Setting up secure webhooks with Stripe on Xano is crucial to ensure that the data you receive from Stripe hasn't been tampered with or modified by attackers. In this guide, we'll walk you through the process step-by-step, including how to create a secure webhook, verify the signature, and implement a custom function for added security.
Prerequisites
Before you begin, make sure you've followed the instructions in our Payments Documentation to set up an integration between Stripe and Xano. This will provide you with the basic information needed to use this snippet.
Step 1: Create a Test Webhook
Let's start by creating a test webhook to ensure that your webhook is firing and receiving information correctly.
- Go to the "Stripe checkout API group" in your Xano workspace and locate the "Webhooks test" end node.
- Publish the latest changes to this end node.
- Copy the endpoint URL from the "Webhooks test" end node.
- In your Stripe Developer account, go to "Developers" > "Webhooks" > "Add an endpoint" and paste the copied URL.
- Select the events you want to listen for (e.g., `checkout.session.completed`, `checkout.session.failed`).
- In your Xano workspace, go to the "Payments" area, copy a payment link, and complete a test transaction using fake credit card information (e.g., 4242 4242 4242 4242).
- Check the "Request History" in the "Webhooks test" end node to verify that the webhook has been fired and received.
Step 2: Set Up a Secure Webhook
Now that you've confirmed your webhook is working, let's set up a secure webhook to verify the signature and ensure data integrity.
- In your Xano workspace, go to the "Stripe checkout API group" and locate the "Webhooks secure" end node.
- Copy the endpoint URL from the "Webhooks secure" end node.
- In your Stripe Developer account, go to "Developers" > "Webhooks" > "Add an endpoint" and paste the copied URL.
- Select the same events you chose for the test webhook (e.g., `checkout.session.completed`, `checkout.session.failed`).
- Complete another test transaction using a payment link.
- In your Stripe Developer account, navigate to the webhook you just created, reveal the "Signing secret," and copy it.
- In your Xano workspace, go to "Settings" and paste the copied "Signing secret" into the "Webhook secure secret" environment variable.
Step 3: Verify the Signature
With the secure webhook set up and the signing secret in place, let's verify the signature to ensure data integrity.
- In your Xano workspace, open the "Webhooks secure" end node.
- This end node contains several steps to extract the timestamp, signature, and fake signature from the Stripe-Signature header, concatenate them with the payload, and hash the result using HMAC-SHA256 with the webhook secure secret as the key.
- The end node also adds a record to the "Capture output" table, which logs the input, header, signature, timestamp, signed payload, signed HMAC, and webhook secret for each webhook request.
- Check the "Capture output" table to ensure the "SIG1" (Stripe's signature) and "SIGHMAC" (your calculated signature) match.
Step 4: Implement the Secure Webhook Function (Optional)
While the "Webhooks secure" end node verifies the signature, you may want to implement an additional layer of security by using the "Webhook secure func" custom function.
- In your Xano workspace, go to the "Stripe checkout API group" and locate the "Webhook secure func" custom function.
- This custom function performs the same signature verification process as the "Webhooks secure" end node but includes a precondition that checks if the calculated signature matches Stripe's signature.
- If the signatures don't match, the function returns an "Access denied" message, preventing further execution.
- To use this custom function, you can add it before any webhook endpoint you create. For example, if you have a "Purchases" endpoint that should only process valid webhooks from Stripe, you can add the "Webhook secure func" custom function before any other functions in that endpoint.
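The signature check that Steps 3 and 4 describe, written out as an added Python example (this is not Xano's function stack or Stripe's library code); the signing secret, event body and header are constructed here, and beyond what the steps above show it also rejects stale timestamps and uses a constant-time comparison, as Stripe's own libraries do.

```python
import hmac
import hashlib
import time

# Constructed values for this example; a real signing secret comes from the
# Stripe dashboard (it starts with "whsec_") and the payload is the raw request body.
WEBHOOK_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # Stripe's libraries reject timestamps older than 5 minutes by default


def parse_signature_header(header):
    """Split 't=...,v1=...,v0=...' into the timestamp and the list of v1 signatures."""
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":  # v0 is a test-mode signature and is ignored
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def compute_signature(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the signing secret."""
    signed_payload = f"{timestamp}.{payload}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload, header, secret=WEBHOOK_SECRET, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only if some v1 signature matches and the timestamp is fresh."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:  # stale or replayed event
        return False
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest does not leak which byte differed through timing
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def build_header(secret, timestamp, payload):
    """Constructed test helper that signs a body the way Stripe's servers would."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


if __name__ == "__main__":
    body = '{"type":"checkout.session.completed","id":"evt_constructed"}'
    header = build_header(WEBHOOK_SECRET, int(time.time()), body)
    print(verify_webhook(body, header), verify_webhook(body + " ", header))  # True False
```

In the Xano "Webhook secure func" precondition, a False result here corresponds to the "Access denied" branch that stops the endpoint before any other function runs.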
By following these steps, you'll have a secure webhook integration with Stripe on Xano, ensuring that the data you receive hasn't been tampered with and maintaining the integrity of your application.