi 👋 what's your question?

hey sorry, just edited with more info

any ideas what i could be doing wrong?

Based on the error message, it could be a few things. What have you tried so far?

im using the endpointSecret provided in the node.js sample, and the raw request body. only difference is im doing it in a serverless function (emulated locally), not an express app

I havent come up with any ideas to try fix

Are you able to log the raw response body you received from Stripe and manually confirm that the signature matches what you provided in the request?

umm to trigger the webhook im just using stripe trigger checkout.session.completed

so i dont know what sig is being provided in the req

when i run stripe listen it does log the webhook signing secret it's using, which matches the endpointSecret im using in my code

but not sure about the sig

Ah, okay. I didn't realize you were using the CLI to do this. Let me dig a bit more and circle back

Thanks

Do you have a request ID for the request that raises the error?

Here's how you can find a request ID: https://support.stripe.com/questions/finding-the-id-for-an-api-request

Yep here's one: req_thuDTBix56CZwT

👋

Can you share your Webhook code?

Also have you logged out the request body?

Usually the issue here is that your framework is manipulating the raw body and that causes signature verification to fail

oh okay that sounds possible, im using a firebase function and have the handler wrapped in a cors thing

exports.stripeWebhookHandler = functions.https.onRequest((req, res) => {
  cors(req, res, async () => {
    await stripeWebhookHandler(req, res);
    return res.status(200).send("Webhook received");
  });
});

That might do it. If you log out the raw body it should be a buffer that looks like binary

If you see JSON then your framework is likely the issue

Oftentimes the framework "helps you" with this... but this is one case where you have to force it to not do anything to the raw body

Hmm okay

If i log req.body in the above code (even before cors( it's just a json

Yep that is likely the issue then

https://stackoverflow.com/questions/42950561/how-can-i-get-the-raw-request-body-in-a-google-cloud-function

Maybe

req.rawBody

It looks like my request object has a rawBody

oh yeah you saw that too

Yeah try that

that's working!

thank you 😄

🎉

just one quick q: is it possible to send some kind of metadata (e.g. a user id) when i initially create the checkout session, so that the webhook receives it?

Yep

https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-metadata

ah awesome

You can also set the metadata at the PaymentIntent level using https://stripe.com/docs/api/checkout/sessions/create#create_checkout_session-payment_intent_data-metadata

thanks a bunch

If you prefer the metadata to get carried down to the PaymentIntent

Instead of the metadata being associated to the Checkout Session

not entirely sure what the diff is between payment intend and checkout sess tbh

ill do some digging

A PaymentIntent is created due to the Checkout Session

It is a state machine for the payment attempt

But yeah, mostly I would recommend just testing the flow out

ah i see

cool

And look at what is created and what is sent to your Webhook

Yep that's great

cheers