#chiayi

echo trout

this is my backend code

import json
import os

import stripe
from fastapi import FastAPI, Request, Response
from pydantic import BaseModel

app = FastAPI()
# App signing secret from the dashboard (read from the environment here; assumption)
app_secret = os.environ.get("STRIPE_APP_SECRET", "")


class Payload(BaseModel):
    user_id: str
    account_id: str


@app.post("/verifyRequest")
async def root(request: Request, response: Response, payload: Payload):
    # Stripe-Signature header, e.g. "t=<timestamp>,v1=<hmac>"; verify_header
    # expects a str, so default to an empty string (not a dict) when absent
    sig = request.headers.get("stripe-signature", "")
    # Re-serialise the parsed body; json.dumps with default separators yields
    # '{"user_id": "...", "account_id": "..."}' (space after ':' and ',')
    payload_str = json.dumps({
        "user_id": payload.user_id,
        "account_id": payload.account_id
    })
    # Raises ValueError on a malformed header and
    # stripe.error.SignatureVerificationError when the HMAC or timestamp check fails;
    # both propagate to the client as a 500 unless handled
    stripe.WebhookSignature.verify_header(payload_str, sig, app_secret)
    return {"success": True}

void coral

Hi there, can you check that there's a stripe-signature in the HTTP header?

echo trout

yep there is

this is what print(request.headers) returns

Headers({'host': '127.0.0.1:8000', 'connection': 'keep-alive', 'content-length': '69', 'access-control-allow-origin': '*', 'sec-ch-ua': '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"', 'content-type': 'application/json', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36', 'stripe-signature': 't=xxxx,v1=xxxx', 'sec-ch-ua-platform': '"macOS"', 'accept': '*/*', 'origin': 'null', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'en-US,en;q=0.9'})
void coral

'stripe-signature': 't=xxxx,v1=xxxx' - did you redact the data?

echo trout

yea

not sure if it's sensitive so I didn't show it

void coral

Don't worry, it's not sensitive data.

echo trout

Headers({'host': '127.0.0.1:8000', 'connection': 'keep-alive', 'content-length': '69', 'access-control-allow-origin': '*', 'sec-ch-ua': '"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"', 'content-type': 'application/json', 'sec-ch-ua-mobile': '?0', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36', 'stripe-signature': 't=1689061740,v1=1634d40ff39cfc32f4b8aaed6b7089f02063ca30f13b48293423d0e8823238d4', 'sec-ch-ua-platform': '"macOS"', 'accept': '*/*', 'origin': 'null', 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'en-US,en;q=0.9'})

okay, this is how it looks originally

void coral

When your Stripe App constructs the request data, does it put user_id first and then account_id?

echo trout

yep, this is how the request is constructed on my frontend

import { useEffect } from "react";
import type { ExtensionContextValue } from "@stripe/ui-extension-sdk/context";
import { fetchStripeSignature } from "@stripe/ui-extension-sdk/signature";

const Main = ({ userContext, environment }: ExtensionContextValue) => {
  useEffect(() => {
    // A useEffect callback must not be async (its return value is treated as a
    // cleanup function), so the async work is wrapped in an inner function.
    const verify = async () => {
      // By default the signature is signed with user id and account id.
      await fetch("https://127.0.0.1:8000/verifyRequest", {
        method: "POST",
        headers: {
          "Stripe-Signature": await fetchStripeSignature(),
          "Content-Type": "application/json",
          // Access-Control-Allow-Origin is a response header; sending it on
          // the request has no effect on CORS.
          "Access-Control-Allow-Origin": "*",
        },

        // Include the account ID and user ID in the body to verify on backend.
        // JSON.stringify emits no whitespace: {"user_id":"...","account_id":"..."}
        body: JSON.stringify({
          user_id: userContext?.id,
          account_id: userContext?.account.id,
        }),
      });
    };
    verify();
  }, []);
  return null;
};

export default Main;

void coral

Is the payload == request.body?

echo trout

no

await request.body() is a byte string (can't retrieve request.body without await on FastAPI)

b'{"user_id":"usr_xxx","account_id":"acct_xxx"}'

payload is a Python class object

user_id='usr_xxx' account_id='acct_xxx'

payload_str is a JSON string

{"user_id": "usr_xxx", "account_id": "acct_xxx"}

I've tried await request.body() in my previous thread and it didn't work because in the doc they use JSON.stringify, so this time around I use json.dumps to convert payload into payload_str (to replicate JSON.stringify in Python) and it still didn't work

mighty ingot

Is app_secret the correct value?

echo trout

I got app_secret from dashboard -> signing secret, it's correct

just curious - the content of stripe-signature in the header shouldn't look like app_secret directly if I print it, right? But they should be the same after the hashing is done in the verify_header function

mighty ingot

No, the signature and secret are not the same

Does the CLI not spit out a secret when you do stripe apps start?

echo trout

it doesn't 🤔 this is what it looks like

mighty ingot

Ah, thought maybe it did like how the webhooks work

echo trout

ok sure thanks!