I was able to set up stripe webhook validation

tbonezone · October 17, 2017, 9:17pm

I wasn’t able to find any useful help for validating webhooks from stripe, and I’m posting this here in case it helps anyone. Stripe has instructions, but the difficulty was that you need to get stripe’s JSON in the same form that they made the signature with. In other words you need the raw request data before it gets parsed into a JSON object by your router. There are a few tips out there suggesting you can compose the raw request data using code such as:

this.request.on('data', function (chunk) {
        rawBody += chunk;
});

However, it didn’t work in my routes. I am using iron router, and needed to add it in the onBeforeAction hook where you actually have access to the raw request data. The working code is like this:

Router.onBeforeAction(function(req,res,next) {
    var rawBody = "";
    req.on('data', function (chunk) {
        rawBody += chunk;
        req.rawBody = rawBody;
    });
    req.on('end', function () {
        req.rawBody = rawBody;
    });
    next();
}, { only: 'myStripeWebhookRouteName' });

Then in your “myStripeWebhookRouteName” route you can access the data in the rawBody field you just created as this.connection.rawBody. Then you can continue with stripe’s instructions, either using their webhook validator in the 5.0.+ version node package or it’s easy enough to do it yourself with cryptoJS HmacSha256 function (you’d need meteor packages jparker:crypto-sha256 and jparker:crypto-hmac).

Also, stripe’s JSON is formatted like JSON.stringify(obj,null,2), so you could probably just reconstruct the JSON string from the JSON object and not go through all these shenanigans, but I haven’t tested that.

ontokrat · October 20, 2017, 8:02am

@tbonezone and everyone who might be helped by that.
I use Picker as router Server Side (allow filter and sub-routes).
Body-parser in JSON for every webhook / exception for Stripe: verification of webhook’s signature (raw) and then handling the same webhook in JSON.

import bodyParser from 'body-parser';
import { Picker } from 'meteor/meteorhacks:picker';

// Middleware declaration
Picker.middleware(bodyParser.json({
  limit: '10MB',
  verify: function(req,res,buf) {
    var url = req.originalUrl;
    if (url.startsWith('/stripe-webhooks')) {
      req.rawBody = buf.toString()
    }
  }
}));

// filtered main route
var postRoutes = Picker.filter(function(req, res, buf) {
  var url = req.originalUrl;
  if (url.startsWith('/stripe-webhooks')) {
    // verify webhook's signature if he comes from stripe
    // 'req.rawBody' available here
    // Got only 'empty constructEvent' from official library ( let event = stripe.webhooks.constructEvent(req.body, sig, endpointSecret); )
    // adapt here https://github.com/stripe/stripe-node/blob/master/lib/Webhooks.js
    // see details: https://stripe.com/docs/webhooks#verify-manually
  }
    // handle only POST requests
    return req.method == "POST"
});


// from route, handling webhook and sending request
postRoutes.route('url', (request, response) => {
  // handle result here
});

See details here on Github’s Stripe Node Library