Make sure you are hashing strings and not full objects

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job.

Last Updated: 2024-03-28

When trying to get Stripe signature verification working in Laravel, I faced an issue where the signature verification kept failing.

Here was how the signature was computed:

<?php

private static function computeSignature($payload, $secret)
{
    return \hash_hmac('sha256', $payload, $secret);
}

As for the $payload parameter, I passed in the following to a function way up the abstraction ladder:

<?php 
$request->input() // Laravel parses this into a PHP array. 

Anyway, when I inspected what went down to computeSignature(), it was Array - the literal word array.

What I should have done was take the raw string input and pass that down.

<?php

$request->getContent()
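
The failure described above, reproduced without Laravel as an added example (not code from the original project). The secret and JSON body are constructed sample values, `verify()` is a hypothetical helper, and `$rawBody` / `$parsed` stand in for `$request->getContent()` / `$request->input()`.

```php
<?php
// Added example. All values below are constructed; no real Stripe secret or event.
$secret  = 'constructed_test_secret';
$rawBody = '{"id": "evt_test", "data": {"url": "https://example.com/a"}}';

function computeSignature(string $payload, string $secret): string
{
    return hash_hmac('sha256', $payload, $secret);
}

// Hypothetical helper: constant-time comparison of the received signature
// against the HMAC we compute ourselves.
function verify(string $payload, string $signature, string $secret): bool
{
    return hash_equals(computeSignature($payload, $secret), $signature);
}

// The sender signs the exact bytes it transmits.
$signature = computeSignature($rawBody, $secret);

// Stand-in for $request->input(): the body parsed into a PHP array.
$parsed = json_decode($rawBody, true);

$candidates = [
    // Stand-in for $request->getContent(): the bytes as received.
    'raw body'        => $rawBody,
    // Array forced into string context; "@" hides PHP's conversion warning.
    'array as string' => @"{$parsed}",
    // Re-serialising drops the original whitespace and escapes "/" by default,
    // so the bytes differ even though the data is the same.
    're-encoded JSON' => json_encode($parsed),
];

foreach ($candidates as $label => $payload) {
    printf(
        "%-16s %s => %s\n",
        $label,
        $payload,
        verify($payload, $signature, $secret) ? 'verified' : 'REJECTED'
    );
}
```

Only the raw body verifies: re-encoding the parsed array is not a workaround, because the HMAC covers bytes rather than the data they decode to.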

Lesson

When working with code that takes the hash of things, the exact object/type is as important as the content. Usually it should be a string.