#fab8808


swift dustBOT
humble marsh
#

hey there!

#

Most commonly this is an issue with the raw webhook request body, as you note

#

What did you do to try to fix that?

peak ridge
#

Hey, thanks! I just changed from:

payload = request.body.decode("utf-8")

to:

payload = request.body

but nothing changes. I don't have any other ideas.

humble marsh
#

What do you mean nothing changes? What behaviour are you observing? Is that the raw request body, or is your framework parsing the string to JSON somewhere upstream?

peak ridge
#

I mean that the error generated is the same:

No signatures found matching the expected signature for payload

This error is generated at this line inside the stripe.webhook.py module:

    @classmethod
    def verify_header(cls, payload, header, secret, tolerance=None):
        try:
            timestamp, signatures = cls._get_timestamp_and_signatures(
                header, cls.EXPECTED_SCHEME
            )
        except Exception:
            raise error.SignatureVerificationError(
                "Unable to extract timestamp and signatures from header",
                header,
                payload,
            )

        if not signatures:
            raise error.SignatureVerificationError(
                "No signatures found with expected scheme "
                "%s" % cls.EXPECTED_SCHEME,
                header,
                payload,
            )

        signed_payload = "%d.%s" % (timestamp, payload)
        expected_sig = cls._compute_signature(signed_payload, secret)
        if not any(util.secure_compare(expected_sig, s) for s in signatures):
            raise error.SignatureVerificationError(
                "No signatures found matching the expected signature for "
                "payload",
                header,
                payload,
            )

        if tolerance and timestamp < time.time() - tolerance:
            raise error.SignatureVerificationError(
                "Timestamp outside the tolerance zone (%d)" % timestamp,
                header,
                payload,
            )

        return True

At line 14 from the bottom

humble marsh
#

Sure, but that's the internals of that method, right?

#

I mean in your code, what's happening with the request and the payload?

#

You should first check that all the arguments here contain the values you expect:

event = stripe.Webhook.construct_event(
    payload=payload, sig_header=sig_header, secret=endpoint_secret
)
#

Many frameworks will try to be helpful and parse JSON from request body strings, but that will interfere with the signature verification here.

peak ridge
#

The request is just called from the Stripe client; I don't do anything. I have to check maybe the 'sig_header'. Are you suggesting that maybe Django is doing something under the hood?

#

I checked the signature_header... it is not empty, but I don't know if it's right or wrong...

humble marsh
#

Assume the signature header is valid if not empty

#

Check your endpoint secret matches what you see on the dashboard page for the endpoint (or the CLI output if using stripe listen)