Stripe-dotnet: Always get "The signature for the webhook is not present in the Stripe-Signature header"

Created on 13 Dec 2019 · 8Comments · Source: stripe/stripe-dotnet

I'm using the test stripe to finish a checkout via webhook

The webook sends the following information to me
json:

{
  "id": "evt_1Fp8QCHONLOCX93ZtvM6ZfBJ",
  "object": "event",
  "api_version": "2019-11-05",
  "created": 1576221524,
  "data": {
    "object": {
      "id": "cs_test_sIivnmE97W8f01Gd9sKZWcHq0d4dtZorGKxo5rCRPn6qrRtkzd5Lu2Ux",
      "object": "checkout.session",
      "billing_address_collection": null,
      "cancel_url": "https://yushuhometest.azurewebsites.net/stripesuccess",
      "client_reference_id": null,
      "customer": "cus_GLq6B0RztXkLmK",
      "customer_email": "[email protected]",
      "display_items": [
        {
          "amount": 360000,
          "currency": "usd",
          "custom": {
            "description": "Annual Individual Sponsor VIP",
            "images": null,
            "name": "Annual Individual Sponsor VIP"
          },
          "quantity": 1,
          "type": "custom"
        }
      ],
      "livemode": false,
      "locale": "en",
      "mode": "payment",
      "payment_intent": "pi_1Fp8Q0HONLOCX93ZB2PHU7ZE",
      "payment_method_types": [
        "card"
      ],
      "setup_intent": null,
      "submit_type": null,
      "subscription": null,
      "success_url": "https://yushuhometest.azurewebsites.net/stripesuccess"
    }
  },
  "livemode": false,
  "pending_webhooks": 2,
  "request": {
    "id": null,
    "idempotency_key": null
  },
  "type": "checkout.session.completed"
}

stripe signature:

["t=1576221525,v1=da12e2b3870f0a97f8c9c22cc33991d716f0a1f9b1a5525fc9e2156cf14c901b,v0=88237c4455f8b2ab2bda2d90f88d215c7969bd10812a677d118ec3af662c2886"]

Stripe Webhook EndpointSecret I used for current test account:

But I still get Stripe exception: "The signature for the webhook is not present in the Stripe-Signature header."

I used asp.net core 2.2 to write the following code:
```c#
[HttpPost("[action]")]
public async Task Hook()
{
string json = await new StreamReader(HttpContext.Request.Body).ReadToEndAsync();
Stripe.Event stripeEvent = stripeEvent = Stripe.EventUtility.ConstructEvent(json, Request.Headers["Stripe-Signature"], _stripeConfig.WebhookEndpointSecret);
...
}

```

I wonder what's wrong with the code? I even went as far as debugging the signature comparing code in stripe.net , still don't see the issue. I failed in both dev machine (using CLI with its own secret), and in the cloud test server (using secret get from webhook).

Thanks!

Source

xqiu

Most helpful comment

I actually figured this out; I was using the secret from the dashboard, but stripe cli gives you a temporary one. There was no need to do any of the triming

r3plica on 1 Jun 2020

🚀3

All 8 comments

Hi @xqiu. Your code looks correct, and I've manually recomputed the signature to double-check that it's the correct one for that payload.

I would recommend checking the following:

make sure that _stripeConfig.WebhookEndpointSecret contains the "whsec_..." secret as a string, with no whitespace or newline characters
make sure that Request.Headers["Stripe-Signature"] contains the "t=...,v1=...,v0=..." header value, with no whitespace or newline characters
make sure that json contains the JSON payload of the event, with no trailing newline character after the last } character

ob-stripe on 17 Dec 2019

Thanks, ensuring triming the strings making my code work.

            string jsonOri = await new StreamReader(Request.Body).ReadToEndAsync();
            string json = jsonOri.Trim(new char[] { ' ', '\n', '\r' });
            string header = Request.Headers["Stripe-Signature"];
            string signature = header.Trim(new char[] { ' ', '\n', '\r' });
            try
            {
                Stripe.Event stripeEvent = Stripe.EventUtility.ConstructEvent(json, signature, _stripeConfig.WebhookEndpointSecret, 300, false);

xqiu on 18 Dec 2019

👍3 👎1

I tried that and I still get the error and I can verify that it does have all the steps you mentioned (endpoint secret starts with "whsec_", the header hast=, v1, v1 in it with no spaces, etc and the json string ends with \"payment_intent.created\"\n}")

r3plica on 31 May 2020

I tried that and I still get the error and I can verify that it does have all the steps you mentioned (endpoint secret starts with "whsec_", the header hast=, v1, v1 in it with no spaces, etc and the json string ends with \"payment_intent.created\"\n}")

Did you try the code I show above with triming both json and header? It works for me.

xqiu on 1 Jun 2020

I actually figured this out; I was using the secret from the dashboard, but stripe cli gives you a temporary one. There was no need to do any of the triming

r3plica on 1 Jun 2020

🚀3

This problem is unbelievable, well done @xqiu !

HoxWi on 12 Jun 2020

I am using stripe direct checkout for payment and configured webhook, getting "The signature for the webhook is not present in the Stripe-Signature header." error in the below code.

string jsonOri = await new StreamReader(Request.Body).ReadToEndAsync();
string json = jsonOri.Trim(new char[] { ' ', 'n', 'r' });
string header = Request.Headers["Stripe-Signature"];
string signature = header.Trim(new char[] { ' ', 'n', 'r' });

            if (Request.Headers["Stripe-Signature"].Count() > 0)
            {
                // validate webhook called by stripe only
            Stripe.Event stripeEvent  = Stripe.EventUtility.ConstructEvent(json,signature,"whsec_QpG30JY8XXXXXXXXX",300,false);

I also upgraded the API version to the latest 2020-08-27.

@xqiu Please look into this.