#azh - signature verification

Is your signing secret the one from the dashboard (not the one you used locally)? They are different

Yes, from the dashboard

Developers -> Webhooks -> Signing secret -> reveal

Is this test mode or live?

Test mode

I'm wondering if aws api gateway is doing something to the message body to change the hash

Ok. Make sure you're using the proper signing secret for live/test depending. With AWS, I've seen some various issues. Usually what happens is something in the AWS stack modifies the body so it's no longer the raw request body (alters spacing, etc.): https://github.com/stripe/stripe-node/issues/356

Usually the issues are in node

I recommend logging the request body at the top of your lambda function to see how it looks

It should have all the extra whitespace. You can log what it looks like on your local machine and compare

what data type is expected? or is it just that it might remove whitespace?

It should be a string of formatted json

I recommend logging both local output and in your lambda so we can see if the body is the issue

The logs go into CloudWatch, so it is hard to see if they're the same. CloudWatch will change the format if there are \n's. I'll send you something in a sec

Actually, I was able to get a 1 line log in CloudWatch

For local testing, I sent a webhook event, copied and pasted it locally, and did some "fixes" to make it pass the json checks, and ran the function as a mock. Massive kludgy headache, but it at least proved my code was working. I don't think that'll help us do a 1:1 comparison tho

I'm not sure what i did to make message.txt upload twice, but it is from the same source

Oh so you didn't run through out local testing flow? https://stripe.com/docs/webhooks/test

No, I'm using Orders beta which isn't supported by the CLI

Thus I haven't used it for the rest of dev/test

That's fine. I just meant sending any event to verify signature verification is working locally

So we can know whether it's a problem with your code or a problem with AWS

It did verify locally when I used amplify mock function with my altered event. I copy/pasted the event from Stripe's web. It'll take a bit, but want me to do that with an event locally?

Would be good to verify that it works. Just with the steps in that link. And can you print the body right before the construct_event call? Want to compare formats. But, right off the bat, the format of message.txt looks off (provided cloudwatch itself didn't modify the format)

I can't use the method in the link bc i'm running serverless. I can't forward to a mock lambda function afaik

serverless has its advantages, but it can be a PITA for testing

Ah so you don't have a local test server you can spin up then?

correct

Gotcha

Ok so let's assume cloudwatch logs didn't alter the format. The body was altered and doesn't have the extra whitespace

Let me check how we can deal with this

I think you could do something like a body mapping template: https://github.com/stripe/stripe-node/issues/356#issuecomment-311658193

Been looking into that and am seeing what I can do. AWS changes often, so a bunch has changed since 2017–20 when these msgs were posted

👋 I'm hopping in since @balmy rune had to head out - I believe using a body mapping template is what we recommend with AWS, but if you have any other questions let me know

cool, 👋 . I'm trying to find a viable body mapping template. Do you have any on hand?

This may be out of date, so it may need some tweaking but this is what we used to recommend:

{
  "method": "$context.httpMethod",
  "body": $input.json('$'),
  "rawBody": "$util.escapeJavaScript($input.body).replaceAll("\\'", "'")",
  "headers": {
    #foreach($param in $input.params().header.keySet())
    "$param": "$util.escapeJavaScript($input.params().header.get($param))"
    #if($foreach.hasNext),#end
    #end
  }
}

Content-Type: application/json (just this – do not include ; charset=utf-8 afterwards)

Cool, I tried it, but it doesn't pass amazon's validation. As a python dev, I'm not super familiar with fixing this format. I went to ask someone for help (which led to a quick lunch), but he isn't familiar with the format either.

I'll keep working on it, but I worry that i'll alter it where it won't be valid for what we're trying to do.

for ref, this is amazon's default for application/json:

{
"type" : "object",
"required" : [ "request" ],
"properties" : {
"request" : {
"type" : "string"
}
},
"title" : "Request Schema"
}

Interesting... did they give any details on what specifically isn't passing validation?

"Invalid model schema specified"

very informative 🙂

Is it possible you're accidentally creating a Model and not Mapping Template?

very possible...let me dig into that

You're right, i was putting that into model, not mapping template. I'm trying to find where aws moved mapping templates. It isn't in Integration Request anymore. O_o

The step by step guide that's documented here (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-override-request-response-parameters.html#apigateway-override-request-response-parameters-override-request) may be helpful for finding it if you haven't seen that yet

thank you. your google foo is stronger than mine

dang, nope. that is out of date 😦

😦 dang - I'm not sure where it would be then, and my googling isn't coming up with anything else

sorry, just really new to aws api gateway and serverless. old dog learning new tricks

i'll keep looking. if i have to come back to this tomorrow, can i use this same thread to ask Qs?

This thread will be archived, but if you ask in the main channel anybody should be able to pick it up and help

cool, thanks. i won't give up yet, but i'll let you know if i need more help within the next hour. i really appreciate help from you both

Progress! (letting you know in case it can help others)
The default/recommended way to integrate api gateway w lambdas doesn't allow for mapping templates anymore.

There is a checkbox for "Use Lambda Proxy integration" that is recommended, but as soon as you do that, you can't add a mapping template anymore. Thus, you have to set it all up manually on aws, which is a PITA