#franck-webhook-test


grand jettyBOT
long thicket
#

@pliant chasm I'm sorry I don't really understand the question

pliant chasm
#

Trying to write a test for my webhooks so I need to generate a valid test request containing the event payload but also a valid signature because my code verifies the signature using the Stripe PHP library like so

```php
    $request->getContent(),
    $request->header('stripe-signature'),
    config('services.stripe.webhook_signing_secret')
);
```
#

so I need a valid stripe-signature header

long thicket
#

You either hardcode a valid one (what we do in our test suite) or you calculate one first I would say


pliant chasm
#

hmm how do I calculate a valid one ? 😛

long thicket
#

you have to do the reverse of this. But really what I recommend is to use a valid one like what we do and hardcode that

pliant chasm
#

I am just not sure what a "valid one" is or where I can get one

long thicket
#

One way is to get a real Event in Test mode on your account and extract that information

pliant chasm
#

hmmm I get this error : "signature exception No signatures found matching the expected signature for payload"

long thicket
#

are you calling the right method? What's your code? that function literally calculates the HMAC

pliant chasm
#
```php
    \hash_hmac('sha256', json_encode($payload), config('services.stripe.webhook_signing_secret'))
);
```
long thicket
#

I mean that code would never cause the error you said, the error comes from somewhere else?
Also you should never call json_encode on the $payload either

pliant chasm
#

well, hash_hmac is expecting string $data

long thicket
#

you want a raw string, the exact payload Stripe would send when they send you the Event. If you as a developer do anything to tamper with that raw payload like using json_encode or json_decode or anything else, even adding a comma or a new line, you change the payload and change the whole signature

#

I worry you are mixing up how signatures are working and I would highly recommend taking a step back here and not reinventing what our library does

pliant chasm
#

You are right, let me check something, I'll come back when I have a clearer head

#

thanks a lot

long thicket
#

All good, really if it were me I would hardcode the values

#

that's what we do in the library, you could even pick those values

pliant chasm
#

I am not sure what you mean by hardcode values... I don't know where to get those

long thicket
#

You're a developer and you have a Stripe account so you can spend a few minutes generating a real Event in Test mode on your Stripe account, find the signature, etc.

pliant chasm
#

Can I use one generated by the stripe-cli ?

long thicket
#

the CLI doesn't generate anything, it just "forwards" what it receives from Stripe. but yes