greatBear-webhook-signatures | Stripe Developers | Page 1

elder pawn Jun 29, 2022, 3:32 PM

#

Hello 👋
Give me a moment to catch up here and I'll respond as soon as I can 🙂 Thanks

worthy fog Jun 29, 2022, 3:33 PM

#

No worries. In the meantime I'll provide some context.

#

Im using the API to verify the signature (see https://stripe.com/docs/webhooks/signatures)

#

but for some reason Im doing something wrong.

#

According to the code example the $payload variable contains the HTTP body which is a JSON string.

#

Here is a sample of how this string looks like:

📎 code_sample.txt

#

$sig_header, $endpoint_secret are also passed to \Stripe\Webhook::constructEvent(...).

#

The issue is that an exception error is triggered: throw Exception\SignatureVerificationException::factory( 'No signatures found matching the expected signature for payload',

#

My guess is that the $payload data is incorrect. But according to the doc. the http body must be passed. So what can I be doing wrong

visual bronze Jun 29, 2022, 3:57 PM

#

👋 stepping in here as hanzo had to step away.

#

Can you share your code?

#

Are you doing anything to the $payload?

#

It has to be the raw body to verify correctly.

worthy fog Jun 29, 2022, 4:22 PM

#

my code

📎 code_sample.txt

#

Im using Wordpress. So it neatly extracts the body content and places it in a obj property.

#

Well I shared the body string with you. Check out my first attachment file

brazen peak Jun 29, 2022, 4:28 PM

#

Stripe uses "stegonography" to encode extra data on the JSON body. They use non-coding extra spaces, line breaks, tabs, etc. This can still be parsed as JSON, but the signature verification needs the non-coding parts - that's why you have to be quite careful to not modify it at all before checking signature. (it also kinda masks the issue - the body parses as JSON just fine, so it looks like it's correct, but the verification fails). This is often caused by using request.body instead of request.rawbody, or by something like Express middleware.

visual bronze Jun 29, 2022, 4:32 PM

#

Yep so you need to pass your $event above to constructEvent(). You don't pull out the body itself to verify the signature.

worthy fog Jun 29, 2022, 4:43 PM

#

Actually the $event is a Wordpress WP_REST_Request object.

visual bronze Jun 29, 2022, 4:43 PM

#

Ah okay in that case you need the actual raw payload that we are sending.

worthy fog Jun 29, 2022, 4:43 PM

#

it strikes me ass odd that Wordpress might not be compatible with your API

#

I will check if there is a way to extract the raw body.

#

i'll update you when its done

#greatBear-webhook-signatures