Shivani | Stripe Developers | Page 1

weary heathBOT Apr 27, 2023, 5:05 PM

#

dry rune Apr 27, 2023, 5:06 PM

#

Can you elaborate a bit? What are you wanting to do?

#

Also, let's stick to one thread and one question at a time. We can tackle this one once I have more context on the above:

Has anyone implemented Stripe signature verification using Mule implementation?

weary heathBOT Apr 27, 2023, 5:15 PM

#

tulip stone Apr 27, 2023, 5:19 PM

#

Hello! Can you reply here please?

rain forum Apr 27, 2023, 5:24 PM

#

I wanted to understand if Stripe can provide any static ip/dlb url for whitelisting.

tulip stone Apr 27, 2023, 5:29 PM

#

We have a list of IPs where our webhooks come from here: https://stripe.com/docs/ips#webhook-notifications

#

But confirming the webhook came from one of those IPs is not sufficient to be sure it came from Stripe, you still need to perform signature verification.

#

Can we please talk here instead of other threads?

#

Yes I understand Stripe signature verification is necessary... however due to HMAC imementaruon the result is not always coming as expected
We tried using libraries as well.. but the result is not consistent
any one has done stripe signature verification in Mule?

#

I'm not familiar with Mule, sorry.

#

What specific issues are you having verifying signatures? The manual HMAC process should be consistent.

#

You implemented the manual verification process documented here, right? https://stripe.com/docs/webhooks/signatures#verify-manually

rain forum Apr 27, 2023, 5:43 PM

#

we tried manual verification

#

when we give raw message in our implementation it tends to add some extra space and new lines... and because of this the hmac gets changed

#

hmac never gets matched to the value of V1

#

even with libraries same behavior is observed

tulip stone Apr 27, 2023, 5:46 PM

#

It sounds like you need to figure out a way to get the raw body of the request without modifications. The signature verification process depends on the raw payload remaining 100% intact.

#

Whitespace and all.

#

Do you know what's modifying the body of the request?

rain forum Apr 27, 2023, 5:48 PM

#

we just read the message coming from Webhook and convert it into raw text as it comes in Json format

#

in that event only it gets modified

tulip stone Apr 27, 2023, 5:49 PM

#

You shouldn't be converting it to anything. You need to take the raw payload coming in and give it to the signature verification process as-is.

#

Treat it like raw binary data if you need to.

rain forum Apr 27, 2023, 5:49 PM

#

right we are reading Jason in binary data only...

#

still see the payload getting changed

#

if anyone in community has implemented in Mulesoft, please help me with it....

#

I have been rigorously working on it since last 1 month

tulip stone Apr 27, 2023, 5:55 PM

#

I've never encountered anyone here working with Mulesoft unfortunately. Is there a Mulesoft community or support forum you can get help from?

rain forum Apr 27, 2023, 5:56 PM

#

anyone who did in Java?

#

we can expose Java class in our impl

tulip stone Apr 27, 2023, 5:57 PM

#

There's a Java example in our docs here: https://stripe.com/docs/webhooks/signatures#verify-official-libraries

rain forum Apr 27, 2023, 6:00 PM

#

This i am aware ..

#

if anyone has done impl, please can they share the jar file?

#

because we tried this code

tulip stone Apr 27, 2023, 6:03 PM

#

There's not really anyone else here. When you tried this code you still ran into the same issues with the body of the request being modified?

rain forum Apr 27, 2023, 6:06 PM

#

yes

#

always getting unauthorized

#Shivani