#Cavalaa
hey, I can't really take your approach mentioned in the thread previously, because our whole server is configured using Gin handlers and not HTTP
I can't seem to access the previous thread, ugh, Discord UI is buggy
Can you give me a quick summary of what approach you're referring to?
basically I keep getting 500 errors with webhook requests saying "error": "error verifying webhook signature: webhook had no valid signature", I can't find the issue because my code seems to be ok:
func StripeWebhook(paymentService *payment.Service) gin.HandlerFunc {
	return func(gtx *gin.Context) {
		// read payload
		payload, err := io.ReadAll(gtx.Request.Body)
		if err != nil {
			gtx.JSON(500, gin.H{"error": "failed to read request body"})
			return
		}
		signature := gtx.Request.Header.Get("Stripe-Signature")
		// Log the signature header
		log.Println("Stripe-Signature Header:", signature)
		// handle stripe event
		if err := paymentService.StripeWebhook(gtx.Request.Context(), payload, signature); err != nil {
			gtx.JSON(500, gin.H{"error": fmt.Sprintf("%v", err)})
			return
		}
		gtx.Writer.WriteHeader(200)
	}
}
and:
func (s *Service) StripeWebhook(ctx context.Context, payload []byte, signature string) error {
	// Log the signature header
	log.Println("Stripe-Signature Header:", signature)
	// parse and validate webhook request
	event, err := webhook.ConstructEvent(
		payload,
		signature,
		s.configs.Stripe.WebhookSecret,
	)
	if err != nil {
		return fmt.Errorf("error verifying webhook signature: %v", err)
	}
we thought it was this section:
event, err := webhook.ConstructEvent(
	payload,
	signature,
	s.configs.Stripe.WebhookSecret,
)
but the payload isn't being converted to JSON and is the raw payload: payload, err := io.ReadAll(gtx.Request.Body)
this returns this: resource: {2}
textPayload: "2023/05/16 10:32:02 Stripe-Signature Header: t=1684233122,v1=2bff7a9597d3db735bd593999e3cefd130aadd51e569b8e57feca83ed0e18b95"
timestamp: "2023-05-16T10:32:02.611866Z"
}
in my server logs
Do you have a middleware that's mutating the raw request that's coming from Stripe?
// add middleware
server.Use(gin.Logger())
server.Use(gin.Recovery())
server.Use(func(c *gin.Context) {
	body, err := io.ReadAll(c.Request.Body)
	if err != nil {
		log.Printf("Error reading body: %v", err)
		return
	}
	// Write the body back for the next handlers
	c.Request.Body = io.NopCloser(bytes.NewBuffer(body))
	log.Printf("Original request body: %s", string(body))
})
server.Use(middleware.CORS(configs.Server.AllowOrigin))
server.Use(middleware.GinContextToContext())
server.Use(middleware.RequestID())
server.Use(middleware.Authenticate(auth))
server.Use(middleware.Dataloaders())
// Log the request body again
server.Use(func(c *gin.Context) {
	body, err := io.ReadAll(c.Request.Body)
	if err != nil {
		log.Printf("Error reading body: %v", err)
		return
	}
	// Write the body back for the next handlers
	c.Request.Body = io.NopCloser(bytes.NewBuffer(body))
	log.Printf("Request body before Stripe handler: %s", string(body))
})
Here's the middleware code, but I couldn't see any difference between pre and post middleware logs
Can you disable the middleware for the request bound to your webhook endpoint route?
Even if it's a slight change in the headers somewhere, it could interfere with how signature verification works
If I do that I can't log into any accounts on my site
here's the pre and post logged
2023-05-16 16:35:02.421 CEST
2023/05/16 14:35:02 Original request body: {"query":"query notifications($page: Uint!, $pageSize: Uint!, $read: Boolean) {\n me {\n id\n name\n notifications(page: $page, pageSize: $pageSize, read: $read) {\n id\n type\n data\n read\n created\n __typename\n }\n __typename\n }\n}","operationName":"notifications","variables":{"page":3,"pageSize":10,"read":false}}
2023-05-16 16:35:02.424 CEST
2023/05/16 14:35:02 Request body before Stripe handler: {"query":"query notifications($page: Uint!, $pageSize: Uint!, $read: Boolean) {\n me {\n id\n name\n notifications(page: $page, pageSize: $pageSize, read: $read) {\n id\n type\n data\n read\n created\n __typename\n }\n __typename\n }\n}","operationName":"notifications","variables":{"page":3,"pageSize":10,"read":false}}
If I do that I can't log into any accounts on my site
But these event delivery requests are coming from Stripe Servers to your servers.
How can this be affecting login process on your site?
server.Use(middleware.Authenticate(auth))
If I take away this line
no accounts authenticate
I'm only suggesting disabling it for the requests that are going to your webhook endpoint route (i.e. /webhook or something)
You can keep it enabled for every other request
Not to sound stupid but how would I do that
I don't know a ton about Go (which you're likely using here, I think)
but basically a conditional where you check the incoming request's path, if it's going to your webhook path then don't run any logic in the middleware
ok let me look into it
I'll try that, other than any middleware what do you think the problem could be?
have you already checked if you're using the correct webhook endpoint secret?