#yony-webhook-signature

yony-webhook-signature

@hybrid river unfortunately webhook signatures are quite tough to get right with Node.js. What is the exact error message you get? Also are you using the CLI?

Yes, we are testing with the stripe CLI also, and it shows the same error.

Okay so are you using the right secret? The one from the CLI itself and not the Dashboard?

Yes, correct. The webhook secret key we are using is the same as the one we have on the stripe dashboard webhook secret key.

Not the one from the CLI.

If you use the CLI, you have to use the secret from the CLI

is this okay to share the webhook key here?

no

My point is that for a give webhook endpoint, the secret in the Dashboard and the one you see in the CLI are different

Here is the stripe webhook key we are using for our web app.

whsec_r6bYV9w........................ctAfQhEdyL

And here is the one from the CLI
whsec_26a25................................f8b5c8037abe

you want to use the CLI one is you are using the CLI to test things locally

No, currently we are testing it from our web app, not the CLI.

And here is the error we are getting when webhook event is triggered.

⚠️ Webhook signature verification failed. Webhook payload must be provided as a string or a Buffer (https://nodejs.org/api/buffer.html) instance representing the raw request body.Payload was provided as a parsed JavaScript object instead.
Signature verification is impossible without access to the original signed material.
Learn more about webhook signing and explore webhook integration examples for various frameworks at https://github.com/stripe/stripe-node#webhook-signing

Okay so the error message indicates it is not a webhook secret issue

the problem is really that your code is not properly passing the raw payload to our library

Ok, here is a sample code of the webhook API route.

router.post( '/webhook', express.raw({ type: 'application/json' }),....)

And we remove using json parser middleware from our server. And instead we are adding express.json() to the other routes we have except for the /webhook route.

Some other part of the express app must be parsing those request bodies and mutating them

No, we are not parsing the request before reaching the API route. here is sample code of our server.js

const app = express(); app.use(cors()); app.get('/', (req, res) => res.send('Hello Legacy!')); app.use('/stripe', stripeRoutes);

Ok, and what's defined in stripeRoutes?

such as
/create-checkout
/create-subscription-checkout
/webhook

Sure but anything else that might be parsing the body json?

What does that look like?

Can you please look at these files and mention if anything looks suspicious?

No nothing suspicious to me, but something must be doing this

Does anything change if you move your /webhook route to be defined first?

Umm, I don't that will make any change.

but i will check it.

Are there any other things you suspect could be the cause of the issue?

Nothing stands out to me, no, and AFAIK this is not the default behaviour of express router

Ok thanks @winged mortar

This thread has been archived. If you need help with anything else please ask in #dev-help or contact Stripe Support: https://support.stripe.com/contact

Hello 👋

I move the webhook router to the main express app but doesn't fix the issue.

And webhook event does work when I test it locally using the stripe CLI. But when I test it from my web app, I am getting "Webhook payload must be provided as a string or a Buffer" error. The webhook secret key looks like "whsec_kRDodU7.....................PrLPjuprtQB"

Can someone please help me with this? i am stuck on this issue for about 3 days.