Unable to verify signature locally with CLI webhooks #505

Closed
AAverin opened this issue Sep 23, 2020 · 5 comments
Labels
bug Something isn't working

AAverin commented Sep 23, 2020

The more information we have the easier it is for us to help. Feel free to remove any sections that might not apply

Issue

Following the Node guide here: https://stripe.com/docs/payments/checkout/fulfill-orders
I am trying to test a webhook implementation with a locally running CLI.
Stripe CLI version is 1.5.1

When running, the CLI gives me a whsec_ signature that I used in the code to verify the incoming payload.
Check results in

StripeSignatureVerificationError: No signatures found matching the expected signature for payload. Are you passing the raw request body you received from Stripe? https://github.com/stripe/stripe-node#webhook-signing
>        at Object.verifyHeader (functions/node_modules/stripe/lib/Webhooks.js:117:13)
>        at Object.constructEvent (/functions/node_modules/stripe/lib/Webhooks.js:12:20)

Expected Behavior

Signature verification should pass for local tests

Steps to reproduce

What are the steps we can take to reproduce this and verify it's fixed?

Traceback

Share any debug output that was given by the CLI

Environment

MacOS

@AAverin AAverin added the bug Something isn't working label Sep 23, 2020
@robz-stripe

Hi @AAverin ! This is usually a result of the body being parsed (e.g. by bodyParser) before it's used to verify the signature. There are a bunch of possible solutions on stripe/stripe-node#341 depending on how you're parsing the body currently. It needs to be the raw body.

AAverin commented Sep 25, 2020

@robz-stripe Hi.
I am following Stripe documentation at https://stripe.com/docs/payments/checkout/fulfill-orders
There it is parsed with raw

app.post('/webhook', bodyParser.raw({type: 'application/json'}), (request, response) => {
  const payload = request.body;
  const sig = request.headers['stripe-signature'];

  let event;

  try {
    event = stripe.webhooks.constructEvent(payload, sig, endpointSecret);
  } catch (err) {
    return response.status(400).send(`Webhook Error: ${err.message}`);
  }

  response.status(200).end(); // end the response; status() alone leaves the request open
});

AAverin commented Sep 26, 2020

The reason for the error was that Firebase Functions do their own parsing of the body.
The correct code for Firebase Functions would be:

app.post('/webhook', (request, response) => {
  const payload = request.rawBody;
  const sig = request.headers['stripe-signature'];

  let event;

  try {
    event = stripe.webhooks.constructEvent(payload, sig, endpointSecret);
  } catch (err) {
    return response.status(400).send(`Webhook Error: ${err.message}`);
  }

  response.status(200).end(); // end the response; status() alone leaves the request open
});

@AAverin AAverin closed this as completed Sep 26, 2020
AAverin commented Sep 26, 2020

@robz-stripe something worth mentioning in the documentation, I suppose

dirkesquire commented Feb 23, 2023

BUG

Getting the exact same problem. StripeSignatureVerificationError when testing locally even though the secret is correct. I am simply passing in request.body:

event = stripe.webhooks.constructEvent(
          request.body,
          sig,
          endpointSecret
        );

I really think that Stripe needs to be clever enough to be able to execute stripe.webhooks.constructEvent by being passed in either a string or a JSON request.body. This is because Firebase Functions already does their own parsing of the body, and that is very convenient. Also it is possible to set up express() to also parse the body.

The expected behaviour of stripe.webhooks.constructEvent is that it should not fail because this is not a problem with the signature verification logic.

Also see:
firebase/firebase-functions#417
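
Why a parsed body cannot stand in for the raw one, as an added example that is not part of the original thread and not Stripe's library code: a sketch of the documented `t=...,v1=...` HMAC-SHA256 scheme using only Node's `crypto`. The secret, event body, timestamp and the function names `signPayload`, `verifyPayload` and `demo` are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample values: a placeholder secret and a pretty-printed event body.
const SECRET = 'whsec_placeholder_for_example';
const RAW_BODY = Buffer.from('{\n  "id": "evt_example",\n  "type": "checkout.session.completed"\n}');

// Header in the documented "t=<unix time>,v1=<hex HMAC-SHA256>" form,
// computed over "<timestamp>.<body bytes>".
function signPayload(rawBody, secret, timestamp) {
  const mac = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.`).update(rawBody).digest('hex');
  return `t=${timestamp},v1=${mac}`;
}

// Recompute the HMAC over the body as received and compare in constant time.
// A non-Buffer, non-string body models a framework that already ran JSON.parse.
function verifyPayload(body, header, secret, now, toleranceSec = 300) {
  let timestamp = null;
  const candidates = [];
  for (const item of header.split(',')) {
    const [key, value] = item.split('=');
    if (key === 't') timestamp = Number(value);
    if (key === 'v1') candidates.push(value);
  }
  if (!Number.isInteger(timestamp) || candidates.length === 0) return false;
  if (Math.abs(now - timestamp) > toleranceSec) return false; // outside replay window
  const bytes = Buffer.isBuffer(body) || typeof body === 'string' ? body : JSON.stringify(body);
  const expected = Buffer.from(signPayload(bytes, secret, timestamp).split('v1=')[1], 'hex');
  return candidates.some((sig) => {
    const got = Buffer.from(sig, 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
}

function demo() {
  const now = 1600850000; // constructed timestamp
  const header = signPayload(RAW_BODY, SECRET, now);
  const parsed = JSON.parse(RAW_BODY.toString('utf8'));
  return {
    rawBody: verifyPayload(RAW_BODY, header, SECRET, now),
    parsedBody: verifyPayload(parsed, header, SECRET, now),
    staleTimestamp: verifyPayload(RAW_BODY, header, SECRET, now + 3600),
  };
}

console.log(demo());
```

Re-serializing the parsed object drops the original whitespace, so the bytes fed to the HMAC no longer match what the sender signed, even though the secret and header are correct.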
