Paddle Webhook Verification (using raw $_POST informartion (PHP))

jonbzode · August 17, 2024, 1:14pm

Hi All,
Hopefully someone can help / point me in the right direction?

I'm trying to custom verify webhook resonses from Paddle (Verify webhook signatures - Paddle Developer)
All is going well except for not being able to extract/use the raw $_POST response to use for hashing. ( [3. Build signed payload])
No matter what I try in server connect flow I just keep getting a 500 error response. I can access individual $_post variables fine but not the raw response.
I'm using wappler local server for testing (PHP v 8.0.13) so I can't use the paddle php sdk for this function as it requires PHP 8.1

Also found this on the PHP site:

If you want to receive application/json post data in your script you can not use $_POST. $_POST does only handle form data.
Read from php://input instead. You can use fopen or file_get_contents.

Example:

<?php $json = file_get_contents('php://input'); ?>

(Although I can seem to access the individual $_POST variable just fine?)

The question is how do i go about doing this in wappler?
I would build a custom extension but struggled to find a thorough tutorial / explanation of the process from start to finish.

Any help would be gratefully appreciated,
(using php and ngrok for receiving webhooks back to my local dev machine)
Many Thanks Jon

Apple · August 17, 2024, 1:24pm

May I suggest you JSON encode $_POST and use that resulting string to compute the hash? Unless you find a way to get the raw body of the request (which is preferable). Just check if the encode operation matches the raw body, so the hash is the same.

Wappler does request body processing so $_POST variables are already populated though a JSON decode operation, that's why you see variables even though Paddle's documentation says otherwise:

Couldn't you use an older version?

Edit: If this is too difficult you could just use a static secret in your webhook URL

jonbzode · August 17, 2024, 1:40pm

Thanks for the quick response
I like the idea of a static secret in the URL - That would be hidden/encypted info over HTTPS traffic would'nt it

the picture shows how using the $_post throws a 500

Apple · August 17, 2024, 1:48pm

Yes

It's best if you post the exact error message, error 500 is not very specific, though if I were to guess it's probably the toString formatter is not implemented for that variable type (Object), can you search the forum for a JSON encode formatter? It's not visible in Wappler editor. I also don't know if it's available in PHP or just NodeJS, though it's always an easy fix writing a custom formatter, but if you were to write a custom formatter you could probably get the raw body that way anyway.

You're welcome!

jonbzode · August 17, 2024, 1:53pm

I've been trying to find the full error code but not sure where the built in PHP server logs are!
Because it's a webhook callback I can't just look in browser developer tools for more info.
Thanks again

Apple · August 17, 2024, 2:21pm

Ngrok has a web interface where you can see past requests and replay, have you checked it?

jonbzode · August 18, 2024, 10:14am

Hadn't looked at that, have just been using the terminal app.
A wealth of information from this community - thanks

Apple · August 18, 2024, 7:39pm

The link is there in the terminal! It's a local web interface.

You're welcome!

Edit:

Maybe they're not written to a file, but just available here: