#xinjin-webhook-signature

karmic venture
@drowsy field the signature verification only works if you give it the exact same raw string we send you, like exact number of spaces, property ordering, etc.
99.9% of the issues are due to your code "parsing" the data we send, and then sending it back as JSON. It depends on your language/framework, but that's what you need to debug: you have to make sure you pass the exact raw POST body we send you.

drowsy field
You mean the buffer body might get changed?

I don't think the signature was changed.

I am using nestjs.

Oh,

you are right.

The buffer was changed.

Now it is working. Thank you.

Oh,

sorry.

Actually it is not working.

karmic venture
lol

that's a roller coaster

but really, it is absolutely a bug due to not accessing the raw body

drowsy field
I don't think the signature is changed. Right?

I am getting it from the headers directly.

karmic venture
you're misunderstanding the issue

The problem is that you are giving the signature to us, (it's correct) but with the wrong payload.

For example, we send you { user: 'koopa', server: 'stripe' } and we say the signature is 11111, but your code gets our JSON, parses it, and gives it to you. Now you get {server:'stripe',user:'koopa'} without any spaces and with the keys reversed, and because of that the signature is now 2222222 and fails verification.

drowsy field
t=1633110531,v1=31b66ca496a01ea32dd4f32b93ecbce9aa250d3d7c239b0c5c4addf57de5b356,v0=7bd7b978d1f93c76da668c730b4c2bb653ced66d243c2eecf12d4ab941e0f48c

This is the signature.

karmic venture
that's the signature we send you, yes. The problem is not the signature, it's the payload and how you get it

I'm not sure how else to explain it unfortunately

drowsy field
So the body doesn't need to be a buffer?

Just the object string is okay, you mean?

karmic venture
it has to be the exact raw body/payload we send you

The problem is that with node/JS a loooooot of frameworks try to be helpful and parse the raw body for you

it's way easier to work with, but in this specific case, it breaks the signature verification and you need a way to access the raw body, which can be really hard because of the layers of things that try to give you a parsed body

drowsy field
So the body is

this.

But actually,

it is changed essentially, right?

karmic venture
that is my assumption yes

drowsy field
Very weird.
I tried to use several ways.

I still haven't figured it out.

I am going to remove

'\n

and whitespaces manually.

karmic venture
you absolutely cannot figure this out by manually removing spaces and \n, I'm sorry

you really need to google, based on your code and framework/setup, how to get the raw body

karmic venture
@drowsy field did you figure it out?

drowsy field
Not actually.