#brew-webhook-dotnet

jaunty beacon
#

Hey @bitter schooner .. I guess you're here to help. Just to add some context... I am receiving the webhook just fine, but the authentication is failing - and yes I absolutely am using the correct key (as supplied by the CLI listen console feedback). To get around this, I am pulling the event ID out of the content, and just retrieving it fresh from Stripe. This is getting me around the authentication and still not having me trust the actual content supplied in the itself - but there are loopholes as you can imagine. It really should be using the authentication key before doing any work at the expense of efficiency.

Any ideas?

bitter schooner
#

Hello 👋
Give me a moment to catch up

#

I haven't come across any issues similar to this before myself.

#

Looking to see if there's any already reported issues around this..

#

When you say authentication failing, what's the exact error you're seeing when you call ConstructEvent?

jaunty beacon
#

Maybe it's me then. It must be..... In the ConstructEvent I am passing "Stripe-Signature={theheadervalue}"

theheadervalue in my case is t=1692716996,v1=0a5a18e337550fa8ccdc841dce341e1f74d539ed2a36451ee7954e591eabbd93,v0=28105b158a5ce4e8bbea566914b1b7f2d51eed432d0763db423230d9dd7c1ab5

I presume there's a datetime stamp in there checked against the default 300 threshold so it does change with every request

#

The error from the .net API framework comes from this code in the API

if (!IsSignaturePresent(signature, signatureItems["v1"]))
{
    throw new StripeException(
        "The expected signature was not found in the Stripe-Signature header. " +
        "Make sure you're using the correct webhook secret (whsec_) and confirm the incoming request came from Stripe.");
}

#

That "t=" I know is the timestamp and the v0 is the key in the response header. But as you can see from the API code = ot

#

it's looking for v1, not v0 that's in the header

bitter schooner
#

Can you share the complete code you have for the webhook handler?

jaunty beacon
#

Sure.. One sec.....

#

(let me just clean out all the comments).....

#

[Route("api/v1/webhooks")]
[HttpPost]
public async System.Threading.Tasks.Task<IHttpActionResult> Index()
{
    // Read the raw request body; await instead of blocking on .Result inside an async method
    var json = await Request.Content.ReadAsStringAsync();
    try
    {
        string theSecret = "mysecret";

        var PassedKey = Request.Headers.GetValues("Stripe-Signature").FirstOrDefault();
        var stripeEvent = EventUtility.ConstructEvent(json, $"Stripe-Signature={PassedKey}", theSecret);

        if (stripeEvent.Type == Events.ChargeSucceeded)
        {
            var thisThing = stripeEvent.Data.Object as Charge;
        }
        else
        {
            Console.WriteLine("Unhandled event type: {0}", stripeEvent.Type);
            return NotFound();
        }

        return Ok<UniversalDataAccess.SERIALIZATION.ApiResult>(new UniversalDataAccess.SERIALIZATION.ApiResult("Logged"));
    }
    catch (Exception ex)
    {
        return Content<UniversalDataAccess.SERIALIZATION.ApiResult>(HttpStatusCode.InternalServerError, new UniversalDataAccess.SERIALIZATION.ApiResult(ex.Message));
    }
}

tawny garden
#

@jaunty beacon you're not supposed to share that secret value, please edit your message and remove it and then roll your secret

#

brew-webhook-dotnet

#

There are many different reasons that can cause this issue. Why do you think the problem is with 1= versus v1= ?

#

Where does json come from in your code? It's mentioned nowhere

jaunty beacon
#

Because of this in the stripe.net library :

if (!IsSignaturePresent(signature, signatureItems["v1"]))
{
    throw new StripeException(
        "The expected signature was not found in the Stripe-Signature header. " +
        "Make sure you're using the correct webhook secret (whsec_) and confirm the incoming request came from Stripe.");
}

It seems to be looking for key "v1" in the header which isn't sent. Only "v0" is found in the Stripe-Signature header

#

Oh - and sorry - I should have removed that json line. I use that to pull the ID out of the content if I am bypassing the authentication

tawny garden
#

Do you have an example Event id I can look at?

jaunty beacon
#

Sure... let me run it again.....

#

evt_3Nhx4NEyjK51k5ux1V6e7fHE

with key
t=1692720281,v1=eef1f49e44cbe1eb99d40e025723b6d87d476e175a4bf5a6d898500d135c8bfd,v0=920418f25da01255daf60547a12bd3d9a0ff1af29cb26de08c6303b5e2c66aba

#

Hey! There's a v1 now!

tawny garden
#

yeah there's always going to be a v1

jaunty beacon
#

Oh jesus.

#

I totally missed that.

#

Ok. Well... I thought the v1 was missing... I was just blinf

#

blind

tawny garden
#

haha all good 🙂

jaunty beacon
#

But... Something is still failing on the authentication..... Let me try pulling some API out so I can step through it....

tawny garden
#

Like it could be many things. Not having the right secret (common if you use Stripe CLI and don't realize it has its own secret). Or not having the exact raw payload we gave you (really common where people serialize/deserialize the JSON and don't realize they change the content)

jaunty beacon
#

Nah - that's not it - it is something to do with how I am passing the headers back to the constructevent... I thought the string should look like "Strip-Signature=t=1692720281,v1=eef1f49e44cbe1eb99d40e025723b6d87d476e175a4bf5a6d898500d135c8bfd,v0=920418f25da01255daf60547a12bd3d9a0ff1af29cb26de08c6303b5e2c66aba"

But that's not right.... If you know off hand... great... otherwise I can dig into it.

tawny garden