laravel / cashier-paddle

Cashier Paddle provides an expressive, fluent interface to Paddle's subscription billing services.
https://laravel.com/docs/cashier-paddle
MIT License
245 stars 57 forks

Webhook: Invalid webhook signature while everything seems right setup #283

Closed PaulBorie closed 1 week ago

PaulBorie commented 1 week ago

Cashier Paddle Version

2.5.2

Laravel Version

11.25.0

PHP Version

8.3.7

Database Driver & Version

No response

Description

I can't get Paddle webhooks working even though everything seems to be set up right. I constantly get a 403 error response from my app:

    "message": "Invalid webhook signature.",
    "exception": "Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException",
    "file": "/home/user/myapp/vendor/laravel/cashier-paddle/src/Http/Middleware/VerifyWebhookSignature.php",
    "line": 33,

I exposed my local machine using ngrok with a static domain. I added a webhook endpoint on my Paddle Sandbox pointing to my https://ngrok_static_domain/paddle/webhook. I retrieved the PADDLE_WEBHOOK_SECRET variable from this newly created webhook, starting with "pdl", and set it in my .env file. I tried writing it with and without quotes. I cleared the cached config many times, and dumping config('cashier.webhook_secret') displays the right secret.

The signature header in the Paddle webhook request to my server is present: Paddle-Signature: ts=1728935049;h1=1f71aae5ce2ed647bad4b3d4b36**7c34ae7f

Steps To Reproduce

Set up a new Laravel project, install Paddle Cashier and create a checkout view checkout.blade.php. Set up all the necessary env keys from your Paddle account and pay using the checkout to trigger the webhook.

<?php
$options = $checkout->options();
$options['settings']['frameTarget'] = 'paddle-checkout';
$options['settings']['frameInitialHeight'] = 366;
$options['settings']['theme'] = 'light';
$options['settings']['variant'] = 'one-page';
?>
@push('paddle-scripts')
    @paddleJS
@endpush
<div class="p-1 lg:p-8 ">
    <div
        class="paddle-checkout"
        x-data="{}"
        x-init="Paddle.Checkout.open(@js($options));">
    </div>
</div>

driesvints commented 1 week ago

Hi there,

Thanks for reporting but it looks like this is a question which can be asked on a support channel. Please only use this issue tracker for reporting bugs with the library itself. If you have a question on how to use functionality provided by this repo you can try one of the following channels:

However, this issue will not be locked and everyone is still free to discuss solutions to your problem!

Thanks.

PaulBorie commented 1 week ago

Hi! Sorry for opening an issue unnecessarily. I thought Paddle might have changed the way they sign their webhooks. Actually my Ubuntu dev machine was not synced with NTP clock servers anymore, causing the isInvalidSignature function in the VerifyWebhookSignature middleware to fail. Especially this line made it fail.

if ($this->maximumVariance > 0 && time() > $timestamp + $this->maximumVariance) {
    return true;
}

Just had to resync my Ubuntu laptop with NTP servers! Thanks
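
The failure mode resolved above, as an added example that is not part of the thread and not Cashier's own code: a diagnostic that reports separately whether a `Paddle-Signature` header fails on the HMAC or only on the timestamp window, so clock drift is not mistaken for a wrong secret. It assumes Paddle's documented scheme of HMAC-SHA256 over `ts:raw body`; the function name, the 5-second variance, and the sample secret, body and timestamps are constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not part of laravel/cashier-paddle).
// Assumption: h1 = HMAC-SHA256(secret, "<ts>:<raw request body>").

function diagnosePaddleSignature(
    string $header,
    string $rawBody,
    string $secret,
    int $maximumVariance = 5,   // assumed sample tolerance, in seconds
    ?int $now = null            // injectable clock so drift can be simulated
): string {
    $now ??= time();

    // Header shape as shown in the issue: "ts=<unix seconds>;h1=<hex digest>".
    if (! preg_match('/^ts=(\d+);h1=([0-9a-f]+)$/', $header, $m)) {
        return 'malformed-header';
    }
    $timestamp = (int) $m[1];

    // Check the HMAC first: if it matches, the secret and body are fine and
    // any remaining rejection can only come from the timestamp comparison.
    $expected = hash_hmac('sha256', $timestamp . ':' . $rawBody, $secret);
    if (! hash_equals($expected, $m[2])) {
        return 'hmac-mismatch';
    }

    // Same comparison as the middleware line quoted in the thread.
    if ($maximumVariance > 0 && $now > $timestamp + $maximumVariance) {
        return 'stale-timestamp: local time is ' . ($now - $timestamp) . 's past ts';
    }

    return 'valid';
}

// Constructed sample data; none of these values come from a real account.
$secret = 'constructed-secret-not-real';
$body   = '{"event_type":"transaction.completed"}';
$ts     = 1728935049;
$header = 'ts=' . $ts . ';h1=' . hash_hmac('sha256', $ts . ':' . $body, $secret);

echo diagnosePaddleSignature($header, $body, $secret, 5, $ts + 2), PHP_EOL;        // clock in sync
echo diagnosePaddleSignature($header, $body, $secret, 5, $ts + 90), PHP_EOL;       // clock running fast
echo diagnosePaddleSignature($header, $body, 'other-secret', 5, $ts + 2), PHP_EOL; // wrong secret
```

The timestamp window is what limits replay of a captured webhook, so the fix for a stale-timestamp result is to resync the host clock rather than to widen or disable the variance.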