Fixed Verify webhook with signing secret is required, but UI implies it is optional


Well-known member
Affected version
If the "Verify webhook with signing secret" option for a stripe profile is not filled enabled and filled in, then any webhook will be rejected with; "Webhook received from Stripe could not be verified as being valid"

The wording and UX behaviour implies this would be optional, instead it causes the webhook to always fail verification.

Chris D

XenForo developer
Staff member
Oops :rolleyes:
if (empty($paymentProfile->options['signing_secret']) || empty($state->signature))
   return false;
Changing to:
if (empty($paymentProfile->options['signing_secret']))
   return true; // not enabled so pass

if (empty($state->signature))
   return false; // enabled but signature missing so fail

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue. It has now been resolved and we are aiming to include it in a future XF release (2.1.3).

Change log:
If a webhook signing signature is not entered, skip verifying the provided signature.
Any changes made as a result of this issue being resolved may not be rolled out here until later.