#RafaCitec-webhook
Generally the code to handle webhook doesn't load signature properly
ok, what is the signature for? it is mandatory
I have been copying code from your examples and from some github repositories and I don't really understand where the signature is obtained from
You can skip verification and let Stripe SDK do it for you
then that send in this function?
I don't understand
@blazing quest @viral reef is it mandatory to use the signature in my webhook function handler?
no, it's not mandatory, it's just usually recommended.
in your case the verification probably doesn't work because you modify the incoming HTTP body in some way. For example you seem to receive it as this StripeWebhook object, what's that? If you or the frameworks you use touch the incoming HTTP body in any way, you will modify it and the signature won't match.
there are examples in Python on https://stripe.com/docs/webhooks/quickstart
I followed these examples and now I have this error
this is the type of request
not sure what you mean since that code you're sharing doesn't look like anything we have in our docs I think.
so you parse the incoming raw HTTP POST body into a model in your application?
yes
that's likely the problem, you should take the exact raw string from the incoming body and pass that to construct_event. If you pass something that differs in any way, whitespace, order of keys in the dictionary, anything, it won't verify.
using this like example
what do you mean exactly?
that I have created the model with the structure received in https://dashboard.stripe.com/test/webhooks/create?endpoint_location=local
I do not use all fields
for example, api_version I don't use
but I have typed, modeled, all necessary fields
is that wrong?
yes
like I said, you cannot change the body in any way.
so if what your application does is, read the incoming HTTP body, parse it into your own model class, then you pass that model class to the construct_event function, it will never work.
you need to do what we do in all of our examples and I explained multiple times, you need to pass the exact raw incoming HTTP request body to that function as the payload parameter.
after you verify the signature you can convert into your own model if needed
Ok, I see, I will try to do as you say and I will tell you
Another question, this is more process than technical, why do I have to call the .construct_event() method?
Doesn't the request that Stripe sends to our endpoint already have the event object? Doesn't it have all the information?
because that function takes the raw request body, the signature, and it checks that the signature matches (proving the request came from Stripe), and it returns a nice Python object from our SDK that you can work with more easily than the raw body.