#standup-webhook-signature


spring glacierBOT
desert shore
#

@woven path this error seems more like you don't properly extract the signature value. I'd recommend adding clear logs to your code to understand what exactly your code is getting

woven path
#

Here is the code checking the signature:

#
  event: APIGatewayEvent,
  webhookType: 'connect' | 'account'
) {
  const sig = event.headers['stripe-signature']
  logger.warn(`APIGatewayEvent: ${JSON.stringify(event)}`)
  return stripe.webhooks.constructEvent(
    event.body,
    sig,
    webhookType === 'connect'
      ? process.env.STRIPE_CONNECT_WHSEC
      : process.env.STRIPE_ACCOUNT_WHSEC
  )
}
#

and here is the event as logged ^^

#

hmm, maybe the capital S on Stripe-Signature matters in live env and not so much in test env?

glossy pulsar
#

As a User who's seen this many times: likely your use of event.body - Stripe uses "steganography" to encode extra data on the webhook JSON body. They use non-coding extra spaces, line breaks, tabs, etc. This can still be parsed as JSON, but the signature verification needs the non-coding parts - that's why you have to be quite careful to not modify it at all before checking signature. (It also kinda masks the issue - the body parses as JSON just fine, so it looks like it's correct, but the verification fails.) This is often caused by using request.body instead of request.rawbody, or by something like Express middleware.

desert shore
#

That can't be that

#

if it was that, it'd say "no signature matching" or whatever which is not the error they are getting right now

#

@woven path okay so clearly what you logged has the Stripe-Signature header right? So are you logging that when you extract it? Are you passing this properly to the constructEvent?

#

I see your code does event.headers['stripe-signature'] without upper case. I wonder if that's the problem and your Live environment is configured differently?

woven path
#

yes, I need to try with capital S

glossy pulsar
#

In my express-JS api handler:

  const sig = request.headers["stripe-signature"];
#

(known-working)

desert shore
#

lower and upper case for headers depends on your server's configuration though

glossy pulsar
#

wheee.