#.stevenp

Hi there, you shouldn't add thing to the stripeSignature, otherwise the signature verification would fail

ah yes, when I call it as the guide suggests here:

https://stripe.com/docs/stripe-apps/build-backend

```return fetch(https://example.com/${endpoint}/, {
method: 'POST',
headers: {
'Stripe-Signature': await fetchStripeSignature(),
'Content-Type': 'application/json',
},
// Include the account ID and user ID in the body to verify on backend.
body: JSON.stringify({
...requestData,
...signaturePayload,
}),
});

the request fails

Any error log from your server?

It's not failing on the server it's failing in chrome

it never makes it to the server

no logs on my server, and when I remove this header it works fine

Is the endpoint accessible?

yea

when I remove the header from the request it succeeds

can you share with me your exact code?

yessir

mport { Box, ContextView, Inline, Link } from "@stripe/ui-extension-sdk/ui";
import type { ExtensionContextValue } from "@stripe/ui-extension-sdk/context";

import BrandIcon from "./brand_icon.svg";
import {SignInView, SettingsView} from '@stripe/ui-extension-sdk/ui';
import React, { useEffect, useState } from 'react';
import {fetchStripeSignature} from '@stripe/ui-extension-sdk/utils';

/**
 * This is a view that is rendered in the Stripe dashboard's customer detail page.
 * In stripe-app.json, this view is configured with stripe.dashboard.customer.detail viewport.
 * You can add a new view by running "stripe apps add view" from the CLI.
 */
const App = ({ userContext, environment }: ExtensionContextValue) => {
  const isUserSignedIn = false 

  const [data, setData] = useState(null);
 
  useEffect(() => {

    const fetchData = async () => {
      try {
        // just returns a 200 status
        const signaturePayload = {
          user_id: userContext?.id,
          account_id: userContext?.account.id,
        };
        const stripeSignature = await fetchStripeSignature()

        console.log(stripeSignature)
        const response = await fetch('https://cartwheel.ngrok.io/test_stripe', {
          method: 'POST',
          headers: {
            'Stripe-Signature': stripeSignature,
            'Content-Type': 'application/json',
          },
          // Include the account ID and user ID in the body to verify on backend.
          body: JSON.stringify({
            signaturePayload
          })
        });
        const result = await response.json();
        console.log(result)
        setData(result);
      } catch (error) {
        console.error('Error:', error);
      }
    };

    fetchData()
  }, []);

  return (
    <ContextView
      title="Hello world22"
      brandColor="#F6F8FA" // replace this with your brand color
      brandIcon={BrandIcon} // replace this with your brand icon
      externalLink={{
        label: "View docs",
        href: "https://stripe.com/docs/stripe-apps"
      }}
    >

<SettingsView>
      {/* Add your settings view content. */}
    </SettingsView>
...

OK, do you see any error in your browser console?

not a particularly useful one

I am nearly certain the request never even makes it to my server as I have logs set up on my server and nothing is getting hit

Open your Network tab and see if it tells you more about the network error.

I think Stripe is killing the request from the browser due to the signature not being valid

Hmm, it's a CORS error.

Anyway, there's a mistake that you might want to fix in your code

            signaturePayload
          })

should be

            ...signaturePayload
          })

ah yeah good find

Does your server accept CORS requests?

yep, thing is when the 'Stripe-Signature' Header is removed there's no CORS error, the response 200s, so I'm not sure if the CORS error is accurte

yessir

it returns a successful response without the header

https://stripe.com/docs/stripe-apps/reference/app-manifest#csprequest

i've noticed on other projects chrome with show a CORS error when in reality the issue is somethign else, it's just chrome dev console not having good error logging

yep, i have my endpoint added there (if I didnt the request without the header wouldn't work)

did you add your endpoint to connect-src ?

      "connect-src": [
        "https://api.chargeblast.io/",
        "https://cartwheel.ngrok.io/"
      ],

yes I have it added there, it is something very specific to the Header being passed in I think

Do you mind if I do send some post requests to your server?

Go for it

So I've found another interesting observation:

 const response = await fetch('https://cartwheel.ngrok.io/test_stripe', {
          method: 'POST',
          headers: {
            'Example': 'XYZ',
            'Content-Type': 'application/json',
          },
          // Include the account ID and user ID in the body to verify on backend.
          body: JSON.stringify({
            ... signaturePayload
          })
        });

This does not work

But removing the "EXAMPLE" header works

it seems adding anything to the header (nothing to do with the Stripe verification part) is causing the fetch to not get made

When I do it from postman it works

So am thinking there's some middleware on the stripe dashboard thats killing it

Have you run stripe apps upload ?

yes

i've done that and I'm running it via stripe apps start for a live developer experience

i can reupload it

Did you upload it before you set the connect-src ?

yes

Ah, can you upload it again?

yes will do, just seeing a small error

found violation for connect-src "https://api.chargeblast.io/": path cannot be empty found violation for connect-src "https://cartwheel.ngrok.io/": path cannot be empty

would you know how to make it like a wildcard allow?

    "content_security_policy": {
      "connect-src": [
        "https://api.chargeblast.io/",
        "https://cartwheel.ngrok.io/"
      ],

will just tuck it under a /stripe/ folder

Change it to https://cartwheel.ngrok.io/test_stripe

https://cartwheel.ngrok.io/stripe/test_stripe

moved my endpoint here

give me a moment

Update the connect-src, upload the Stripe app and try again.

Ok so I moved my endpoint instead to the above and changed the stripe frontend code to hit new endpoint, and updated connect-src. I've test app both within the stripe page direct and via stripe apps start seeing the same issue

        const response = await fetch('https://cartwheel.ngrok.io/stripe/test_stripe', {
          method: 'POST',
          headers: {
            'Example': 'XYZ',
            'Content-Type': 'application/json',
          },

this fails

      "connect-src": [
        "https://api.chargeblast.io/stripe/",
        "https://cartwheel.ngrok.io/stripe/"
      ],```

I thought I asked you to change it to https://cartwheel.ngrok.io/test_stripe ?

Wait

it doesn't matter

Did you run stripe apps upload ? was the upload sucessful?

It shouldn't matter, i just thought I was being clever to make it under a subfolder

yes the upload was successful

also, I had a connect-src error before, when i didnt have the endpoint/folder there, the request failed even without a random header on it

so I don't think that's it

Can you remove the Example header and use Stripe-Signature instead?

done, it is still the same issue

would it help if i send the exact curl request?

Can you try increment the version number in stripe-app.json and upload it again?

yes

Still the same error?

give me a sec, seem to be having a different isuee

weird, it gets past this error when i do stripe apps start

but when i do stripe apps upload this is a new error and nothing is loading

You mean you get error in browser console when running stripe apps upload ?

When I run the app via stripe app upload now nothing is loading in the UI of the drawer, but when I do stripe apps start, it loads the UI correctly, just fails on this web request

so it hits an error way earlier in the lifecycle on stripe app upload compared to stripe apps start

This is the same app, just with stripe apps start instead

Close the browser, run stripe login to login to your Stripe account, and then run stripe apps start

ok now im getting the error i was getting before, but i will bet if i try stripe apps upload nothing will work

So still the same CORS error?

yes

That's very strange

Hmm, can you create new Stripe app and upload the same code?

ok - how do I delete the stripe app?

i made a second one but now my account is quite bugged

i cant delete the old one and i have two of the same app and am getting duplicate console logs

https://dashboard.stripe.com/settings/apps can you uninstall the old one from here?

yes that worked ty

do i really need this header on the request?

can i just pass in on the body?

No, needs to be in the header to verify the request in your backend

I suggest fixing your CORS configuration in your backend server to permit that header

I dont think it has anything to do w/ my server because when i make a request with a random header in it, it also is blocked

and the request succeeds from postman

in my backend, can't i just look at the body instead?

Ok, so what does your manifest.json look like and to what URL are you making the requests?

this is my stripe-app.json

{
  "id": "com.chargeblast.helloworld2",
  "version": "0.0.5",
  "name": "Helloworld2",
  "icon": "",
  "permissions": [
    {
      "permission": "event_read",
      "purpose": "Allows reading event data from users who have installed the app"
    },
    {
      "permission": "dispute_read",
      "purpose": "Allows reading event data from users who have installed the app"
    },
    {
      "permission": "dispute_write",
      "purpose": "Allows reading event data from users who have installed the app"
    },
    {
      "permission": "charge_read",
      "purpose": "Allows reading event data from users who have installed the app"
    },
    {
      "permission": "webhook_read",
      "purpose": "Allows reading event data from users who have installed the app"
    }
  ],
  "ui_extension": {
    "views": [
      {
        "viewport": "stripe.dashboard.drawer.default",
        "component": "App"
      }
    ],
    "content_security_policy": {
      "connect-src": [
        "https://api.chargeblast.io/stripe/",
        "https://cartwheel.ngrok.io/stripe/"
      ],
      "image-src": [
        "https://images.example.com/one_image.jpg",
        "https://images.example.com/a_whole_subdirectory/"
      ],
      "purpose": "These URLs allow the app to contact [YOUR APP] for creating shipping details and loading images of shipping partner logos"
    }
  },
  "allowed_redirect_uris": [
    "https://api.chargeblast.io/callback_stripe",
    "https://cartwheel.ngrok.io/callback_stripe"
  ]
}

making requests to https://cartwheel.ngrok.io/stripe/stripe_test

I

I'm not sure what you mean by manifest.json - do you mean for my backend?

I'm not using node on the backend

Sorry, that is the manifest you shared

  const sig = request.headers['stripe-signature'];
  // Retrieve user id and account id from the request body
  const payload = JSON.stringify({
    user_id: request.body['user_id'],
    account_id: request.body['account_id']
  });
  try {
    // Verify the payload and signature from the request with the app secret.
    stripe.webhooks.signature.verifyHeader(payload, sig, appSecret);

this is example code of what i should do on the backend

cant i just pull the signature from the body instead?

I suspect ngrok is the issue here

See: https://ngrok.com/docs/faq/#cors-with-http-basic-authentication

It's probably blocking any of the non-standard HTTP headers (i.e. Stripe-Signature)

get same error when i try a different url

if i go right to the api instead of ngrok