#pavlos_elpidorou


summer nightBOT
tropic canyon
#

Can you share an example evt_xxx ID that is failing the signature check? Also your webhook handler code

keen breach
#

Yes of course.

#

evt_3Oh46DCG5LI7m2080L1NMYDl

tropic canyon
#

Taking a look

#

Yeah your endpoint is returning a 500 error. Can you share the code?

keen breach
#

basically we are using this PHP package to handle the webhook request, including verifying if the signature matches

tropic canyon
#

Then I recommend you file an issue with that third-party library. They write and maintain that codebase

#

Otherwise: ensure that the whsec_xxx you're using in your code is the correct one for the webhook endpoint from your Dashboard

keen breach
#

Hm ok. I see.

#

So there is no way to manually verify the signature from the webhook request against the whsec_xxx to verify that they match?

tropic canyon
#

Our SDKs have this tooling built in, which is what I assume that Laravel library wraps (the PHP SDK)

keen breach
#

Yes. The package internally uses the stripe-php package

tropic canyon
#

Yeah then if you're sure that the whsec_xxx secret in your code definitely matches the one from the Dashboard for the endpoint then the likelihood is the issue lies in the code

#

And unfortunately, as you've not written the code yourself, it's hard for us to help

keen breach
#

After having a look at the package's code, on the controller which handles the webhook request, it creates a new WebhookConfig instance and then passes it to the WebhookProcessor along with the request

#

which then calls this isValid method

tropic canyon
#

No idea what either of those classes are. They're not native Stripe code so I guess it's specific to that lib

keen breach
#

and internally it calls Webhook::constructEvent which is the native stripe-php library code

tropic canyon
#

Yeah the common issues with invalid secret signing are:

  • The wrong whsec_xxx being used
  • The request payload is being parsed/malformed by some logic before it's passed to constructEvent. That function expects the raw request body

#

If it doesn't match the signature from the headers, then it'll error

#

I suspect the issue is the latter, but you'd need to figure that out really as it's a third-party lib

keen breach
#

Is it possible for you to provide me with the raw request body for the specific event I've sent you - evt_3Oh46DCG5LI7m2080L1NMYDl - so I can do some investigation?

tropic canyon
keen breach
#

ok thank you very much