#Senthill-webhook-signature


willow turret
#

Hi there, can you share your webhook code?

rancid talon
#

\Stripe\Stripe::setApiKey(Yii::$app->params['stripe']['secretKey']);
$endpoint_secret = 'whsec_np5....Y4MPgxV7';

// Keep the raw request body: a signature check has to run over the exact
// bytes Stripe signed, not over a decoded and re-encoded array.
$payload = @file_get_contents('php://input');
$sig_header = $_SERVER['HTTP_STRIPE_SIGNATURE'];
$event = null;

try {
    // NOTE: Event::constructFrom() only builds an Event object from an array;
    // it never compares $sig_header against $endpoint_secret, so this call
    // cannot throw SignatureVerificationException. The verifying call in
    // stripe-php is \Stripe\Webhook::constructEvent($payload, $sig_header, $endpoint_secret).
    $event = \Stripe\Event::constructFrom(
        json_decode($payload, true), $sig_header, $endpoint_secret
    );
} catch (\UnexpectedValueException $e) {
    // Invalid payload
    http_response_code(400);
    exit();
} catch (\Stripe\Exception\SignatureVerificationException $e) {
    // Invalid signature
    http_response_code(400);
    exit();
}
#

No matter what incorrect value I supply to $endpoint_secret the exception does not get triggered.

willow turret
#

I think it is supposed to be \Stripe\Event::constructEvent

#

I admit I am not the most familiar with PHP

#

But I'd log out to make sure you are receiving your endpoint secret in the event construction

rancid talon
#

Error: Call to undefined method Stripe\Event::constructEvent()

#

I am just passing the endpoint string ...

#

it's hardcoded from the output of the local listener. In fact here I am actually forcing a wrong value, so it should raise an error

willow turret
#

k give me a sec

rancid talon
#

here is the stripe event object ... does not seem to have the endpoint.

willow turret
#

You aren't seeing the event actually sent to the webhook?

rancid talon
#

I get the webhook and am able to process it fine. That works. Just that even if I validate against an incorrect key it still works!

#

So a malicious user can simply send me webhooks and I would think stripe is confirming payments

#

I suspect this may be a bug

willow turret
#

Give me a second. This may be due to using the CLI

rancid talon
#

oh ok

willow turret
#

You aren't forwarding events to your server, correct? You are just listening via the CLI?

rancid talon
#

I am forwarding to my server

#

and my server gets the request and processes it - all good there

willow turret
#

Okay thanks

#

Still looking to confirm if this is specific to forwarding via CLI

#

Or if something else is going on

rancid talon
#

ok thanks

willow turret
#

Okay yes, so with the CLI the signing secret is dictated by the CLI itself.

rancid talon
#

ok will test it out