Make sure you are hashing strings and not full objects

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the algorithms category.

Last Updated: 2021-05-15

When trying to get Stripe signature verification working in Laravel, I faced an issue where the signature verification kept failing.

Here was how the signature was computed:


private static function computeSignature($payload, $secret)
    return \hash_hmac('sha256', $payload, $secret);

As for the $payload parameter, I passed in the following to a function way up the abstraction ladder:

$request->input() // Laravel parses this into a PHP array. 

Anyway when I inspected what went down to computeSignature() it was Array - the literal word array.

What I should have done was taken the raw string input and passed that down.




When working with code that takes the hash of things, the exact object/type is as important as the content. Usually it should be a string.