#bogdan-webhook-signatures
Hi there. You should use our official client library to do this: https://stripe.com/docs/webhooks/quickstart?lang=java
Yes. This is what I'm doing.
When Stripe is calling my webhook endpoint, all works well.
But I would like to also have some integration tests.
I would like to sign some transactions in my integration tests.
I'm using Gradle
implementation 'com.stripe:stripe-java:24.1.0'
and this is how I try to sign my request:
import com.stripe.net.Webhook;
String stripeSignature = Webhook.Util.computeHmacSha256(webhookSigningSecret, body);
But you do not have examples online on how to generate a valid signature.
Only how to validate them, so I'm stuck.
I can only test manually, but I also need to set up automated tests. So I need to generate some valid signatures.
Ah so you are mocking the Webhook.constructEvent method then to build the test?
Correct.
What is the body variable above?
https://stripe.com/docs/webhooks#verify-manually
goes over how to calculate an expected signature
You can use that to generate one for test
This is not explaining how to generate that thing.
That is exactly my frustration.
Does Webhook.Util.computeHmacSha256(webhookSigningSecret, body); generate the v1 section, and I need to fill in manually the 1 and ignore v0?
As you can see, a lot of things are left out.
Yes
But that's explained above
But if you're mocking things that shouldn't matter much
I'm not mocking things. I need this to actually process valid signatures during integration tests.
I'll try to concatenate the string and see if it passes the validation.
I tried this.
String stripeSignature = Webhook.Util.computeHmacSha256(webhookSigningSecret, getRequestBody());
long time = (new Date()).getTime();
String concatenatedSignature = "t="+ time +",v1="+ stripeSignature;
It does not work
this was the generated signature
t=1700238001071,v1=04f6b5749ea7979a7aa1785d58ec08c86d418295712f532286dcfe88bff30bf1
It's just a string that holds a copy of a request.
It always returns this
I need to create a gist. It's too long. But I saved in that string a valid body that actual Stripe called my webhook with.
If I pass this body with this signature
t=1700220464,v1=568ce3831b530347a261580d6b47c1794aefe54b70a9d12a6d359a0d53ac84af,v0=af1ab02ff14c9c243e2e62951a80fc904f4f9073ef32140c860f336d86cd7b62
it works
but the same body signed by me with this signature
t=1700238001071,v1=04f6b5749ea7979a7aa1785d58ec08c86d418295712f532286dcfe88bff30bf1
it fails
The body looks ok from the gist. The key here, though, is that it has to match exactly how your original webhook endpoint received it (formatting and whitespace have to be identical). You also have to use the same webhook signing secret that was used from that original webhook endpoint that received the event and included the above signature.
Everything is identical. It is locked down in this hardcoded string.
When I pass that body with good signature it passes.
When I try to sign that body, it fails.
Show me a snippet of code on how to sign, please.
All the way to the final concatenated string.
This is not sufficient
import com.stripe.net.Webhook;
Webhook.Util.computeHmacSha256(webhookSigningSecret, stringBody);
Hi
I would strongly advise against attempting to build your own webhook signature verification process. We have the Webhook.constructEvent() function written into our Java client library to perform exactly this function
https://stripe.com/docs/webhooks/quickstart?lang=java
So how would a developer write tests? I'm stuck with only a hardcoded body and hardcoded signature. This is not sustainable. What is the point of having this method exposed by the Stripe SDK? Webhook.Util.computeHmacSha256
I recommend using the Stripe CLI to trigger a webhook event, then use the received HTTP request to construct a mock request object you can test against.
https://stripe.com/docs/cli/trigger
You could create different mock requests for each event type and periodically update them to be sure you have the latest changes. However, our Event objects and the Webhook requests do not change often.
The CLI was nice to get me to this point. But that is only manual testing. It is not good for automation tests.
In automation tests I need to validate different payment sessions, different prices, different things.
I need automation.
For automated tests we recommend mocking responses
Stripe responses don't change all that often
Thank you for this.
It would be nice in Spring to get this PaymentIntent paymentIntent = PaymentIntent.create(params);
And sign it and send it to my tested webhook.
I can only unit test like this but not integration test.
I guess it is what it is.
Thank you for the support
I got it.
I was able to sign my payload.
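String body = getRequestBody();
// Stripe's t= value is a Unix timestamp in seconds, not milliseconds
long timeStamp = System.currentTimeMillis() / 1000L;
// The signed payload is "<timestamp>.<raw request body>"
String payload = timeStamp + "." + body;
String signedPayload = Webhook.Util.computeHmacSha256(webhookSigningSecret, payload);
String stripeSignature = "t=" + timeStamp + ",v1=" + signedPayload;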
Okay great!