How to get access to the raw request body?

[jenstroeger]

I’m on Pyramid 2.0.2.

Two days ago a Stripe webhook failed when it called back to the server:

stripe._error.SignatureVerificationError: No signatures found matching the expected signature for payload

According to the Stripe docs (link) and a Stackoverflow discussion (link) the issue may be that the Stripe code receives a modified request body, and thus fails.

My code in the Pyramid request handler that receives the Stripe webhook request is like so:

@view_config(
    route_name="stripe_webhooks_callback",
    request_method="POST",
)
def stripe_webhook(request):
    try:
        webhook_secret = config.get("stripe.webhook_secret")
        event = stripe.Webhook.construct_event(request.body, request.headers["Stripe-Signature"], webhook_secret)
    except stripe.error.SignatureVerificationError:
        ...     

This code has been running for a long time, and according to the docs (link) request.body should be the raw payload, right? It doesn’t say so explicitly but I would assume so and it’s worked in the past.

I just want to rule out that the body might have been JSON pretty-printed or been modified in another way? Thanks!

[mmerickel]

I’m unaware of any features in webob or pyramid that modify the raw request.body attribute. It is truncated at the content length iirc but that’s about it.

[jenstroeger]

Thanks @mmerickel, I was hoping for that response 🤓

[russellballestrini]

If it only happened once, maybe it was a malformed when derived by stripe.

Have you code to reproduce using test stripe API? Do you know the type of webhook that failed offhand or more about the structure of the request that failed?

I don't use any webhooks yet in makepostsell.com

[jenstroeger]

Have you code to reproduce using test stripe API?

That was from the test server, but I’ve not yet tried to reproduce it.

Do you know the type of webhook that failed offhand or more about the structure of the request that failed?

Yes, in case of a failure the server logs the entire request so I’ve got both headers and payload. There’s nothing suspicious about it, though when I run construct_event() locally I get the same error. Next, I’m going to verify the request manually (docs) and maybe I can find out more that way…

I don't use any webhooks yet in makepostsell.com

I’ve been very happy so far, and that’s the first issue I’ve seen in a long time.