Invalid Signature

[thebeautyofcoding]

I am trying to implement a subscription payment feature. Using stripe listen and stripe trigger I am trying to test my code. However I am getting a 500 Error. Looking in the error log, I can see The signature is invalid spatie\\WebhookClient\\Exceptions\\InvalidWebhookSignature
The isValid function looks like this

class DefaultSignatureValidator implements SignatureValidator
{
public function isValid(Request $request, WebhookConfig $config): bool
{

    $signature = $request->header($config->signatureHeaderName);

    if (!$signature) {
        return false;
    }

    $signingSecret = $config->signingSecret;

    if (empty($signingSecret)) {
        throw InvalidConfig::signingSecretNotSet();
    }

    $computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);

    return hash_equals($signature, $computedSignature);
}

}
By simply deleting the code in the function and returning true, I can avoid the error and everything works. But this is not good practice and might be insecure, or? Why I am getting this error in the first place. Why is the signature invalid? Thanks a lot :)

[freekmurze]

Add debugging statements to that piece of code. It will probably give you a hint on what is going wrong.

[freekmurze]

Probably the error is not caused by our package, but due to some configuration on your end. Use functions like print_r, var_dump or ray (https://myray.app). To look at the contents of the variables in that function.

[thebeautyofcoding]

I think the cause of the error is that $computedSignature and $signature are not equal?
When logging 2 of the variables via Log::info('info', [$computedSignature, $signature]); I get as values:

"bb36f64c2c4e9c237e2f32c85815fb8f55de1b5d8f4137cb827fcc6809ddcc2e","t=1670017043,v1=fca0f86b2e9ca2f00a860fcfde47166bef72ae211528673c3f25e78a609dae82,v0=c4497e37cde3030aa370e7eef3838ac4ceffcb0d0e2f825aab212df890edb43d"

These two should be equal, or? and then hash_equals just returns false as a consequence?

[freekmurze]

Those should be equal yeah. Take a look at the parameters that are received to computer the hash. Probably there's something fishy going on there.

[thebeautyofcoding]

They are different but I cannot figure out why. I use ngrok, so Stripe can access my app over the internet. From Stripe I send events then. I also grabbed the stripe webhook secret and put it in my .env as STRIPE_WEBHOOK_SECRET=whsec_..... This may have nothing to do with your awesome package. Thanks for the great help.

[phaberest]

I'm dealing with the same problem, @thebeautyofcoding were you able to figure out what was going wrong?

[iRajul]

@phaberest Make sure to set webhook secret which starts with whsec in .env file with variable STRIPE_WEBHOOK_SECRET