#jackarama-manual-webhook-verification
Hi
Manual verification of webhook events is very error prone and honestly I don't know how much help we can provide beyond what is in our docs. It's why we recommend using the convenience features of our client libraries.
But I can help debug a little
I am pretty sure the signature, payload, and secret key I'm getting are not matching up.
What do you mean here
Well, simply, if you take the payload I've attached with the secret key that came from the CLI and compute the hash digest using an online tool like the one I linked, you can see it doesn't match the hash digest in the request header from Stripe.
I definitely appreciate that writing the code for message verification by hand is a PITA.
(and error prone)
Ah wait
I realized I forgot to concat the timestamp in the online tool
Though my code does do this.
I need to see if the digest still mismatches if I concatenate timestamp.body
Yeah, if I concatenate the timestamp to the front, the digest is 21688590e5d1e6090e301d87f4308b677f680783452942372551fca5792bc2e1, which still does not match the digest in the stripe header, anyway.
I'm the only person responding to all questions on the server at the moment so I won't have time to manually compute the signature. But if the HMAC verification is not matching then there are a few most likely culprits.
- The WH signing secret (key from the CLI)
- Verify the webhook signature value is making it to your code
- Double check the request.body. Any changes, including whitespace, can impact verification
No worries, I really appreciate your help.
I have definitely checked #1 more than once.
Also, I am pretty confident that #2 is OK, and even if it weren't I should be able to manually compute a correct hash, even if my code is not parsing the header string correctly (or it gets lost along the way, etc.).
#3 is definitely my biggest concern. I will say that this payload.json file was created by literally writing the exact bytes of the request body to disk. I am pretty sure the body is not being modified.
And you are concatenating the signed_payload string using .? https://stripe.com/docs/webhooks#verify-manually-2
Ahhhhhhhhh I finally figured it out! It turns out that I was not decoding the digest from the header from hex into bytes correctly!
I was going hex string -> bytes (UTF-8 bytes of the hex string), instead of correctly decoding the hex string into the bytes via a hex::decode.
So you are seeing matching signatures?
Happy to hear it
Manual verification is no easy trick! I'm glad you got it working