#cooker-node-webhooksignature
Hey @misty nexus. The 400 is because you aren't properly verifying the signature. This is unfortunately extremely common with Node.js code.
- 90% of the time, the issue is that you use the wrong endpoint secret. When using the CLI + forward you have to use the secret the CLI gives you, not the one you see in the Dashboard.
- 10% of the time the issue is because the "raw payload" Stripe gives you is not what your code is using. It's extremely common with Node. You'll have to carefully read https://github.com/stripe/stripe-node/issues/341 which has dozens of potential solutions and find the one that works for you
Yeah I am using body parser in conjunction with express.json higher up in the code file
So I think it may be the second one, I'mma try some stuff and get back to you - thanks :)
sounds good
Yeah, app.use(express.json()) was screwing with it - thanks man :)
One day, I will understand Node.js enough to tell people which fix is the right one for them
Yeah
It's surreal how the only way is to link to that thread and say "yeah try some of those" but we haven't figured out anything better 😦
It was almost like a silent issue
it seems to be subtle and it depends on a lot of different reasons
Mmm...
Yeah - node is funny like that, or at least how express was made
I think after this, I might switch fully to one of my other well known backend languages just for backend, which will either be Rust or Go. Which one do you recommend due to Stripe support etc?
(@old kite)
We only support Go today, not Rust
Oh ok. Is/will there be Rust support in the future?
No plan to add Rust support any time soon no
There's https://github.com/arlyon/async-stripe from the community
Alright. Last thing, @old kite - for when I have to run the stripe listen command from the CLI of my deployment/prod droplet - will the signing secret change? Big inconvenience otherwise...
And can I make it not only last 90 days for the CLI auth login as this also would be inconvenient for the 24/7 on-ness of the backend and I would have to re-login every 90 days
Yeah there should be absolutely no reason to use the CLI for this
the CLI is mostly a local development tool. In production you add a webhook endpoint to your account in Live mode for a real/production HTTPS API for your server
Do you have an example guide of how to basically do what I am doing but for a production app?
Not really because it's just normal web development really. A webhook endpoint is simply an HTTPS POST route on your server. It's exactly the same as any other route you have to handle requests from your application.
Yeah but
Like
The stripe listen bit
You're saying I shouldn't do that on my prod machine
The CLI + listen was built because when you run your Node.js locally on your server and get localhost:1234 or whatever, Stripe has no way to reach your laptop. So the CLI does that for you, Stripe talks to the CLI directly (which we have access to) and your CLI forwards to your local server
with a production app, there's nothing to forward. Like if your website is example.com and you have example.com/login and example.com/register you'd have a real route like example.com/webhook/stripe or whatever
and yep!