travisf
Stripe Payments webhook handler`
I’m working through this tutorial trying to get payments working with Stripe.
I’ve implemented a Stripe webhook handler:
defmodule Postbox.StripeHandler do
@behaviour Plug
alias Plug.Conn
def init(config), do: config
def call(%{request_path: "/webhook/payments"} = conn, _params) do
signing_secret = Application.get_env(:stripity_stripe, :webhook_key)
[stripe_signature] = Plug.Conn.get_req_header(conn, "stripe-signature")
with {:ok, body, _} = Plug.Conn.read_body(conn),
{:ok, stripe_event} =
Stripe.Webhook.construct_event(body, stripe_signature, signing_secret) do
Plug.Conn.assign(conn, :stripe_event, stripe_event)
else
err ->
conn
|> Conn.send_resp(:bad_request, err)
|> Conn.halt()
end
end
end
I’ve copied my webhook secret (:webhook_key directly from the signing secret) but I’m still, continuously getting this error from Stripe: ** (MatchError) no match of right hand side value: {:error, "No signatures found matching the expected signature for payload"}.
This is a test account and I’m using Ngrok for the Webhook address.
Initial question aside I’m wondering if I’m just using Stripe.Checkout.Session do I need to even bother with Webhooks? Willl Stripe returning a successful URL be sufficient?
Most Liked
sorentwo
I noticed that the post appears to be deleted earlier this week. Here’s a brief, working example of how to verify stripe webhooks in phoenix.
First, parsed JSON will strip some whitespace and alphabetize keys. To calculate the correct HMAC you need to stash the original unparsed request body. A small body_reader module will do it:
# body_reader.ex
defmodule MyApp.BodyReader do
def read_body(conn, _opts) do
# You may want to only do this for certain paths
with {:ok, raw_body, conn} <- Plug.Conn.read_body(conn) do
{:ok, raw_body, Plug.Conn.put_private(conn, :raw_body, raw_body)}
end
end
end
Configure Plug.Parsers to use the new body_reader module:
plug Plug.Parsers,
parsers: [:urlencoded, :multipart, :json],
pass: ["*/*"],
json_decoder: Phoenix.json_library(),
body_reader: {MyApp.BodyReader, :read_body, []}
Then define a private function to verify the signature in your controller:
defmodule MyAppWeb.StripeController do
use MyAppWeb, :controller
plug :verify_signature
# actions go here
defp verify_signature(conn, _opts) do
case get_req_header(conn, "stripe-signature") do
[header] ->
["t=" <> time, "v1=" <> sigv | _] = String.split(header, ",")
signing_secret = Application.fetch_env!(:my_app, :stripe_signing_secret)
hmac =
:hmac
|> :crypto.mac(:sha256, signing_secret, [time, ".", conn.private.raw_body])
|> Base.encode16(case: :lower)
if Plug.Crypto.secure_compare(hmac, sigv) do
conn
else
conn
|> send_resp(400, "Invalid Signature")
|> halt()
end
_ ->
conn
|> send_resp(400, "Missing Signature")
|> halt()
end
end
end
That will do it! If you test your webhook controller, which you certainly should, you’ll need to inject a signature as well. The signature below is fake and computed using a test signing key (whsec_test), a fake timestamp, and :raw_body:
@signature "t=123456789,v1=34e0846d2ae20d2fcde8c391d069223f72d0518eaf511de69f785470938e1505"
setup %{conn: conn} do
conn =
conn
|> put_req_header("stripe-signature", @signature)
|> put_private(:raw_body, ~s({"fake":"body"}))
{:ok, conn: conn}
end
wojtekmach
This blog post might be helpful: https://dashbit.co/blog/how-we-verify-webhooks.
Lucassifoni
You need to access the body before it has been modified by a subsequent Plug.
Here is an example in Plug.Parsers docs that exposes this very use case ![]()
Edit : note that you can also do that with a custom Parser that runs before other Plug.Parsers. You can pattern match on the request path if you wish to avoid copying the raw body for other kind of requests.
@behaviour Plug.Parsers
alias Plug.Conn
def parse(%{request_path: "/specific_path"} = conn, _type, _subtype, _headers, opts) do
case Conn.read_body(conn, opts) do
{:ok, body, conn} ->
{:ok, %{raw_body: body}, conn}
{:more, _data, conn} ->
{:error, :too_large, conn}
end
end
def parse(conn, _type, _subtype, _headers, _opts), do: {:next, conn}
Check for exhaustiveness with the docs, because I cannot verify it today.
After that, the %{raw_body: r} map gets merged into conn.params. You can access it by pattern matching on conn.params in your controller.
def handle_webhook(%{params: %{raw_body: raw_body}} = conn, params) do
There are many ways to get to the desired result, but the goal is the same : preserve the raw request body.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #javascript
- #code-sync
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








