#Austin_Rowe - webhook signatures

blissful wharf
#

Hi there!

dire kernel
#

Hello @blissful wharf!

blissful wharf
#

I think you'll want to use request.body instead of event in your constructEvent function

dire kernel
#

I set the event to be the request.body

#

The third line of the snippet I attached shows this

#

Not trying to be smart, just want to point out that I'm passing in the raw body in the form of a variable called event

blissful wharf
#

Oh totally missed that line

dire kernel
#

No worries!

onyx olive
#

No, you are not. req.body is not guaranteed to be the raw body, depending on other middleware. To be clearer: Stripe uses "steganography" to encode extra data on the JSON body. They use non-coding extra spaces, line breaks, tabs, etc. This can still be parsed as JSON, but the signature verification needs the non-coding parts - that's why you have to be quite careful to not modify it at all before checking signature. (It also kinda masks the issue - the body parses as JSON just fine, so it looks like it's correct, but the verification fails.) This is often caused by using request.body instead of request.rawbody, or by something like Express middleware.

dire kernel
#

@onyx olive you're right! I resolved the issue by putting the following line before I added bodyParser to the overall app:
app.use('/api/stripe-webhook', express.raw({type: 'application/json'}));

onyx olive
#

Quite exactly. That's actually one of the hardest parts for (newer) developers to grasp.