#mulo_webhooks

👋 Welcome to your new thread!

⏲️ We'll be here soon! We typically respond in a few minutes, but in some cases we might need a bit more time (e.g., server's busy, you've got a complex question, etc.).

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1260604125951819807

📝 Have more to share? Add details, code, screenshots, videos, etc. below.

when somebody loads a session, the server logs for example:

6|appbot website  | sessionId:  cs_live_a1X6skMX4SP7awiq1i3MD90zaPS0Ul2lm5GNodWcDqt....

But in the error above no session were logged

❌ Error getting raw body: No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe?
6|appbot w |  If a webhook request is being forwarded by a third-party tool, ensure that the exact request body, including JSON formatting and new line style, is preserved.
6|appbot w |
6|appbot w | Learn more about webhook signing and explore webhook integration examples for various frameworks at https://github.com/stripe/stripe-node#webhook-signing

Hello, that constructEvent method can be very sensitive because hashing algorithms by design try to make a very different hash if even one bit is off. Basically one of the three things that you are passing in to that method is incorrect so you will want to double check:

1. That you are passing in the correct whsec_ secret key for your secret
2. That the message headers that you are passing in are populated properly
3. That you are passing in the event's raw body decoded as UTF-8

#3 is usually the issue but I would reccommend checking #1 and #2 first because they are much faster to check. I'm happy to walk through how to check them if you are unsure

you mean the creating session part of the code?

Nope, this is in your webhook endpoint code, which would be separate

The checkout session creation is working properly, we are sending you a webhook event after and that is what is erroring out

import getRawBody from 'raw-body';

let prodSecret = process.env.prodSecret
const endpointSecret = process.env.endpointSecret
const webhookSecret = process.env.webhookSecret
const stripe = new Stripe(prodSecret, {
  apiVersion: '2022-11-15',
});

export const config = {
  api: {
    bodyParser: false, // Disable Next.js's body parsing
  },
};


export default async function handler(request, response) {
  
let event;
  try {

    const rawBody =  await getRawBody(request);
    const signature = request.headers['stripe-signature'] ?? '';

    event = stripe.webhooks.constructEvent(
      rawBody,
      signature,
      webhookSecret
    );

  } catch (err) {
    console.log(`❌ Error getting raw body: ${err.message}`);
    return response.status(500).send(`Error getting raw body: ${err.message}`);
  }
...

i guess that is the error

tho i did try myself using stripe with a credit card and all went through correctly before

now I think a customer did use a card but there were no funds? dunno if that might be the case

@atomic pewter

Those are two separate issues. We can check in to both, but I want to be clear there. The notification might have been about the payment succeeding, but the payment will succeed or fail regardless of whether your server can process the webhook.

That being said, the webhook is important to listen to, because otherwise you may miss that a payment happened

right, i think if the payment fails i'v set it up to do nothing or res 500
im only processing if (event.type === 'invoice.paid') {

is there something wrong on the above code?
As mentioned I did live test with real card of mine before and worked properly

unless somebody is misuing the backend url

as in making fake requests

actuallly that would not be possible as they would not know the url

If you have not already, it might be a good idea to change your endpoint's settings so that we only send invoice.paid events to that endpoint. It will probably still make sense to make that check, but filtering the events at the settings level could help your server process less data.
https://dashboard.stripe.com/workbench/webhooks

That is actually exactly what that constructEvent code is about! It is trying to verify that the event actually came from Stripe. If you always get this error for any event, then it sounds like you may have something wrong with your code

I know, but there should not be a way a random user would see that url right

There shouldn't, but you never know. Bad actors can get access to all kinds of URLs and such that they shouldn't be able to access. We highly reccommend verifying your webhook events to protect against this.

as in are what u suggested:

1) That you are passing in the correct whsec_ secret key for your secret
2) That the message headers that you are passing in are populated properly
3) That you are passing in the event's raw body decoded as UTF-8

properly set in my code?

I can't check any of those from here, those all refer to what your variables are set to. You will want to check the three variables that you are passing in for:

      rawBody,
      signature,
      webhookSecret
    );```

So first, I would say to check what webhookSecret is set to, and verify that it is the same as the webhook secret that you see if you click on that blue "Reveal" link on the page from this screenshot

✅ correct

the rest is

import getRawBody from 'raw-body';


 const rawBody =  await getRawBody(request);
 const signature = request.headers['stripe-signature'] ?? '';

so not much from me

I guess I should just make a less obvious webhook endpoint maybe? random characters

Can you print out your signature variable and send it here?

id need an event, iv console logged it, not sure when it will come through again

You can resend events through our CLI. That would be a great way to test this https://docs.stripe.com/cli/events/resend

Actually, did you test this same code in test mode? If this code is working in test mode, it should be able to work in live mode except with your live mode secret

so i can only resend an event in test mode?

const signature = request.headers['stripe-signature'] ?? '';
console.log(signature)

Yep that looks correct

but now im actually super confused: i'v found this in my test mode dashboard:

I believe you can resend in live or test, it just may be easier to test in test mode

these are the errors i was all of a sudden getting from .. test mode?

im confused

Do you also see logs like that in the live mode version of that page?

i ust disabled the one I was using

so no I guess

what coudl have triggered test mode webhook events lol

I guess stripe still sends events to test first and only if it finds it in test mode

disabled all webhooks on test mode I guess

could u confirm?

also side question: Iv just created a new webhook, I just need to update the secret and the we_1p ... variable and im all set?

The webhook secret should start with whsec_ but yes, when you are using a new webhook endpoint, you will need to use its secret when you are constructing events that are sent to that endpoint

I guess stripe still sends events to test first and only if it finds it in test mode
👆 this was the issue?

No, we only send test events in test mode and live events in live mode. Are your test and live endpoints pointed to the same URL? If so, it sounds like this error may be happening because you are using a live mode secret for test mode events

Are your test and live endpoints pointed to the same URL
yup they were actually, hence the observation that test events take priority

anyway i think it is solved. Thanks for support!

Gotcha, while that is true we will send events from whichever endpoint is enabled to that URL. We typically reccommend using different URLs as it makes choosing the key easier, but you can also check what mode the event is from in your code https://docs.stripe.com/api/events/object#event_object-livemode

@craggy vapor let me know if you have more qs