#p_webhooks
Hi there! Let me take a look
The event ID you shared doesn't seem to exist. Are you sure it's correct?
But if you're seeing errors about webhook signature verification, then this guide can be useful: https://docs.stripe.com/webhooks/signature
Hi Arran, I'll be right with you
I'm here, alright I would like a bit of help testing this code, I will share my file here, and maybe you can tell me where my error is?
-
I am testing my stripe-webhook file from VS code, edge function logs in Supabase are supposed to show 200 Ok after a test purchase on the pricing page in my website
-
The event ID I just sent you was from yesterday's tests. Today I created a new event, same test, but it doesn't show as an event unless I pay with Link? Like paying with pre-signed in email etc - that seems to create an event that can be repeated. Like checkout .updated.etc
-
I am only looking to test my webhook before accepting live data from real customers on Stripe
Can you share any ID, whether your account ID (acct_…) or a payment intent (pi_…), so I can see what's happening with your webhooks?
My file structure is app/supabase/stripe-webhook/index.ts
Yes, let me check to see that an event updates, and I will share the ID with you from my recent tests today
https://dashboard.stripe.com/acct_1SrLYnGLw3u0O4n2/test/workbench/events
Here is the link to my workbench
OK, so this account has one webhook endpoint, listening to checkout.session.completed events - but your account has not yet generated any events, except for the one you mentioned earlier: https://dashboard.stripe.com/acct_1SrLYnGLw3u0O4n2/test/events/evt_1SrLYoGLw3u0O4n2l3P0wCJB
So there haven't been any events sent to your current webhook so far from Stripe
I just updated my env.local file with the new test keys of this workbench and am testing another test transaction, it should generate an event in a couple of moments
I select a product on my pricing page > it links to stripes checkout
Here it remembers the test email and test card, and if I pay this way, an event is created
OK, and do you see that event in Workbench?
No, it's strange. Yesterday, they were showing up
Both new test checkouts and email saved test checkouts
These logs of each test do show up in Supabase, as the STRIPE_WEBHOOK_SECRET is saved in the secrets section
Can you share a Checkout Session ID? It looks like cs_test_… - you can also see it in the checkout URL
Why are they showing up and updating in Supabase, but not in Stripe?
I will share with you the raw data from Supabase's logs, maybe it will be there?
If there's an evt_ ID that would help, but not the whole log
Or a cs_test_… ID
Here are the Supabase logs, the 200 Ok, shows the transaction working and coming in, and the 401s after that, are supposed to say DEBUG LOGS, WEBHOOK CREATED SUCCESS OK, or something like that
You need to share a Stripe ID from your Checkout for me to be able to see what we're sending, and what your webhook endpoint is returning
Yeah, that would be fine. Or just the cs_test_… ID from that URL
Here is my Stripe test url from the Checkout Session
OK, thanks. And you've completed the payment there?
I am about to, should I pay with Link, the remembered test payment info pre registered? Or should I pay without Link, a new test transaction 4242 4242 4242 4242, and a new test name and Zip code etc?
It doesn't matter. But that ID helped me to find your account (different from the sandbox ID you shared earlier) and the most recent checkout event: https://dashboard.stripe.com/acct_1Qwe7dGPESFqZVLr/test/events/evt_1Sre3mGPESFqZVLrFfRC69mG
If you look at those details in Workbench, you should see that your Supabase endpoint is returning HTTP 401 with this content:
{
code: 401,
message: "Missing authorization header",
}
So it looks like your endpoint is configured to require authentication, like a username or password?
Yes, I talked to Stripe Support on Twitter, they are the ones who referred me to the Discord chat with you, it looks like last year Stripe redesigned the Sandbox, test mode, and webhook creation last year
Yes I heard that from Chat GPT AI, the error is either the user Auth, or the Stripe-Signature verification, being accepted.
But I have user auth toggled off, for the testing and completion of my website. I am almost done developing it, and was testing only the paywalls and checkout process. Once the webhooks are confirmed, I will enter live mode on Stripe, update my products with price IDs, and then add the email/ user Auth back
Do you recommend user auth be active in my website before testing payments and webhooks? Or is it a requirement?
Supabase comes with user Auth and magic link emails already coded into the backend, but I toggled it off because it needs to be tested separately, for logged in user sessions persisting
Whether you have authentication on your website and other API endpoints is a separate topic to whether you have authentication on your Stripe webhook endpoint.
For your webhook endpoint URL (https://lyrydofvbckjylmqxnyy.supabase.co/functions/v1/stripe-webhook) you can leave authentication disabled, and then make sure that your Supabase code is verifying the webhook signature: https://docs.stripe.com/webhooks#verify-official-libraries
Or if you do want to keep username+password authentication enabled on your /functions/v1/stripe-webhook endpoint, you would need to update your webhook URL in Workbench to something like: https://my-username:my-password@lyrydofvbckjylmqxnyy.supabase.co/functions/v1/stripe-webhook
This is interesting, so you mentioned the logs are showing Auth header required, this means the logic is asking for uuid, or some type of logged in user
That would require a logged in or different url from Supabase to create the webhook url for Stripe
But in Supabase, I logged in automatically with Github when creating my account.
If the webhook works with the test checkout session, with no logged in user, that should bring back the 200 ok success and DEBUG logs that the webhook logs are supposed to show.
I haven't created any other webhooks on my site, but I do understand their value. It is to confirm the validity of monetary data in this case passed between my website and Stripe
It protects from any chargebacks, canceled payments, any kind of injection or malware that (hopefully never happens) at the time of payment
Normally on a website, a user would be logged in to their account when they pay for something, do you think that could be why the webhook is failing?
Hey, taking over here, just give me a few minutes to catch up
Hi Dougal, thank you guys for your help. I am new to webhooks and user Auth here, and their relationship. You guys are the experts, it's better to ask you guys than Chat GPT
By the way, here I have only been selecting the left option, since my webhook url says v1, should I select the right option?
So when Stripe attempts to deliver an event to your webhook URL, it won't be logged in as a user, so the URL has to be accessible without any kind of authentication, I think this is the main issue here. You need to ensure that the particular webhook endpoint URL is accessible without being logged in
The left option is indeed the correct one
Ok, my checklist for webhooks is this, maybe you can help me see where the error might be?
Since the webhook doesn't require user auth, it only checks for Stripe Signature, Service Role Key inside the function, and my database tables
I have updated Supabase secrets - those AI said, typing the whsec-.... secret key from Stripe is better than copying it into Supabase since there could be empty or invisible blank space when secret keys are copied and stored.
Webhook Url from supabase
Updated stripe-webhook/index.ts file
Update stripe test keys that match the new endpoint created
Deployed to supabase
I think I need to add the new stripe_secret_key to supabase's secrets
I just updated the STRIPE_SECRET_KEY in Supabase Secrets to test the webhook from Stripe
I am going to test a transaction, send you the url, so you see the cs_id.... and then you will what you see in the raw data from the webhook's response
Great, thanks. Can you also share your webhook's code?
app/subabase/functions/stripe-webhook/index.ts
```ts
import { crypto } from "https://deno.land/std@0.224.0/crypto/mod.ts";
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";

const supabase = createClient(
  Deno.env.get("SUPABASE_URL")!,
  Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!
);

Deno.serve(async (req) => {
  console.log("DEBUG: Function invoked");
  const endpointSecret = Deno.env.get("STRIPE_WEBHOOK_SECRET");
  const sig = req.headers.get("Stripe-Signature");
  // Read the raw body as text: the signature covers the exact payload Stripe sent
  const body = await req.text();
  if (!sig || !endpointSecret) {
    console.log("DEBUG: Missing signature or secret");
    return new Response("Unauthorized", { status: 401 });
  }
  // Parse Stripe header
  const parts = Object.fromEntries(sig.split(",").map((p) => p.split("=")));
  const timestamp = parts["t"];
  const signature = parts["v1"];
  if (!timestamp || !signature) {
    console.log("DEBUG: Missing timestamp or v1 signature");
    return new Response("Invalid signature", { status: 400 });
  }
  // Stripe signs "<timestamp>.<raw body>"
  const signedPayload = `${timestamp}.${body}`;
  // Compute HMAC
  const encoder = new TextEncoder();
  const key = await crypto.subtle.importKey(
    "raw",
    encoder.encode(endpointSecret),
    { name: "HMAC", hash: "SHA-256" },
    false,
    ["sign"]
  );
```
Here is the 2nd part, I don't have Discord Nitro yet, after I make some sales, I will be sure to subscribe to it for longer messages
Ok, interesting, so I see the URL is returning the Missing authorization header response when we try to send the event to it, but there doesn't appear to be anything in your code that specifically sets this. This suggests it might be your development platform, Supabase, that is setting it. I don't know anything about Supabase unfortunately, so you might need to refer to their docs or contact them to see why this error is being set. My suspicion is that it's still trying to do some kind of authentication
Yes, that is what I am thinking, because other backends like Mongo DB and Prisma might be different
Supabase comes with auth link coded in by design, I turned it off in my code, because it isn't perfect. The magic link was logging me in and then back to login, so I toggled it off to test payments, so I can just do one test at a time, but it looks like Supabase's user auth is persisting on their backend
I am just going to put my email back on, then test the webhook. I would like others to test the login to the website, but I don't want to deploy the site live yet, without it being finished, and tested
Hi Synthrider, thanks for joining the chat
I am working on my webhook, I am going to test it in a couple of hours, bear with me guys
After everything is well, I will link my website here in the chat, and you guys can test it out. Let me know if anything is broken
Happy to help you look into issues, but you need to be the one to test and let us know what's not working like you expect.
It's not possible for us to know if the site <> webhook behaviour is working as you expect for your requirements
I thank you guys for being here to support. I know I will get it, it just has to be perfect with no Auth Header issues in Supabase logs. I don't think the issue is Stripe, but it is good to get extra confirmation for my tests.
Supabase hardcodes auth into their backend, to simplify authentication for their users
It is very helpful, but it isn't perfect, and when setting up paywalls in websites, routing and session storage must be validated to working consistently, similar to the Stripe Webhook
User Logs In With Email > Magic Link From Supabase goes to Email of User > User Clicks the Magic Link > Logged in Version of the Browser Appears > Supabase logs show user email
Anything authentication based should work from that point going forward, including webhooks, which aren't typically Auth Based
Right, so our webhook deliveries never use authentication, endpoints must be open/public endpoints and you verify authenticity with signatures on receipt
So if the endpoint is expecting auth headers on webhook delivery, you'll never get that and it must be disabled
I have no idea if that's possible in Supabase, you'd need to speak with them about how to do that, or use another service to receive events if it is not possible
It could just be that Supabase the backend I'm using has user auth all hardcoded into the schema and data tables, and Stripe is only checking for the events
I am going to get it working, it is just a dependency bug, either it's Stripe-Signature
or it is Auth Header