#nJoy

Check your server logs

That will give you a hint into the problem

There isn't an error in the server logs

The only thing we can see is the response you return, so best way to figure out what's happening is to check your logs. If there's not enough info, you'll need to improve your logging

It doesn't appear to be hitting the code on our server. Is a 400 actually getting into our server in some way that isn't a 403 1 or 4? Is it actually connecting?

Can you paste the event id

evt_3Mf8HqE7ebVHEdGC1aIdKO9m

Ah ok. Since it's sent through the cli/locally I don't have any visibility into the response after all

Is your server really running on port 44300?

Try hitting that same url with Postman and see if your server is logging that request

That's a good idea. Do the webhooks from stripe need https or can they use http?

http is fine locally

If I change this to stripe listen --forward-to localhost:8000/stripe/webhook I get a 403.

"Unable to extract timestamp and signatures from header

You likely have multiple services running on your machine. You need to find out what port the server you're trying to hit is running on

Yeah so 8000 is the right one I guess

throught PAW I see that error description. 8000 is the port that Laravel homestead forwards 80 to.

So now you can begin your debugging. Log your headers to inspect what's happening, etc

So yeah log the value of that stripe header

That's what paw is showing me. I get the same error 403 through stripe cli

there may be some library interfering with the header prior to you sending it for verification

Through the stripe cli?

No in your code

You need to debug why that error is occurring right?

So add more logging to find out what's broken

Overall I just recommend starting with our sample php webhook code though: https://stripe.com/docs/webhooks/quickstart?lang=php

Then modifying to fit your needs

I don't think this is our code. This will all work in production environment. And staging. It has something to do with the stripe cli connecting with a local server maybe?

Wait whose code is it then if not yours

That's the new piece we are trying to figure out. Not pushing code to an upstream dev sterver to test this

stripe trigger charge.succeeded
A newer version of the Stripe CLI is available, please update to: v1.13.10
Setting up fixture for: charge
Running fixture for: charge
Trigger succeeded! Check dashboard for event details.

We are running the above terminal command to test

The webhook then tries to access our local server (local on a desktop) and fails.

I understand

What did you mean by this?

This isn't your code?

I just meant that our code wasn't creating the event that caused the webhook. we are using your test triggers

That I know

It's already in prod?

ok. So the 403 says the server is refusing it. Not our custom code on the server

This is not in prod. Other webhooks are

And in dev etc.. All work. It's only a local issue

But is it different code that's in prod?

Or same code?

It's a different webhook. But I've tested webhooks that work as well in prod. Same 403 issue.

Did you log the value of the stripe signature header you're trying to use?

The error message from the php library: https://github.com/stripe/stripe-php/blob/91876a7d/lib/WebhookSignature.php#L32

Make sure that header is valid

Just trying to debug this with you, so need to know what the value of the Stripe-Signature header is

Logging that now. Appreciate it.

No problem. Once we have that we can go from there

Yes, the timestamp there is -1

because the header is null (through paw)

The header is null?

Ok can you print out all headers?

To see what you do have available

t=1677275322,v1=82e2a090ec838b9eaec4f464b6a4dc54bd4822eee5344556eb5ed1dc1992a854,v0=6452fbcda109dcd1dc377fbd72b4b82c1307482b373795cc95c1678522c11d8d

That's not all the headers

Which header is that?

I thought you said the stripe header was showing up as null?

that time it got a timestamp and header

through the stripe cli trigger

Still has a 403.

Paw was sending null headers.

2023-02-24 13:49:43 --> connect charge.succeeded [evt_3Mf998E7ebVHEdGC0lmDEbnp]
2023-02-24 13:49:44 <-- [403] POST http://localhost:8000/stripe/webhook [evt_3Mf998E7ebVHEdGC0lmDEbnp]
2023-02-24 13:49:44 <-- [403] POST http://localhost:8000/stripe/webhook [evt_3Mf998E7ebVHEdGC0lmDEbnp]

Hi, stepping in and catching up here

hi

Can you share what version of the cli you're using here and the version of your php library?

how do I check the cli version?

You can run stripe version

stripe version 1.13.9

php 7.4.25

Thank you for your patience here. If I cannot figure it out in a few minutes I'll loop someone else in from our team.

ok thank you

Can you share the steps you're taking here so I can share replicable steps with my teammate?

I am sending this: stripe trigger charge.succeeded through the terminal

through stripe cli

That's it'

When you just pass this, you see 400 error correct?

No. Now I see a 403

It was a 400 when I was trying to hit the ssl port

I can't reproduce this on my end but getting some help.

So what's happeningin WebhookSignagure.php is that it's not finding the expected signature

$expectedSignature = self::computeSignature($signedPayload, $secret);
$signatureFound = false;
foreach ($signatures as $signature) {
if (Util\Util::secureCompare($expectedSignature, $signature)) {
$signatureFound = true;

            break;
        }
    }

SignatureFound remains false

It has a signature:

0 => '995eeba937cab255338b887ebd8b5d2b3c4942c73006c5b8f966f28375d6a9a1',

It's just not thinking it's the right one

Feb 24 14:38:02 homestead php [2023-02-24 22:38:01] local.WARNING: exptected sig: b079a62f448c8dd6e4f9b0c1464c246ff297d64b3ab78565abac949913595fc9
Feb 24 14:38:02 homestead php [2023-02-24 22:38:01] local.WARNING: exptected sig: b95f6bdd45ccb3870c792ef13da5a81091936ab67154311492e3fc52da569869
Feb 24 14:38:02 homestead php [2023-02-24 22:38:02] local.WARNING: sig: 5033e3512033954ff0340e066d968821130c4adac39d9785fb71fd83b767da81
Feb 24 14:38:02 homestead php [2023-02-24 22:38:02] local.WARNING: sig: 6bc1853b1ae86da9ab59dcfb0fa09f90ce2d27cc3535a800c4900e5b8cda0af0

Hello! I'm taking over and catching up...

Are you using the whsec_ value provided by the stripe listen command?

I'm not sure what you mean

I followed the Stripe instructions online to set up stripe cli through the terminal.

This prints out in the terminal when I set the listener: Your webhook signing secret is whsec_d5ccd87b30da603e71c3d2bc50a9c1d0115f82a4d41590b57a5999a413e5ef03 (^C to quit)

And I don't do anything after that but listen

You need to use that whsec_ value in your code.

That's the secret that the CLI will use to sign the payloads.

You're getting the error because the expected signature is the one you're generating with whatever other whsec_ value you're using in your code, not the one generated using that whsec_ secret provided by Stripe CLI.

Now that makes total sense. Let me try that quickly

You solved the problem! Thank you very much. It's most appreciated.