razorpay / razorpay-node

Razorpay node.js bindings
MIT License
182 stars, 111 forks

Small issue regarding signature validation. #163

Closed deve-sh closed 1 year ago

deve-sh commented 4 years ago

Issue Nature: Doubt

Issue Code Reference: https://github.com/razorpay/razorpay-node/blob/e3cb39105b540dea83372ff147df6fe5bf53d689/lib/utils/razorpay-utils.js#L94

As the above snippet suggests, the request body is being converted to a string form. But the Object.toString function always returns [object Object] as a string rather than the stringified object. Wouldn't using JSON.stringify here be better?

Could this be the reason why some signatures received from the Razorpay Webhooks do not match the ones calculated on my Node.js server?

abhijit-hota commented 3 years ago

According to the webhook docs, we shouldn't parse or cast the req.body in any way.

If you're using Express along with the body-parser package then your request bodies are automatically parsed to an object.

I'm assuming this is the source of the error. We should instead pass in the "raw body" to the function.

See this comment
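An added example, not part of the thread and not razorpay-node code, showing why only the raw body verifies. It assumes the webhook signature is a hex HMAC-SHA256 of the exact request bytes keyed with the webhook secret; the secret, payload and helper names (`sign`, `verifyWebhook`, `demo`) are constructed for illustration.

```javascript
// Added example: raw-body vs parsed-body webhook signature verification.
const crypto = require("crypto");

const WEBHOOK_SECRET = "constructed-test-secret"; // placeholder, not a real secret

// HMAC-SHA256 hex digest of the body exactly as given.
function sign(body, secret) {
  return crypto.createHmac("sha256", secret).update(body).digest("hex");
}

// Constant-time comparison of the expected and received signatures.
function verifyWebhook(body, receivedSignature, secret) {
  const expected = Buffer.from(sign(body, secret), "utf8");
  const received = Buffer.from(String(receivedSignature), "utf8");
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed raw body as it might arrive on the wire. The spacing, the
// "500.00" literal and the \u escape do not survive a parse/stringify round trip.
const rawBody = Buffer.from(
  '{"event": "payment.captured", "amount": 500.00, "note": "caf\\u00e9"}',
  "utf8"
);
const signatureHeader = sign(rawBody, WEBHOOK_SECRET); // what the sender computed

// What a JSON body parser hands the route handler.
const parsed = JSON.parse(rawBody.toString("utf8"));

function demo() {
  return {
    // Exact bytes received: verifies.
    raw: verifyWebhook(rawBody, signatureHeader, WEBHOOK_SECRET),
    // Object cast to string is "[object Object]": never verifies.
    toString: verifyWebhook(parsed.toString(), signatureHeader, WEBHOOK_SECRET),
    // Re-serialized JSON differs byte-for-byte from the original: fails too.
    reStringified: verifyWebhook(JSON.stringify(parsed), signatureHeader, WEBHOOK_SECRET),
  };
}

console.log(demo());
```

In Express, mounting `express.raw({ type: "application/json" })` on the webhook route leaves `req.body` as a Buffer of the original bytes, which is the value to pass to the verifier.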

deve-sh commented 3 years ago

@abhijit-hota That's absolutely correct. The issue was that even after using the raw body the signatures weren't matching and that was when I noticed this code snippet in the SDK. There was an issue with the signature that came from the webhook itself.

abhijit-hota commented 3 years ago

> There was an issue with the signature that came from the webhook itself.

Ah, I see. Actually I'm facing the same issue now. I don't know what's happening but the signatures aren't matching.

Any pointers on how you resolved it?

deve-sh commented 3 years ago

No resolution yet. I simply set up idempotency for now and validate whether the data that's sent in the request is actually valid data that exists on Razorpay's servers using their APIs.

ankitdas13 commented 2 years ago

@deve-sh I apologize for the long delay and the issue you encountered. Could you please let us know if this issue was resolved or not?

ankitdas13 commented 1 year ago

For now, I am closing this issue as I have not received any response. If you need any assistance, please let us know.