IsmailSarikaya-webhook signature | Stripe Developers | Page 1

steel thunder May 19, 2022, 10:41 AM

#

👋 happy to help

#

could you please share your code?

unkempt moth May 19, 2022, 10:41 AM

#

sure

#

📎 message.txt

#

Did you see something wrong? I actually got this code structure directly from Stripe's web site.

steel thunder May 19, 2022, 10:50 AM

#

I'm taking a look

unkempt moth May 19, 2022, 10:53 AM

#

Great, thanks.

steel thunder May 19, 2022, 11:25 AM

#

so basically I saw something but I'm not sure whether it's related or not

#

you're using Request.Headers["Stripe-Signature"] instead of HttpContext.Request.Headers["Stripe-Signature"]

unkempt moth May 19, 2022, 11:27 AM

#

I didn't write these parts on my own. Is this the correct one? HttpContext.Request.Headers["Stripe-Signature"]

steel thunder May 19, 2022, 11:29 AM

#

I'm not sure

#

I don't have a full look at your code base

#

I don't know if Request is something that is exposed in your BaseController or what exactly

unkempt moth May 19, 2022, 11:30 AM

#

Take a look at this:
https://stripe.com/docs/webhooks

There:
var stripeEvent = EventUtility.ParseEvent(json);

Use incoming webhooks to get real-time updates

Listen for events on your Stripe account so your integration can automatically trigger reactions.

steel thunder May 19, 2022, 11:32 AM

#

yes

#

just take a look at this https://stripe.com/docs/webhooks/quickstart

Set up and deploy a webhook

Learn how to set up and deploy a webhook to listen to events from Stripe.

#

and try to make it as much the same as possible

#

that's my best guess for you

unkempt moth May 19, 2022, 11:37 AM

#

Yes, I agree with you. But I am trying to understand if 'Stripe-Signature' must be used?
Because in the example that I mentioned, there is no header, they parsed directly from json but in you example they used signature.
And in my example, they didn't use endpointSecret. I am confused.

steel thunder May 19, 2022, 11:38 AM

#

in that code they are not verifying the signature

#

it's important to verify the signature so that you can't be attacked since you're exposing your API on the internet

unkempt moth May 19, 2022, 11:40 AM

#

You say it's for the security? So at my own risk, does it work if I don't use it?

steel thunder May 19, 2022, 11:41 AM

#

yes

unkempt moth May 19, 2022, 11:41 AM

#

Then I will try without it until the final product release.

steel thunder May 19, 2022, 11:45 AM

#

oh wait

#

you're missing this var stripeEvent = EventUtility.ParseEvent(json); from your code

#

you need those three lines

var stripeEvent = EventUtility.ParseEvent(json);
var signatureHeader = Request.Headers["Stripe-Signature"];
stripeEvent = EventUtility.ConstructEvent(json,
         signatureHeader, endpointSecret);```

#

in your code your only using var stripeEvent = EventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"], endpointSecret); which passes the json without parsing it first

unkempt moth May 19, 2022, 11:49 AM

#

Ok I will try this and let you know. Thanks.

#IsmailSarikaya-webhook signature