#Cavalaa
cerulean escarp
grim river
Hi there!
Getting a SignatureVerificationError is quite common. It usually comes from two potential errors:
- You are using the wrong webhook secret. So please double check you are using the correct one. It should look like whsec_xxx and match the one displayed in your dashboard
- The payload you pass in the constructEvent function is not the raw payload. So you need to ensure that you get the raw body of the HTTP request that Stripe sent you, without any interference by your code or framework in the middle.
To debug this you'll need to add logging to every value you pass to constructEvent (the payload, the secret, and the signature header) and then we can try to have a look at what part is wrong
clever zealot
I checked the secret and its the same, Ive logged all of the request and have it here:
grim river
Can you share your code that handles webhook events?
clever zealot
func StripeWebhook(paymentService *payment.Service) gin.HandlerFunc {
return func(gtx *gin.Context) {
// read payload
payload, err := io.ReadAll(gtx.Request.Body)
if err != nil {
gtx.JSON(500, gin.H{"error": "failed to read request body"})
return
}
signature := gtx.Request.Header.Get("Stripe-Signature")
// Log the signature header
log.Println("Stripe-Signature Header:", signature)
// handle stripe event
if err := paymentService.StripeWebhook(gtx.Request.Context(), payload, signature); err != nil {
gtx.JSON(500, gin.H{"error": fmt.Sprintf("%v", err)})
return
}
gtx.Writer.WriteHeader(200)
}
}
and
func (s *Service) StripeWebhook(ctx context.Context, payload []byte, signature string) error {
// Log the signature header
log.Println("Stripe-Signature Header:", signature)
// parse and validate webhook request
event, err := webhook.ConstructEvent(
payload,
signature,
s.configs.Stripe.WebhookSecret,
)
if err != nil {
return fmt.Errorf("error verifying webhook signature: %v", err)
}
This is the key part:
payload,
signature,
s.configs.Stripe.WebhookSecret,
)```
Is `payload` the raw request or a JSON object? And can you triple check that the signature above match the one you see in your dashboard?FYI it should look like this: whsec_hr.....0e
clever zealot
Yeah the signature is right
I believe the payload is the raw request
From this line signature := gtx.Request.Header.Get(“Stripe-Signature”)
grim river
Sorry I wrote "signature" above by I meant "webhook secret".
clever zealot
Yeah the secret is as you’ve shown 👍
grim river
And the signature looks something like this t=xxx,v1=yyy,v0=zzz?
young spindle
Hi there 👋 jumping in as my teammate needs to step away.
Typically when we see webhook signature verification fail, it's for one of two reasons:
- The webhook signing secret being used in the event handler does not match the generated signing secret of the endpoint (each endpoint has a unique secret, if you created a new endpoint you will need to update the signing secret in your code)
- The payload that is provided does not match the original unaltered payload of the Event. This can happen if the framework you're using tries to do any additional processing on the request contents when they're being read, like converting them to a JSON object or performing any trimming.
clever zealot
There’s no v0 just a v1
2023/05/16 13:32:30 Stripe-Signature Header: t=1684243950,v1=ffa7b25127872f7dac315b94332352a48c7207a472c37201e1e49d0289b27cda
young spindle
v0 is only included for Events sent from test mode
clever zealot
event, err := webhook.ConstructEvent(
payload,
signature,
s.configs.Stripe.WebhookSecret,
) The line posted above is exactly whats stored in the payload here
resource: {2}
textPayload: "2023/05/16 10:32:02 Stripe-Signature Header: t=1684233122,v1=2bff7a9597d3db735bd593999e3cefd130aadd51e569b8e57feca83ed0e18b95"
timestamp: "2023-05-16T10:32:02.611866Z"
young spindle
If you use the approach shown here in our sample code to read the contents of the request's body, does the error persist?
https://stripe.com/docs/webhooks/signatures#verify-official-libraries
clever zealot
i'l give it a go no w