How do I generate a signed Stripe rest webhook request locally?

Question

I tried to create a webhook request to test locally, the library gave an error. I generated the body of the request by sending a test balance.available webhook here: https://dashboard.stripe.com/test/webhooks/we_1BI2E2IYOmXNPhc1uOyyRvHg I copied the body and put it into a file /tmp/stripe.webhook.json.tmp. The docs describe how to generate a signature: https://stripe.com/docs/webhooks#signatures

---

$ date +%s
1509229775
$ cat /tmp/stripe.webhook.tmp | openssl dgst -hmac whsec_nRZzpzBajM5zBLxnyFAHNZLkLLEu5Xlj -sha256
(stdin)= de2da72d739f0bdf0e2289eab5ac131f51cdd35af8f9c1f1224333b53abde9f7
$ curl -s -X POST http://localhost:3000/stripe/webhook -H "Stripe-Signature: t=1509229775,v1=de2da72d739f0bdf0e2289eab5ac131f51cdd35af8f9c1f1224333b53abde9f7" -d @/tmp/stripe.webhook.json.tmp | head -2         
Invalid signature.
$ head -2 /tmp/stripe.webhook.tmp
1509229775.{
  "created": 1326853478,
$ head -2 /tmp/stripe.webhook.json.tmp
{
  "created": 1326853478,

---

  def webhook
    payload = request.body.read
    sig_header = request.env['HTTP_STRIPE_SIGNATURE']
    endpoint_secret = ENV['STRIPE_WEBHOOK']
    event = nil
    begin
      event = Stripe::Webhook.construct_event(payload, sig_header,
endpoint_secret)
    rescue JSON::ParserError => e
      # Invalid payload
      render plain: "Invalid JSON.", status: 400
      return
    rescue Stripe::SignatureVerificationError => e
      # Invalid signature
      render plain: "Invalid signature.", status: 400
      return
    end

---

Answer 1

I think the issue has to do with the curl call. The -d/--data argument is stripping any line breaks from your json and the resulting digest computed by Stripe::Webhook.construct_event is different than what you've computed in the terminal.

After generating a digest I curled at my webhook endpoint:

Using the standard -d, threw an error saying the signature was invalid

curl -s -X POST http://localhost:3000/webhook  -H "Stripe-Signature: t=1509309309,v1=a2e2776cd5a57ba60355f7cfa3bcdd1d69e773373a0da" -d @./webhook.json.tmp

Whereas, specifying the --data-binary returned a valid signature

curl -s -X POST http://localhost:3000/webhook  -H "Stripe-Signature: t=1509309309,v1=a2e2776cd5a57ba60355f7cfa3bcdd1d69e773373a0da" --data-binary @./webhook.json.tmp

Answer 2

The best is to use Stripe CLI : https://github.com/stripe/stripe-cli

You can forward the request to localhost address.