#someone

Hello, the webhook secret and body are the two things that cause that error. If your webhook secret is still correct then it sounds like your body is still getting modified in some way

can it be because of test mode?

Have you double checked that your secret variable is populated to the secret key that you are expecting for this specific endpoint (each endpoint and CLI endpoints have a different secret(

Nope, this code works in test mode with the proper secret and body

i will check if secret is ok

yeah secret key's good

Thanks for checking. Sounds like the issue is likely still that you need to get the raw request body.

Oh, I now see that you are calling json stringify on the request body that you are passing in to the contruct event function. Can you try sending the body in by itself with no modification?

Using json parsers will mess with our request body as even the whitespace is counted when making the signature you are verifying against

im sending only request.body

Gotcha, unfortunately that means it is still being modified in some way though it is hard to say how. Is there any middleware that may be modifying the request vody before your code gets to it?

nope

hi

👋

Anything you still need help with?

Okay so seems like you are still having a signature verification issue?

Can you share your full webhook handler code?

yeah

wait a sec

Can you show me your express initialization

Are you using express.json()?

When you log out request.body what do you see?

Is it JSON?

Or do you see a buffer (looks like binary)?

yeah wait

Ah okay cool

So then the raw request body isn't the issue

So what is the exact error you see?

Do you have an example event I can look at as well that you tested with?

yeah i will send ss

or link

https://stripe.com/docs/payments/checkout/fulfill-orders

I need an Event ID

Looks like evt_xxxx

evt_3Myd4RDnC20fs5eD2xCNavOP

Ah you are forwarding via the CLI?

yes

Okay and you are using the webhook secret that the CLI provided you when you run stripe listen

yes

Can you show me what you see in the CLI for the error?

Hi there 👋 taking over, as my colleague needs to step away

Give me a few minutes to get caught up.

ok

It looks like your server isn't sending back a 200 response, which usually means that you're forwarding requests to an endpoint on your server that is misconfigured or nonexistent.

yes

i guess its because of problem i have with verification

Do you have your server running in another terminal instance? If so, is it logging the error?

yes

i sended it before

It looks like maybe your endpoint is mishandling the signing secret. Have you looked at this guide for verifying the signing secret already?

https://stripe.com/docs/webhooks/signatures#verify-official-libraries

my code is based on it

I was just about to mention that I saw the screenshot you posted of your code. Do you know exactly which line in the try block is throwing the error?

this

Well yeah, but it is trying to execute each line of code in the try side of the try/catch block first, so which line from the try is throwing an exception?

i guess this one

I would recommend putting a console.log(); after each line to make sure you know for sure first

ok wait

Okay, so it's the line where you call stripe.webhooks.generateTestHeaderString(). What are you actually trying to do with that line? I don't see it in our docs, so I assume you saw it somewhere else and that's why it's there?

your error log told me to follow instructions in your github

https://github.com/stripe/stripe-node#webhook-signing

Ahhh, okay. Let's start by commenting out that line and see if you can get a 200 back to Stripe CLI

On the first line of the webhook handler, you use bodyParser.raw() instead of express.raw(). I wonder if that's manipulating the raw header you need to verify against.

still the same

i have changed it to express.raw and still same thing

huh... I'm running out of idead.

When you go to this page, do you see your listener under Local listeners?

https://dashboard.stripe.com/test/webhooks

yes

Let me get mine up and running. Just a sec

If you click on it, does it show you the exact same signing secret that you've copy-pasted into your code?

yes

Hey there, can you explain why you're paying this JSON.stringify output? Does the result change if you pass in request.body directly? Looking at the past messages its not clear if this was the original state so sorry if that the case.

im not using it in constructevent

i forgot to remove it

Also as we move forward please use code snippets of text copied rather than images, use triple-backticks like this:

multi
line
code

ok

you could just say to paste my code in here 😅

Yes, do that please 🙂

    console.log(payload)

    let event;

    try {
        console.log(1)
        const sig = request.headers['stripe-signature'];
        console.log(2)
        event = stripe.webhooks.constructEvent(request.body, sig, endpointSecret);
    } catch (err) {
        console.log(`Webhook Error: ${err.message}`)
        return response.status(400).send(`Webhook Error: ${err.message}`);
    }

    if (event.type === 'checkout.session.completed') {
        const sessionWithLineItems = await stripe.checkout.sessions.retrieve(
            session.id,
            {
                expand: ['line_items'],
            }
        );
        const lineItems = session.line_items;

        fulfillOrder(lineItems);
    }

    response.status(200).end();```

I checked the images, its just a bit harder to review/reference

Can you remove the additional reference to request.body: const payload = request.body;
if thats not needed

and i want to confirm that you set endpointSecret to the secret shown in the listen command output, NOT any secret from your dashboard

so that was the whole problem

in docs they said that i have to paste secret from dashboard

Fantastic!

Where do you see that?

It is likely refering to building an online endpoint we send to directly, which does need the endpoint secret from the dashboard

but when testing locally with the forward-to option you need to use the CLI listen secret

ok

nice

thanks guys

https://stripe.com/docs/webhooks/test#webhook-test-cli

If you’re checking webhook signatures, use the {{WEBHOOK_SIGNING_SECRET}} from the initial output of the listen command.

stripe listen --forward-to localhost:4242/stripe_webhooks

Output
Ready! Your webhook signing secret is '{{WEBHOOK_SIGNING_SECRET}}' (^C to quit)

yeah maybe i misunderstood something

It's possible, but glad we sorted it out 🙂

yeah

thanks again and have a nice evening

you too, my pleasure