Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Stripe cli signature verification not working

See original GitHub issue

Hi, i’m using Stripe CLI for testing my webhook.

event = Webhook.constructEvent(payload, <Stripe-Signature header>, <Stripe CLI signing secret>); always returns an exception “No signatures found matching the expected signature for payload”.

Stripe CLI signing secret: whsec_2QF92N94RwqD5M6t553xec5ce3NGgfKs

Stripe-Signature header: t=1576858212,v1=63dbd81dd42f4b5406451e4add0b89357a62598deba8e1978e53d005487927a6,v0=3016f803483615a7f75716ca92c404f5e550eab968640a85c738f31c42109770

Payload: { “id”: “evt_1Fro3MEErckdb3enb7aSN8js”, “object”: “event”, “api_version”: “2019-12-03”, “created”: 1576858211, “data”: { “object”: { “id”: “pi_1Fro3KEErckdb3enotYuEhG1”, “object”: “payment_intent”, “amount”: 2000, “amount_capturable”: 0, “amount_received”: 2000, “application”: null, “application_fee_amount”: null, “canceled_at”: null, “cancellation_reason”: null, “capture_method”: “automatic”, “charges”: { “object”: “list”, “data”: [ { “id”: “ch_1Fro3LEErckdb3ene1m27XhJ”, “object”: “charge”, “amount”: 2000, “amount_refunded”: 0, “application”: null, “application_fee”: null, “application_fee_amount”: null, “balance_transaction”: “txn_1Fro3LEErckdb3ene7NN6V5C”, “billing_details”: { “address”: { “city”: null, “country”: null, “line1”: null, “line2”: null, “postal_code”: null, “state”: null }, “email”: null, “name”: null, “phone”: null }, “captured”: true, “created”: 1576858211, “currency”: “usd”, “customer”: null, “description”: “(created by Stripe CLI)”, “destination”: null, “dispute”: null, “disputed”: false, “failure_code”: null, “failure_message”: null, “fraud_details”: { }, “invoice”: null, “livemode”: false, “metadata”: { }, “on_behalf_of”: null, “order”: null, “outcome”: { “network_status”: “approved_by_network”, “reason”: null, “risk_level”: “normal”, “risk_score”: 22, “seller_message”: “Payment complete.”, “type”: “authorized” }, “paid”: true, “payment_intent”: “pi_1Fro3KEErckdb3enotYuEhG1”, “payment_method”: “pm_1Fro3KEErckdb3enJWQW6BYP”, “payment_method_details”: { “card”: { “brand”: “visa”, “checks”: { “address_line1_check”: null, “address_postal_code_check”: null, “cvc_check”: null }, “country”: “US”, “exp_month”: 12, “exp_year”: 2020, “fingerprint”: “RhCup5EEbm2AICiC”, “funding”: “credit”, “installments”: null, “last4”: “4242”, “network”: “visa”, “three_d_secure”: null, “wallet”: null }, “type”: “card” }, “receipt_email”: null, “receipt_number”: null, “receipt_url”: “https://pay.stripe.com/receipts/acct_1CaOCdEErckdb3en/ch_1Fro3LEErckdb3ene1m27XhJ/rcpt_GObFdv7k1cm1CvM4rAu2RGn6kTkYvtl”, “refunded”: false, “refunds”: { “object”: “list”, “data”: [

          ],
          "has_more": false,
          "total_count": 0,
          "url": "/v1/charges/ch_1Fro3LEErckdb3ene1m27XhJ/refunds"
        },
        "review": null,
        "shipping": {
          "address": {
            "city": "San Francisco",
            "country": "US",
            "line1": "510 Townsend St",
            "line2": null,
            "postal_code": "94103",
            "state": "CA"
          },
          "carrier": null,
          "name": "Jenny Rosen",
          "phone": null,
          "tracking_number": null
        },
        "source": null,
        "source_transfer": null,
        "statement_descriptor": null,
        "statement_descriptor_suffix": null,
        "status": "succeeded",
        "transfer_data": null,
        "transfer_group": null
      }
    ],
    "has_more": false,
    "total_count": 1,
    "url": "/v1/charges?payment_intent=pi_1Fro3KEErckdb3enotYuEhG1"
  },
  "client_secret": "pi_1Fro3KEErckdb3enotYuEhG1_secret_BVrTV5VdQq8zelcT76NAvMhFv",
  "confirmation_method": "automatic",
  "created": 1576858210,
  "currency": "usd",
  "customer": null,
  "description": "(created by Stripe CLI)",
  "invoice": null,
  "last_payment_error": null,
  "livemode": false,
  "metadata": {
  },
  "next_action": null,
  "on_behalf_of": null,
  "payment_method": "pm_1Fro3KEErckdb3enJWQW6BYP",
  "payment_method_options": {
    "card": {
      "installments": null,
      "request_three_d_secure": "automatic"
    }
  },
  "payment_method_types": [
    "card"
  ],
  "receipt_email": null,
  "review": null,
  "setup_future_usage": null,
  "shipping": {
    "address": {
      "city": "San Francisco",
      "country": "US",
      "line1": "510 Townsend St",
      "line2": null,
      "postal_code": "94103",
      "state": "CA"
    },
    "carrier": null,
    "name": "Jenny Rosen",
    "phone": null,
    "tracking_number": null
  },
  "source": null,
  "statement_descriptor": null,
  "statement_descriptor_suffix": null,
  "status": "succeeded",
  "transfer_data": null,
  "transfer_group": null
}

}, “livemode”: false, “pending_webhooks”: 2, “request”: { “id”: “req_QxV95RJcUkjLaJ”, “idempotency_key”: null }, “type”: “payment_intent.succeeded” }

API version: 2019-12-03

Can you help me?

Thanks. Giacomo

Issue Analytics

State:
Created 4 years ago
Comments:10 (5 by maintainers)

Top GitHub Comments

3reactions

JD-sixberriescommented, Jan 11, 2021

@JD-sixberries

I think that you have this error because your forgotten to use:

bodyParser.raw({ type: 'application/json' }),

This step is mandatory to avoid “Signature verification failures”.

Simple and working example:

const webhooksStripeRouter: Router = Router();

webhooksStripeRouter.post(
  '/webhooks/stripe',
  bodyParser.raw({ type: 'application/json' }), // <==== don't forget this 
  async (req: Request, res: Response) => {
    try {
      // Retrieve the event by verifying the signature using the raw body and secret.
      let event: Stripe.Event;

      try {
        event = stripe.webhooks.constructEvent(
          req.body,
          req.headers['stripe-signature'],
          'whsec_jtfJGfWz8YqSwCUExxxxxxxxxxxy',
        );
      } catch (error) {
        throw new Error('Stripe webhook signature verification failed.');
      }

      // Extract the data from the event.
      const { data, type }: { data: Stripe.Event.Data; type: string } = event;

      if (type === 'payment_intent.succeeded') {
        // Cast the event into a PaymentIntent to make use of the types.
        const paymentIntent: Stripe.PaymentIntent = data.object as Stripe.PaymentIntent;
        // Funds have been captured
        // Fulfill any orders, e-mail receipts, etc
        // To cancel the payment after capture you will need to issue a Refund (https://stripe.com/docs/api/refunds).
        console.log(`🔔  Webhook received: ${paymentIntent.object} ${paymentIntent.status}!`);
        console.log('💰 Payment captured!');
      } else if (type === 'payment_intent.payment_failed') {
        // Cast the event into a PaymentIntent to make use of the types.
        const pi: Stripe.PaymentIntent = data.object as Stripe.PaymentIntent;
        console.log(`🔔  Webhook received: ${pi.object} ${pi.status}!`);
        console.log('❌ Payment failed.');
      }
      res.sendStatus(200);
    } catch (error) {
      console.debug(error);
    }
  },
);

Thanks @rimiti I get the help when I reported or facing this issue. actually I convert my request data into the JSON which cause the issue otherwise it working as expected. So basically that was my bad during implementation

3reactions

remi-stripecommented, Jul 7, 2020

@JD-sixberries The Stripe CLI has its own webhook secret so you need to make sure you are using that one properly. It’s also important to ensure that your code or framework is not tampering with the raw data we sent you. The signature verification only works with the exact raw JSON, up to the exact new line or indentation space. Those 2 reasons are the most common reasons for this issue.

If you’re still having problems after that, we recommend that you reach out to our support team: https://support.stripe.com/contact