Stripe Payments webhook handler`

I’m working through this tutorial trying to get payments working with Stripe.

I’ve implemented a Stripe webhook handler:

defmodule Postbox.StripeHandler do
  @behaviour Plug

  alias Plug.Conn

  def init(config), do: config

  def call(%{request_path: "/webhook/payments"} = conn, _params) do
    signing_secret = Application.get_env(:stripity_stripe, :webhook_key)
    [stripe_signature] = Plug.Conn.get_req_header(conn, "stripe-signature")

    with {:ok, body, _} = Plug.Conn.read_body(conn),
         {:ok, stripe_event} =
           Stripe.Webhook.construct_event(body, stripe_signature, signing_secret) do
      Plug.Conn.assign(conn, :stripe_event, stripe_event)
      err ->
        |> Conn.send_resp(:bad_request, err)
        |> Conn.halt()

I’ve copied my webhook secret (:webhook_key directly from the signing secret) but I’m still, continuously getting this error from Stripe: ** (MatchError) no match of right hand side value: {:error, "No signatures found matching the expected signature for payload"}.

This is a test account and I’m using Ngrok for the Webhook address.

Initial question aside I’m wondering if I’m just using Stripe.Checkout.Session do I need to even bother with Webhooks? Willl Stripe returning a successful URL be sufficient?

I don’t believe it’s directly related to your issue, but note that there’s a specific callout in the docs for Plug.Conn.read_body saying NOT to discard the conn:

Like all functions in this module, the conn returned by read_body must be passed to the next stage of your pipeline and should not be ignored.

1 Like

Never ignore a returned conn, that’s the new state you must use from then on! Start with that.

…Oh, I see @al2o3cr beat me to it.

Thanks for pointing that out, I will be sure to use the new conn!

That said I don’t think this is causing the issue, I should have been more clear I believe the with chain is failing at Stripe.Webhook.construct_event(body, stripe_signature, signing_secret). It seems like a simple authentication error but I have checked the :webhook_key/:signing_secret and it’s the one from stripe.

When is your plug called?

I think it has to run before all other parsers (plug Plug.Parsers in endpoint.ex) that may change the body, to verify the body as received from stripe.

1 Like

The code you posted matches what’s in the stripity_stripe docs, so the next thing to check is all the inputs. At least one of signing_secret, stripe_signature, or body isn’t getting the value that construct_event is expecting.

One thing I’d particularly watch out for is “test mode” vs “production mode”; IIRC the test mode uses a different signing secret.

You need to access the body before it has been modified by a subsequent Plug.

Here is an example in Plug.Parsers docs that exposes this very use case :slight_smile:

Edit : note that you can also do that with a custom Parser that runs before other Plug.Parsers. You can pattern match on the request path if you wish to avoid copying the raw body for other kind of requests.

@behaviour Plug.Parsers
  alias Plug.Conn

  def parse(%{request_path: "/specific_path"} = conn, _type, _subtype, _headers, opts) do
    case Conn.read_body(conn, opts) do
      {:ok, body, conn} ->
        {:ok, %{raw_body: body}, conn}
      {:more, _data, conn} ->
        {:error, :too_large, conn}

  def parse(conn, _type, _subtype, _headers, _opts), do: {:next, conn}

Check for exhaustiveness with the docs, because I cannot verify it today.

After that, the %{raw_body: r} map gets merged into conn.params. You can access it by pattern matching on conn.params in your controller.

def handle_webhook(%{params: %{raw_body: raw_body}} = conn, params) do

There are many ways to get to the desired result, but the goal is the same : preserve the raw request body.

1 Like

I saw that but if you have plug App.StripeHandler before plug Plug.Parsers wouldn’t that resolve the issue without writing a custom parser?

For what it’s worth: the payload from Plug.Conn.read_body(conn) looks like:

"{\n  \"id\": \"evt_3POga12ilwm20D11GsbWweX\",\n  \"object\": \"event\",\n  \"api_version\": \"2020-08-27\",\n  \"created\": 1717681345,\n  \"data\": {\n    \"object\": {\n      \"id\"....

Essentially just stringifyed JSON. Should it be raw JSON?

This blog post might be helpful: How we verify webhooks - Dashbit Blog.


Look at the tutorial for stripity_stripe:

Maybe you don’t need to implement a plug at all because it’s already implemented in the package? Just use the behaviours in your handler @behaviour Stripe.WebhookHandler.

Initial question aside I’m wondering if I’m just using Stripe.Checkout.Session do I need to even bother with Webhooks? Willl Stripe returning a successful URL be sufficient?

Yes, you need to handle the event after the checkout like I did for setup payment methods:

defmodule MyApp.Endpoint do
    at: "/webhook/stripe",
    handler: MyApp.PaymentService.API.Stripe.EventHandler,
    secret: {MyApp.Config, :cfg, [[:stripity_stripe, :signing_secret]]}
defmodule MyApp.PaymentService.API.Stripe.EventHandler do
  @behaviour Stripe.WebhookHandler

  @impl Stripe.WebhookHandler
  def handle_event(%Stripe.Event{type: "checkout.session.completed", data: %{object: %Stripe.Checkout.Session{mode: "setup"}}} = event) do

It’s required to handle all checkout session events. Look at the Stripe API and handle your events according to entity statuses and event types.

In my case I needed to handle the “checkout.session.completed” and then update some payment method fields in the DB to make it active in my system.

Session object API

You should look at the events you need Types of events | Stripe API Reference and handle them as you want, e.g. update a Payment schema entity status.

I would not rely on synchronous API responses only and strongly advice to handle events in a webhook.

P.S.: some useful docs and recommendations about using webhooks - Stripe-Ereignisse in Ihrem Webhook-Endpoint empfangen | Stripe-Dokumentation