#B33fb0n3-Checkout
burnt hearth
hii @chrome vector ๐
chrome vector
I'm not really following what you're trying to achieve, could you please explain your use case?
burnt hearth
sure. Give me a second, I gonna paint it ๐
chrome vector
the webhook signature are not specific to an event
the signature is related to the Webhook Endpoint you create on the dashboard
burnt hearth
if I send this from my backend, I wont have this: const sig = request.headers['stripe-signature'];
(https://stripe.com/docs/webhooks/signatures)
chrome vector
what are you using as a programming language?
burnt hearth
node js in backend and react in frontend
chrome vector
could you please share your webhook code?
burnt hearth
from my backend?
burnt hearth
chrome vector
could you please take a look at this guide
https://stripe.com/docs/webhooks/signatures#verify-official-libraries ?
you're missing the bodyParser.raw({type: 'application/json'}),
burnt hearth
I do here: ```
var app = express()
app.use(bodyParser.json({
verify: function (req, res, buf) {
req.rawBody = buf.toString()
}
}))
app.use(awsServerlessExpressMiddleware.eventContext())
you're using the json bodyParser and not the raw bodyParser
you need to specifically use the raw body parser as described in the guide I sent u
burnt hearth
done ๐
where is the problem? If I just use the black way, everything would work fine.
my problem is currently the missing webhook signature, when I dont use a webhook. ๐
chrome vector
do you have a checkout session id I could look at?
burnt hearth
sure. Can I send u the event?
burnt hearth
do you have a checkout session id I could look at?
thats an session id: cs_test_b1QAiNXcVCyfovx6P9Bmh2QdmaFyEhX1mcARzi9erRAxOzKCktuHGmYocl
chrome vector
I'll take a look
burnt hearth
ok, thank u ๐
chrome vector
sorry it took me a while to reply
burnt hearth
no problem
chrome vector
my problem is currently the missing webhook signature, when I dont use a webhook
what do you mean by when I don't use a webhook?
are you using this endpoint for something other than receiving events from Stripe?
burnt hearth
> my problem is currently the missing webhook signature, when I dont use a webho...
when a session is created, there is no event for the creation. So I cant use a webhook
burnt hearth
are you using this endpoint for something other than receiving events from Strip...
yes
chrome vector
you shouldn't be
burnt hearth
you shouldn't be
it's a rest api
burnt hearth
oh u mean the endpoint /webhook?
chrome vector
yes
chrome vector
are you sending a POST request to that endpoint to tell it that you have created a Checkout Session?
burnt hearth
I would, yes.
chrome vector
that's what I meant by you shouldn't be using that endpoint other than for the events you receive from Stripe
you can't send a POST request to your /webhook endpoint with a signature
burnt hearth
./webhook just handle stripe events
burnt hearth
you can't send a POST request to your `/webhook` endpoint with a signature
yeah, I cant. Because I have no signature
โ๏ธ there is the problem ๐
indigo mantle
so why are you POSTing to it then?
if it's for testing you can use stripe-cli for that
burnt hearth
so *why* are you POSTing to it then?
Because I have no signature
โ๏ธ
indigo mantle
e.g. run stripe trigger checkout.session.completed to generate an event to send to the endpoint.
indigo mantle
> Because I have no signature
โ๏ธ
that's circular reasoning though
burnt hearth
if it's for testing you can use stripe-cli for that
first testing and after that publish it.
indigo mantle
cool, so what's the problem really?
burnt hearth
this event does not exists: checkout.session.completed
ah wait
it exsits
I use it. But I searching for the event, when I create a session
indigo mantle
there's no such thing
burnt hearth
to update my backend securely
indigo mantle
you don't need an event for htat, since you create the Session synchronously by calling the API
burnt hearth
there's no such thing
there u can see my problem ๐
indigo mantle
so you know it exists and can update whatever you need at that point
burnt hearth
you don't need an event for htat, since you create the Session synchronously by ...
I can and I do.
indigo mantle
ok, but there isn't one
burnt hearth
so you know it exists and can update whatever you need at that point
but not securely.
burnt hearth
I have
indigo mantle
you have code on that server to call the CheckoutSession create API
burnt hearth
yes (public access)
indigo mantle
after calling that, you can update your database or whatever to say "I have created a CheckoutSession for customer X and I expect to see a checkout.session.completed event later", right?
burnt hearth
yes, I can. BUT: than its public and have no secure. So every person can create for example hundreds of session and can manipulate my backend.
indigo mantle
how would the event help? it's just adding a step.
Like, every person creates hundreds of sessions. You get hundreds of hypothetical "checkout.sesssion.created" events, and your backend is manipulated. How would that be any different?
burnt hearth
hm, u r right... ๐ค
burnt hearth
how would the event help? it's just adding a step.
Like, every person creates ...
so I have one last question: why do we check the signature from stripe webhooks?
indigo mantle
burnt hearth
I think u want, that I read this part: https://stripe.com/docs/payments/checkout/fulfill-orders#verifizieren-sie,-dass-die-ereignisse-von-stripe-stammen
why dont we check this also by checkout creation?
indigo mantle
because you don't need to. Creating a session is a synchronous API call, you get the API response immediately, you know it came from Stripe since that's where you sent the HTTP request.
The webhook is the async notification later that the customer has finished paying, and since that is just an incoming HTTP request we make to your server, so you might want to verify its origin.
burnt hearth
ohhh got it ๐คฆโโ๏ธ