WebHook signature check fails when using PSR-7 message header lines

[davidlung]

php version 7.4.7
stripe-php version: 7.49.0

Use case:

I'm using the stripe CLI to listen and forward webhooks to my dev application.
Before execute the webhook at my application, i have to verify the confidentiality of the requrest by passing the stripe-signature header and the webhook secret to Webhook::constructEvent.

Approach
I use a PSR-7 message object to get the http header line for stripe-signature and pass it to construct the event.

Problem
The stripe-signature header consists of multiple and comma separated values. The PSR-7 message explodes multiple header values and saves internal as array. When get the header line from PSR message, the message implodes these values back into a normalized comma separated single value, where as each comma (can) has a trailing whitespace.

e.g. from t=xxxxxx,v1=xxxxxxxx,v0=xxxxxxx to t=xxxxxx, v1=xxxxxxxx, v0=xxxxxxx

Stripe uses Stripe\WebhookSignature::getSignatures(header, scheme) to extract the header values by exploding by comma and '='. For getting the signatures, it checks for the given scheme e.g. "v1" to collect the value.

The sticking point is an prepended whitespace at the exploded value schemes. The check " v1" === "v1" fails and no signatures are collected which results in a verification error.

Solution
Use trim whitespace before compare scheme.

private static function getSignatures($header, $scheme)
{
        $signatures = [];
        $items = \explode(',', $header);

        foreach ($items as $item) {
            $itemParts = \explode('=', $item, 2);
            if (trim($itemParts[0]) === $scheme) {  // <----------- trim whitespaces
                \array_push($signatures, $itemParts[1]);
            }
        }

        return $signatures;
}

[ianjabour-stripe]

@davidlung thank you for filing this issue, we have the fix in progress.

One thing we just wanted to clarify is the use case which is causing the failure. We just want to be sure we can thoroughly reproduce this on our end.

We are wondering why PSR-7 cannot preserve formatting and how difficult it would be to bypass the tool and use the original formatting from the header.

We hesitate to merge this change because when our client libraries check the webhook signature they expect to be passed the exact raw header that they got from Stripe, and we don't want to relax this restriction without a truly compelling reason.

[davidlung]

This is not the point of PSR-7 directly, the most PSR-7 libraries (e.g. Guzzle, one of the most popular or psr-7 by Nyholm from Symfony core team) are considering the RFC for http messages which defines the following part (OWS, Optional whitespaces):

For protocol elements where optional whitespace is
preferred to improve readability, a sender SHOULD generate the
optional whitespace as a single SP

However, a lot of people using these libraries that implode multiple field values with whitespace, therefore this is not a individual issue which can be handled by the developer who uses this library.

RFC:
https://tools.ietf.org/html/rfc7230#section-3.2.3
Guzzle psr-7:
https://github.com/guzzle/psr7/blob/master/src/MessageTrait.php#L68
Nyholm:
https://github.com/Nyholm/psr7/blob/master/src/MessageTrait.php#L75

[ianjabour-stripe]

@davidlung thank you for taking the time to file this issue and provide context around PSR-7. The team decided to merge in the suggested change which should hopefully unblock you.

[ilhanby]

$event = \Stripe\Webhook::constructEvent(
$payload, $sig_header, 'example_webhook_secret', 600
);

This solved my problem, I hope it solves the problem of other people living in it.