maverick-webhook-signature | Stripe Developers | Page 1

modern merlinBOT Feb 16, 2024, 11:43 PM

#

frank sky Feb 16, 2024, 11:43 PM

#

hey 🙂

raven gazelle Feb 16, 2024, 11:44 PM

#

Hi 👋

First can you log and confirm the Webhook endpoint secret and Stripe Signature header in the request?

frank sky Feb 16, 2024, 11:44 PM

#

const endpointSecret = "redacted";

app.post('/webhook', express.raw({type: 'application/json'}), async (request, response) => {
  const sig = request.headers['stripe-signature'];

  let event;

  console.log("request.body: ", request.body)
  try {
    event = stripe.webhooks.constructEvent(request.body, sig, endpointSecret);
  } catch (err) {
    console.log("error: ", err.message)
    response.status(400).send(`Webhook Error: ${err.message}`);
    return;
  }

  response.send();
});

raven gazelle Feb 16, 2024, 11:45 PM

#

Primary causes for this error, especially when going from dev -> prod

webhook secret isn't set to production endpoint value
signature header is not extracted
request body is transformed by app (or hosting provider)

frank sky Feb 16, 2024, 11:45 PM

#

it goes in the catch block in production

frank sky Feb 16, 2024, 11:45 PM

#

raven gazelle Primary causes for this error, especially when going from dev -> prod * webhook ...

I would guess #3

raven gazelle Feb 16, 2024, 11:46 PM

#

Okay so first log the secret. Don't share it here but make sure it matches the endpoint secret for your Webhook endpoint: https://docs.stripe.com/api/webhook_endpoints/object#webhook_endpoint_object-secret

frank sky Feb 16, 2024, 11:46 PM

#

it's defined right before the function so it should be fine, right?

raven gazelle Feb 16, 2024, 11:46 PM

#

No

#

log it

frank sky Feb 16, 2024, 11:46 PM

#

all right, redeploying

raven gazelle Feb 16, 2024, 11:46 PM

#

Also, is that checked into version control?

frank sky Feb 16, 2024, 11:47 PM

#

yeah

raven gazelle Feb 16, 2024, 11:47 PM

#

Shouldn't you be using some sort of env config?

frank sky Feb 16, 2024, 11:47 PM

#

it's all private for now, but yes you are right

#

this should go into the .env

#

also thanks for the swift response/assistance with this

raven gazelle Feb 16, 2024, 11:49 PM

#

So the first thing I would do is make sure it matches the secret fot the webhook endpoint you have registered in your Stripe dashboard

#

I see you are logging the request.body. Does that appear to be the same between dev and production?

modern merlinBOT Feb 16, 2024, 11:50 PM

#

maverick-webhook-signature

frank sky Feb 16, 2024, 11:54 PM

#

sorry for the delay. my host sucks 🙂 it does log the endpointSecret though

frank sky Feb 16, 2024, 11:54 PM

#

raven gazelle I see you _are_ logging the `request.body`. Does that appear to be the same bet...

yes. both buffers

#

same structure

raven gazelle Feb 16, 2024, 11:54 PM

#

No worries. And that string matches the endpoint secret for the webhook in your dashboard?

frank sky Feb 16, 2024, 11:54 PM

#

yes, it does. exact match

raven gazelle Feb 16, 2024, 11:58 PM

#

okay and what about the value for sig? Does that look as expected?

frank sky Feb 17, 2024, 12:06 AM

#

after logging the sig, i noticed a missing character in the endpointSecret

#

thank you so much

#

and apologies for the incompetence

#maverick-webhook-signature