Stripe verify web-hook signature HMAC sha254 HAPI.js


Problem description

I'm trying to verify a webhook sent by stripe in my hapi.js app. I've followed the instructions detailed here:

https://stripe.com/docs/webhooks/signatures

(I've obviously not posted my endpoint secret here :)

<!-- language: lang-js -->

    const crypto = require('crypto');
    const _ = require('lodash');

    const endpointSecret = '######'; // redacted

    // Split "t=...,v1=...,v0=..." into an object
    const sig = _.fromPairs(request.headers["stripe-signature"].split(',')
        .map(s => s.split('=')));
    // produces object eg { t: '1111', v1: '111111..', v0: '...'} etc

    const signed_payload = `${sig.t}.${JSON.stringify(request.payload)}`;

    const hmac = crypto.createHmac('sha256', endpointSecret)
        .update(signed_payload)
        .digest('hex');

The generated hmac does NOT match the signature in the header (sig.v1). I can't figure out what I'm doing wrong...

I'm developing locally - and using ngrok, so that I can test my webhooks. Could this be an issue? Thanks

Recommended answer

Following on from the comments - in Hapi 17, you must prevent the body from being parsed. I was dancing around the houses setting the output of the payload config... but you don't need to do this. Simply set payload.parse to false.

<!-- language: lang-js -->

    module.exports = {
        method: 'POST',
        path: '/api/webhook',
        config: {
            auth: false,
            payload: {
                parse: false // the important bit
            },
            handler: async (request, h) => {
                // handler body: the verification snippet below goes here
            }
        }
    };

I was then able to use the built-in stripe method:

<!-- language: lang-js -->

    try {
        let event = stripe.webhooks.constructEvent(request.payload.toString(), request.headers["stripe-signature"], endpointSecret);
        console.log(event);
    }
    catch (err) {
        console.log(err);
    }

The real credit should go to Karl Reid - so while I have posted this here, I have not marked it as the accepted answer.
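
The manual check from the question, done over the raw request bytes and compared against a parsed-then-restringified body, as an added example that is not code from the original post or from Stripe's library. The secret, event body and timestamps are constructed, and the function names and the 300-second tolerance are choices made here.

```javascript
const crypto = require('crypto');

// Parse "t=...,v1=...,v0=..." into { t, v1: [...] }; more than one v1 may be present.
function parseSignatureHeader(header) {
  const out = { t: null, v1: [] };
  for (const part of String(header).split(',')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const key = part.slice(0, i).trim();
    const value = part.slice(i + 1).trim();
    if (key === 't') out.t = value;
    else if (key === 'v1') out.v1.push(value);
  }
  return out;
}

// HMAC-SHA256 over "<timestamp>.<body>", with the body exactly as received.
function expectedSignature(timestamp, rawBody, secret) {
  return crypto.createHmac('sha256', secret)
    .update(`${timestamp}.`)
    .update(rawBody) // Buffer or string; never a re-serialized object
    .digest('hex');
}

// True only if a v1 signature matches the body and the timestamp is within tolerance.
function verifyWebhook(rawBody, header, secret, nowSeconds, toleranceSeconds = 300) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!t || !/^\d+$/.test(t) || v1.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > toleranceSeconds) return false;
  const expected = Buffer.from(expectedSignature(t, rawBody, secret), 'utf8');
  return v1.some((sig) => {
    const given = Buffer.from(sig, 'utf8');
    // timingSafeEqual throws on unequal lengths, so check length first.
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
}

// Constructed sample: the body contains whitespace that JSON.stringify does not reproduce.
const SECRET = 'whsec_test_placeholder';
const RAW = Buffer.from('{\n  "id": "evt_test",\n  "type": "charge.succeeded"\n}');
const HEADER = `t=1700000000,v1=${expectedSignature('1700000000', RAW, SECRET)},v0=ignored`;

function demo() {
  const reserialized = JSON.stringify(JSON.parse(RAW.toString('utf8')));
  return {
    raw: verifyWebhook(RAW, HEADER, SECRET, 1700000060),                   // true
    reserialized: verifyWebhook(reserialized, HEADER, SECRET, 1700000060), // false
    stale: verifyWebhook(RAW, HEADER, SECRET, 1700000000 + 3600),          // false
  };
}
console.log(demo());
```

With `payload.parse` set to `false`, `request.payload` is the Buffer to pass as `rawBody`.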
