#blockChain_engr

Hi
You are trying to verify the signature of an event in your webhook endpoint. The error means that your endpoint couldn't verify the signature of the event received by Stripe due to signature mismatch. In most cases, this could be due to using an invalid webhook secret or your endpoint is modifying the request body of the request (e.g. using a body parser middelware in your Node Express endpoint)

app.use(express.json());
app.use(express.urlencoded({ extended: true }));

I am using above 2 middlewares

is it because of this?

Yes

I need these 2, how to manage then?

You can follow this sample, in order to ignore the json parser for your webhook endpoint

https://github.com/stripe/stripe-node/blob/master/examples/webhook-signing/node-express/express.js#L10

Can you explain now?

the error is changed...

I gives us the event object now...

what's the issue now?

Looks like your webhook code isn't configured to handle account.updated events:
Unhandled event type

I guess there's a switch statement in your code that checks the event.type on the payload and handles accordingly

You probably need to add a case for account.updated

module.exports = async (app) => {
app.use('/stripe/web-hook', express.raw({type: 'application/json'}), async (req, res, next) => {
let event;
try {
const secret = config.get('webhookSecret')
const bufferObj = Buffer.from(secret, "base64");
const sig = req.headers['stripe-signature'];
// console.log(bufferObj.toString("utf8"));
event = stripe.webhooks.constructEvent(req.body, sig, bufferObj.toString("utf8"));
console.log(event);
} catch (err) {
console.log(err.message);
res.status(400).send(Error: ${err});
return;
}

    // Handle the event
    switch (event.type) {
        case 'account.updated':
            const transfer = event.data.object;
            // Then define and call a function to handle the event transfer.created
            break;
        case 'transfer.reversed':
            transfer = event.data.object;
            // Then define and call a function to handle the event transfer.reversed
            break;
        case 'transfer.updated':
            transfer = event.data.object;
            // Then define and call a function to handle the event transfer.updated
            break;
        // ... handle other event types
        default:
            console.log(`Unhandled event type ${event.type}`);
    }
    // Handle the event
    console.log(`Unhandled event type ${event.type}`);

    // Return a 200 response to acknowledge receipt of the event 
});

}

this is my code

Sure, you have an account.updated case. But it doesn't do anything

Not sure what you're expecting

Actually it is because of the unnecessary log statement it was showing unhandled event

now please refer to the new pic

I made few changes

why is saying

No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing

Looks like the constructEvent fn is failing

Either your secret variable is wrong, or you're not passing the raw webhook body

what do you mean by this "you're not passing the raw webhook body" ?

constructEvent expects the raw payload from the event, not JSON or anything else. That can be malformed by integrations, either intentionallity or unintentionally

Anyway, I don't think that's the issue. Why are you using Buffer with your secret?

Can you The Request Body:

it is not in Json formate

You just need to pass the whsec_xxx as a string:

stripe.webhooks.constructEvent(req.body, sig, secret)

I am saving the secret in decoded form then encoding it it...

secret is okay

I have check multiple times

Why? That's redundant

The other thing is that it could just be the wrong whsec_xxx. Where did you get it?

can you see according to documentation the payload shall be in this form, but I have logged it in the above pic it is in different form

what are you referring to, what is redundent

If you log req.body then you're malforming it from the format constructEvent expects. Don't do that

Encoding/decoding the whsec_xxx

Are you using the CLI?

yes I use CLI for triggering event

only decoding bro here

And where did you get the whsec_xxx?

Well that's not necessary. It's just a string, just pass it as I advised before

I get this by using this code

Yeah that's the wrong whsec_xxx if you're using the CLI. The CLI will spit out the whsec_xxx you need to use when you run stripe listen ...

I did not get that

Are you definitely using our CLI?

How are your events being forwarded to your local webhook?

have a look please, like this

Ok, ignore me. You're not using stripe listen so that isn't the issue

I register the webhook endpoint using above code then I am triggering the event using above terminal commands

got it?

You need to stop 'decoding' your whsec_xxx with Buffer and just pass it as a string:
stripe.webhooks.constructEvent(req.body, sig, secret)

okay wait, I will log it as well for you

Not sure what else to suggest outside of that I'm afraid

Looks to me like your code is maybe receiving events from multiple webhooks? Each webhook would have a unique whsec_xxx so that would cause an error too

okay now?

You can't log req.body like that – it'll malform it

oaky wait

okay now?

Well you're still using Buffer, but ok

that is for secret decoding you will see now it is okay

I logged it for you

see, the key okay

Right, but just trying to eliminate anything that could be causing issues and that may have been one

Looks to me like your code is maybe receiving events from multiple webhooks? Each webhook would have a unique whsec_xxx so that would cause an error too

Did you see that message when I sent it earlier?

I will change the url of end point and register it again, what do you say?

but I am registering using code in Node.js

is that okay?

Can you share the we_xxx ID?

still the same issue

whsec_09U1qJzr8OpurSLQ22m5B3PjQDiLltfB

is it safe if some can see it?

No, the ID of the webhook you've created: https://dashboard.stripe.com/webhooks

are you triggering event? using my we_xxx ?

??

I am not using live

I assume you're working in test mode, so its fine yes

it is test

Can you share a we_xxx from the link above

whsec_fee0fc45f6df4dd95d7cd484ba79cd3628ba19e142bb7f913f1c22c762b8af41

let me remove the decoding and encoding

That's not the ID I need

It'll look like we_xxx in your URL bar from the Dashboard

Is there multiple webhooks on that Dashboard page?

{
"data": null,
"message": "You already reached the limit of 16 test webhook endpoints.",
"error": "Error"
}

Sounds like you're creating a new webhook for every event?

No I called this code so many time in postman

how can I reset things?

Ok, so if you've created multiple webhooks for the same endpoint that listen to the same event types (e.g. account.updated) then your endpoint is going to receive n payloads for each event.

This is problematic as I outlined before as each webhook has a unique whsec_xxx that signs each event

What is the solution to the mess I have created?

And your code is only configured to use whsec_abc. So whilst it successfully processes the events signed with whsec_abc, events signed with other secret will fail

Deleted all but one webhook, and use the whsec_xxx from that webhook

where should I delete them from?

Should be possible in the Dashboard

can you please answer this?
Currently I have not activated the account so no points are shown, Now I will use the follwing (in the pic) to add an endpoint,

my question is the code of Node.js to register the end point is only for live accounts?

You need to switch the toggle into test mode on the Dashboard

ALRADY IN TEST MODE

Based on that screenshot, I think you're looking at the Dashboard of a Connected account

this is my own account

I guess

Hi there 👋 jumping in as my teammate needed to step away. I was trying to get an understanding of the state of this conversation from past messages but they seem to jump around a bit. Would you mind summarizing what is currently giving your troubles?