#michael.fraser - signature verification
I'm not 100%, but I think it's always failing. I just saw a couple of potential reasons for the failure - the stripe-dotnet library uses throwOnApiVersionMismatch = true by default (and we're using an older version of the library), and I'm not populating the platform account api key appropriately.
Can't be the throwOnApiVersionMismatch, because that'd result in a different exception than I'm seeing.
"I'm not populating the platform account api key appropriately"
The above would be a problem
What makes you think you're populating it incorrectly?
I'm not populating it at all for the verification step. It's in a setting that I forgot to set on the field that is being used for the check.
Ok well however you set it, it needs to be set for that step
The most common issue for these signature verification issues is modifying the inbound request body
If you aren't using the raw body that is sent to your webhook endpoint, the signature verification will fail
Sometimes it may get modified unintentionally
With some library in your stack
Hmm. I'm currently using model binding in ASP.NET Core to bind the body to a Stripe.Event object. Does that likely cause this issue?
I'm not a .NET expert but possibly. I recommend logging the body in your webhook handler code
If you share what that looks like in here, I can tell whether or not it looks like it's being modified
I'm logging the event JSON.
Can you share your code?
I don't think I can completely, but this is the endpoint that was receiving it.
Let's try that again.
Ok
I recommend using this to build a test webhook endpoint to debug: https://stripe.com/docs/webhooks/quickstart
You can compare and identify differences to track down the exact issue
In your experience, does signature validation work in local environments that are using the Stripe CLI to proxy events?
& thanks. I have seen that documentation.
Yes it should work
But it's a tricky issue to debug usually
Usual culprits are: not using raw inbound request body or using incorrect webhook signing secret
If you're doing it locally you should be using the signing secret from the CLI
Ooo. I'll double check that I'm using the CLI secret, thanks
I'll add in my description of the "rawBody" issue: Stripe uses "steganography" to encode extra data on the JSON body. They use non-coding extra spaces, line breaks, tabs, etc. This can still be parsed as JSON, but the signature verification needs the non-coding parts - that's why you have to be quite careful to not modify it at all before checking signature
Ah!
(it also kinda masks the issue - the body parses as JSON just fine, so it looks like it's correct, but the verification fails)
Ok, that's likely the issue, then. I'm using the JSON from a serialized bound model (which more than likely strips any steganography from the JSON)
In addition to my other mistakes.
That's specifically why this is frustrating to debug.