#-m4yhem-_app-signature-verification
This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1272931719212695734
i checked the docs that was suggested in the previous thread, and, as stated, what this is to verify is a stripe app signature, to verify that the requests are coming from the app UI from the dashboard
now, the signature isn't quite the same as the one provided for the webhook
for the webhook, you have t=xxx, v1=yyy, v0=zzz, but for the app, you only have the first two
now, this doesn't seem to be a problem because stripe doesn't complain, it doesn't say something like "unable to extract params from sig"
but it does say that there is no signature matching the one you provided
Hi, sorry, I'll need some time to review this flow, it isn't one I work with often and I don't recall how it works off the top of my head
no worries at all
Hm, I'm not entirely sure, but my suspicion here is that JS's JSON.stringify() function may be building strings slightly differently than Python's json.dumps. Is there any chance you'd be able to compare the output of the two? (I'll try to do so as well, but the server is pretty busy today so it may take me a bit)
I think I see that Python is adding extra spaces that node doesn't when using json.dumps.
I'd suggest trying to add separators=(',', ':') to the call to dumps, to avoid any whitespace being added to the resulting string.
i tried that, as in {'user_id':'the_id','acct_id':'the_id'}, that is, hardcoded, instead of getting it from the request body
but it still didn't work
Add the separators parameter too please.
Comparing Node:
Result:
```
{"x":5,"y":6}
```
to Python:
```
import json
temp = json.dumps(['foo', {'bar': ('baz', None, 1.0, 2)}])
print(temp)
```
Result:
```
["foo", {"bar": ["baz", null, 1.0, 2]}]
```
the two methods add different amounts of whitespace by default, and I think that's the concern here.
Adding the separators parameter lets you adjust the whitespace:
```
import json
temp = json.dumps(['foo', {'bar': ('baz', None, 1.0, 2)}], separators=(',', ':'))
print(temp)
```
Result:
```
["foo",{"bar":["baz",null,1.0,2]}]
```
i understand, but, unfortunately, as I said before, it didn't work ;((
I need a lot more context on what you're seeing then. Can you share the exact code that you're using, along with the outputs you're seeing?
yes, i'll send you a pastebin link
here you go https://pastebin.com/4TiSyZdQ
it's burn after read
in the first part, you have the code of the frontend, the part that concerns the signature
and in the second part you have the server code of the signature
hi!
Hm, nothing is standing out to me looking through that.
Hello! I'm pretty sure the issue is that you're converting to JSON. The payload must be the exact, unmodified bytes from the request. Changing anything at all, including whitespace, will break the verification process.
Can you modify your approach to pass the raw, unaltered body instead of converting/parsing it into or out of JSON?
hi! thanks
the payload that's sent through the request from the frontend, isn't it only to verify the signature? that is, the user id and account id are already on the signature that was generated by the fetchStripeSignature method
that is, whatever is being sent is only relevant if it matches the way the webhook verifier reads the acct id and user id from the signature header
rather than having the exact same thing that was sent through the request body from the frontend
at any rate, the whitespaces and ordering was respected
no worries
Yeah, not seeing anything amiss in your code... perhaps the app_secret you're using isn't correct?
the secret, i got it from the app settings, absec_..
that seems ok
i think that it could be a timezone thing
im checking that out now
because the server is UTC and I'm in CEST
but not sure if that's the case tho
The signature verification process does require the time to be set correctly, but the timezone shouldn't matter.
yes, you're most definitely right, but i thought that the fact that i was 2 hours ahead of server time (due to the timezone) could be causing problems
Hang on, asking someone else on my team who's better at Python and Stripe Apps than I am.
great! thanks a lot
i've just found out that it works if you send a payload with no data
if you send only this
```
body: JSON.stringify({
  ...signaturePayload,
}),
```
instead of
```
body: JSON.stringify({
  ...requestData,
  ...signaturePayload,
}),
```
which is what's on the docs
okay, that wasn't the case, now it works even if you do that
super strange