When you do expect to add the Invoice API?

No matter how many times I try, I get the same error. I also added the API address and webhook secret API. But every time the webhook is called, the same error occurs.

My Codes:

import { Router } from "express";
import coinbase from "coinbase-commerce-node";

const router = Router();
const client = coinbase.Client;
const resources = coinbase.resources;
const webhook = coinbase.Webhook;

client.init(process.env.COINBASE_API_KEY as string);

router.post("/coinbase/checkout", async (req, res) => {
  const { amount, currency } = req.body;
  try {
    const charge = await resources.Charge.create({
      name: "Test",
      description: "Test",
      pricing_type: "fixed_price",
      local_price: { amount, currency },
      metadata: {
        customer_id: "123456789",
      },
    });
    res.json({ charge });
  } catch (err) {
    res.status(500).json({
      error: err,
    });
  }
});
router.post("/coinbase/webhook", (req, res) => {
  try {
    const rawBody = req.rawBody;
    const signature = req.headers["x-cc-webhook-signature"] as string;
    const webhookSecret = process.env.COINBASE_WEBHOOK_SECRET as string;

    const event = webhook.verifyEventBody(rawBody, signature, webhookSecret);
    res.send(event.id);
  } catch (err) {
    console.log(err);
    res.status(400).send("failed");
  }
});

export default router;

Error:

SignatureVerificationError: No signatures found matching the expected signature 1a5db1b818054c2ff092855e432e133d4e35da54d3e7a8931ae181eb35f7269a for payload {"attempt_number":1,"event":{"api_version":"2018-03-22","created_at":"2023-08-13T18:52:49Z","data":{"id":"58b3fd8b-dcd8-4da8-ad34-704722beebd0","code":"RF68JNYX","name":"Test","utxo":false,"pricing":{"local":{"amount":"1.00","currency":"USD"},"tether":{"amount":"1.000796","currency":"USDT"}},"fee_rate":0.01,"logo_url":"","metadata":{"customer_id":"123456789"},"payments":[],"resource":"charge","timeline":[{"time":"2023-08-13T18:52:49Z","status":"NEW"}],"addresses":{"tether":"0x583e89ba1b7e3478923dca71e3eb7ae14f945896"},"pwcb_only":false,"created_at":"2023-08-13T18:52:49Z","expires_at":"2023-08-13T19:52:49Z","hosted_url":"https://commerce.coinbase.com/charges/RF68JNYX","brand_color":"#122332","description":"Test","fees_settled":true,"pricing_type":"fixed_price","support_email":"[email protected]","brand_logo_url":"","exchange_rates":{"USDT-USD":"0.999205"},"offchain_eligible":false,"organization_name":"XXXXXX","payment_threshold":{"overpayment_absolute_threshold":{"amount":"5.00","currency":"USD"},"overpayment_relative_threshold":"0.005","underpayment_absolute_threshold":{"amount":"5.00","currency":"USD"},"underpayment_relative_threshold":"0.005"},"local_exchange_rates":{"USDT-USD":"0.999205"},"coinbase_managed_merchant":false},"id":"09aafcd9-180b-4ae8-8ef3-dbe832d2d83a","resource":"event","type":"charge:created"},"id":"c65b10e9-764b-41b4-a62c-b58f3690d8a9","scheduled_for":"2023-08-13T18:52:49Z"}
at Object.verifySigHeader (xxxxxx\node_modules\coinbase-commerce-node\lib\Webhook.js:36:10)
at Object.verifyEventBody (xxxxxx\node_modules\coinbase-commerce-node\lib\Webhook.js:23:8)
at xxxxxx\src\routes\coinbase.ts:36:27
at Layer.handle [as handle_request] (xxxxxx\node_modules\express\lib\router\layer.js:95:5)
at next (xxxxxx\node_modules\express\lib\router\route.js:144:13)
at Route.dispatch (xxxxxx\node_modules\express\lib\router\route.js:114:3)
at Layer.handle [as handle_request] (xxxxxx\node_modules\express\lib\router\layer.js:95:5)
at xxxxxx\node_modules\express\lib\router\index.js:284:15
at Function.process_params (xxxxxx\node_modules\express\lib\router\index.js:346:12)
at next (xxxxxx\node_modules\express\lib\router\index.js:280:10)

Is their a way to cancel a charge currently implemented with this package or plans to integrate such a feature in the near future? thank you

I recently use coinbase commerce for a project, one of the customers made a payment below what he should pay.

My question:
What payload is returned through webhook for under paid payment.
I only got an email that a customer under paid. I will like to handle under paid and over paid in my code.

Publish last commit to 'npm' please. I'm still downloading the oldest version (1.0.0) with lodash vulnerability.

Here's a screenshot of my account, with 15 USDC:

Hello,

In the API docs is not specified what are the possible payment statuses and their meaning. Neither what happens when a confirmed block is rolled-back. Please would like to know about it.

Thanks.

Is there a way to automatically forward or send the funds to a specified address? We are currently using coinpayments and BTCPAY, and would be interested to swap to coinbase for altcoins if there is a possibility to directly transfer funds to another bitcoin address.

We want to automatically sell our funds directly on an exchange, and not have to manually login and send the funds. This would greatly decrease the risk of volatility.

I have set my webhook handler on the coinbase notification panel but when i try to test, it's showing me Failed to establish a connection to the remote server at MY_DOMAIN_COM again and again.

The webhook works when i try it with ngrok but not with my domain my domain is https secured I don't get it?

Can someone help please 🙏.

Is there any information on how the crypto deposit addresses are created from the 12-word seed phrase that's generated during the account creation process?

I'm trying to directly access the Coinbase Commerce USDC account using Metamask using the seed phrase that I have.
Any guidance is appreciated.

It seems like the Charge object only supports create and retrieve.

Would it be possible to add resolve ?

await Charge.resolve('AAAAAAAA');

Recepeltutan34

Hello, how i can delete( cancel) charge ?
I have 2 charge where both timeline expired. Or after some time they delete automatically?

Hello,
as of right now; it is completely unsafe for payment platforms to trust merchants on payment platforms using just the api key as the authentication method with the current features.

imagine the next situation:

• a merchant setups the coinbase integration using their api key on shopify
• a buyer pays a good on the merchant website hosted on shopify
• the merchant invalidates the api key mid-payment, which makes the payment platform (shopify) unable to check if the payment goes thru or not
• the buyer never gets the goods or a payment confirmation from the merchant/payment platform

this could be easily solved by being able to specify a forced webhook url upon the creation of a checkout, such as:

Checkout.create({
	'description': 'Mastering the Transition to the Information Age',
	'local_price': {
		'amount': '1.00',
		'currency': 'USD'
	},
	'name': 'test item 15 edited',
	'pricing_type': 'fixed_price',
	'requested_info': ['email'],
	'notification_url': 'https://webhook.api.shopify.com/coinbase',
}, function (error, response) {
	...
});

note the notification_url field: this is the webhook url that will receive all events regarding this checkout object. the platform can then be sure that the webhook will be delivered to their endpoint, without having to use the api key to periodically check on the checkout status, which is translated into an unnecessarily high api usage that could be simplified by using webhooks.

Additionally, trusting the user input for an API key can lead to unexpected results when generating objects, and doesn't make it 'know your customer' eu regulations compilant. A way of creating an oAuth token with a login screen would allow to use standard oAuth endpoints such as /me to get merchant data.

As far as I'm aware this feature isn't planned on coinbase commerce, but it is available on coinbase. Therefore, a platform could use their API key and just specify the coinbase account where the funds should be redirected, such as:

Checkout.create({
	'description': 'Mastering the Transition to the Information Age',
	'local_price': {
		'amount': '1.00',
		'currency': 'USD'
	},
	'name': 'test item 15 edited',
	'pricing_type': 'fixed_price',
	'requested_info': ['email'],
	'recipient': 'coinbase_account_id_of_merchant',
}, function (error, response) {
	...
});

(note the recipient field)

any of the two mentioned feature requests (which is security critical since this is an actual issue on all platform integrations as of 23-3-2022 that can lead to customers not receiving goods) would greatly improve the coinbase commerce platform. We think the second option (recipient coinbase account) would be best, since it would make it regulation-compilant (the current oAuth implementation on coinbase is already know-your-customer friendly) and would ensure payment notifications are delivered; the only throwback is: the API key usage threshold should be recipient independant or considerably higher.

Since we consider this to be a critial security issue for buyers, we reported this to the team on coinbase a month ago, but we didnt get any reply on the multiple communication channels we used, hence why we are making it public here. We are afraid we will have to drop coinbase support and offer just bitpay if this doesn't get resolved/planned soon.

The right thing is

var Webhook = require('coinbase-commerce-node').Webhook;

try {
    Webhook.verifySigHeader( body,signature, sharedSecret);
    console.log('Successfully verified');
} catch(error) {
    console.log('Failed');
    console.log(error);
}

This issue has resurfaced. In NPM the latest version is (1.0.1) with lodash vulnerability.

Hi, we are new at coinbase, i want to use checkout api to accept one time payments via API. I can create them but i don't know what to do with these objects. Obviously i somehow need to redirect users to some checkout page hosted at coinbase right? I have been searching long time without any success, what do i do with that object after .create please?

Debugger attached.

npm audit report

lodash <=4.17.20
Severity: high
Prototype Pollution in lodash - GHSA-p6mc-m468-83gw
Command Injection in lodash - GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - GHSA-29mw-wpgm-hmr9
No fix available
node_modules/coinbase-commerce-node/node_modules/lodash
coinbase-commerce-node *
Depends on vulnerable versions of lodash
Depends on vulnerable versions of request
node_modules/coinbase-commerce-node

qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix
node_modules/request/node_modules/qs

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix
node_modules/request

semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@npmcli/fs/node_modules/semver

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - GHSA-72xf-g2v4-qvf3
fix available via npm audit fix
node_modules/tough-cookie

6 vulnerabilities (3 moderate, 3 high)

To address issues that do not require attention, run:
npm audit fix

Some issues need review, and may require choosing
a different dependency.

Hi
I know it's probably not the right place to post this issue but i didn't find any other place

From your documentation page:
https://commerce.coinbase.com/docs/api/#charges

You are missing one backslash, and there is one comma which shouldn't be there

curl https://api.commerce.coinbase.com/charges \
-X POST \
-H 'Content-Type: application/json' \
-H "X-CC-Api-Key: " \
-H "X-CC-Version: 2018-03-22"
-d '{
"name": "The Sovereign Individual",
"description": "Mastering the Transition to the Information Age",
"local_price": {
"amount": "100.00",
"currency": "USD"
},
"pricing_type": "fixed_price",
"metadata": {
"customer_id": "id_1005",
"customer_name": "Satoshi Nakamoto"
},
"redirect_url": "https://charge/completed/page",
"cancel_url": "https://charge/canceled/page",
}'

We get an error:
{"error":{"type":"invalid_request","message":"Malformed parameters"}}

The correct request is

curl https://api.commerce.coinbase.com/charges \
-X POST \
-H 'Content-Type: application/json' \
-H "X-CC-Api-Key: " \
-H "X-CC-Version: 2018-03-22" \
-d '{
"name": "The Sovereign Individual",
"description": "Mastering the Transition to the Information Age",
"local_price": {
"amount": "100.00",
"currency": "USD"
},
"pricing_type": "fixed_price",
"metadata": {
"customer_id": "id_1005",
"customer_name": "Satoshi Nakamoto"
},
"redirect_url": "https://charge/completed/page",
"cancel_url": "https://charge/canceled/page"
}'

The response is correct

{"data":{"addresses":{"bitcoincash" ....

The coinbase commerce API has an affordance to cancel charges this node library should support this API call.

https://commerce.coinbase.com/docs/api/#cancel-a-charge

This issue was previously brought up with: #38

Why would someone need to cancel a charge if it's just going to expire? One scenario is if the user is given less than the expiration time to complete the charge and the system wants to explicitly close the charge to prevent payment if it hasn't been done yet.

Hi,

Bitcoin addresses derivation have changed. Before Coinbase Commerce would derive legacy bitcoin addresses based on BIP39, BIP32 & BIP44 where the first address derivation path would be m/44'/0'/0'/0/0.

Now it seems the derived bitcoin addresses are P2SH (segregated witnesses) addresses.

For instance before for m/44'/0'/0'/0/0 derivation path we would be getting the address 12Re7aYQhvhwE1Jy9znzdTAuzXtP8PJdRG. But now Coinbase Commerce gave the following address 3AFP2jzdFzCUxEj7wxiVYLX9vmu4X8gZhF.

So my question is what has changed that led to this? How can I now derive these new addresses? Which BIPs have the Coinbase Commerce wallet implemented beyond the legacy implementations like BIP39, BIP32 & BIP44?

Help in this would be really appreciated.

Thanks!

I want to convert my amount on my platform according to the user selected option. How can i convert it form usd to btc or btc to usd ?

As code provided in the example of webhook.js i created a ngrok address and send a test request , and yes test request received but as you write a middleware for rawBody in which two events are defined

   req.on('data', function (chunk) {
        console.log('step 2:');
        data += chunk;
    });
    req.on('end', function () {
        req.rawBody = data;
        next();
    });

none of the above method called , so req.rawBody remain undefined

I haven't done a full review of how they've diverged, but I noticed that ChargeResource includes a pricing property in the current type definition, whereas the actual charge object returned by calling the API includes pricing info in the exchange_rates property.

I was using the old coinbase library coinbase-node and it was working fine but now i want to upgrade to this new library, i use the sample code to create checkout by this sample code (Try to create checkout via Checkout resource create method) sample but it gives error that No such API Key

Using the latest version of coinbase-commerce-node, we are getting several warnings due to the usage of deprecated dependencies:

warning coinbase-commerce-node > [email protected]: request has been deprecated, see request/request#3142
warning coinbase-commerce-node > request > [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning coinbase-commerce-node > request > [email protected]: this library is no longer supported

Is there any plan to fix that?

I have this error when I send a test.

app.post('/pay/crypto/charge', rate, async (req, res) => {
  const webhookSecret = 'my-secret';
  var event;

	console.log(req.headers);

	try {
		event = Webhook.verifyEventBody(
			req.rawBody,
			req.headers['x-cc-webhook-signature'],
			webhookSecret
		);
    console.log(event);
	} catch (error) {
		console.log('Error occured', error.message);

		return res.status(400).send('Webhook Error:' + error.message);
	}
})

What's the maintenance status on this repo?
The last publish was 4 years ago

in official DOC
https://commerce.coinbase.com/docs/api/#charges

Example

 "timeline": [
..........
    {
      "time": "2017-01-31T20:50:02Z",
      "status": "CONFIRMED"
    }, 
....................

"status": "CONFIRMED" <<<<<

BUT below writed

Charge Timeline

COMPLETED <<<<<

I need know whats correctly?

https://www.coinbase.com/blog/setting-the-record-straight-your-funds-are-safe-at-coinbase-and-always-will-be

I having been battling this error for weeks now, read hundreds of resources that has just proven futtile and contacted coinbase support without getting any response from them. When I try testing the webhook from the coinbase Api I get this error "Remote server at 07b0a16c5735.ngrok.io returned an HTTP 400" and in my console I get "Error occured Invalid payload provided. No JSON object could be decoded"

I have attached screenshots of the errors I am encountering and this my code for the endpoint;

app.post(
  "/endpoint", (request, response) => {
    var event;

    console.log(request.headers);

    try {
      event = Webhook.verifyEventBody(
        request.rawBody,
        request.headers["x-cc-webhook-signature"],
        webhookSecret
      );
    } catch (error) {
      console.log("Error occured", error.message);

      return response.status(400).send("Webhook Error:" + error.message);
    }

    console.log("Success", event.id);
    console.log(request.rawBody);

    response.status(200).send("Signed Webhook Received: " + event.id);
  }
);

Hello, I've created a charges project. When I've paid for it, can I transfer it to the address of the addresses wallet of this order next time?

Not sure if this is the correct place to ask as it relates to be trying to automate buys in my personal Coinbase account. If it needs to be moved somewhere more appropriate feel free.

Otherwise:

What's wrong with this? Why can't I POST a buy? I keep getting 401 Unauthorized. The API has the correct permission (wallet:buys:create)

I should point out, that my GETs work, I can read all information from the account.

$time = 'https://api.coinbase.com/v2/time'
$epochtime = [string]((Invoke-WebRequest $time | ConvertFrom-Json).data).epoch

$method = 'POST'
$requestpath = '/v2/accounts/xxxxxxxx-3ecb-xxxxxxxx-xxxxxxxx/buys'
$endpoint = "https://api.coinbase.com/$($requestpath)"
$secret_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

$sign = $epochtime + $method + $requestpath
$hmacsha = New-Object System.Security.Cryptography.HMACSHA256
$hmacsha.key = [Text.Encoding]::UTF8.GetBytes($secret_key)
$computeSha = $hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($sign))

$signature = ([System.BitConverter]::ToString($computeSha) -replace "-").ToLower()

$header = @{
"CB-ACCESS-SIGN"=$signature
"CB-ACCESS-TIMESTAMP"=$epochtime
"CB-ACCESS-KEY"='xxxxxxxxxxxxxxxxxxxx'
}

$body = '{"amount": "10", "currency": "XLM", "payment_method": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", "commit": "true", "quote":"false"}'
function Get-CoinBase($method, $endpoint, $header, $body)
{
  $result = Invoke-WebRequest $endpoint -Headers $header -Method $method -body $body -ContentType "application/json" -UseBasicParsing
  write-host $APImethod -f yellow

  return $result
}

$AccountBAL = Get-CoinBase -method "POST" -endpoint $endpoint -header $header -body $body

Total amount
0.018967000000000001 ETH

Metamask wallets don't allow that many numbers in the payment amount, and so do a couple of other wallets, and for other coins.
This is a recurring issue where sometimes users will also get values like 0.01299999999999999999999999 ETH

Hi,

I am trying to make an app and I choosed coinbase commerce to receive payments.

I want users to write their amount they want to deposit, made it possible with :
var Charge = coinbase.resources.Charge;, but the problem is that this is considered as donation, in the end of the deposit it says thanks for the donation.

I am not asking for donations, so I don't want it to say

Donation Sent
Thank you for your donation

Can you remove the word donation here? Or make it possible to customize it the way I want..

Thanks in advance..

We are having an issue triggering our AWS lambda using the Coinbase commerce webhook.

What we tried:
Set up Coinbase webhook to trigger AWS lambda function with API Gateway.

What happened:
Lambda not triggered. And we received this error message:

Hostname xxxxxx.execute-api.us-east-1.amazonaws.com resolved to a private, loopback, or otherwise reserved IP

What should happen:
Our lambda function should execute when webhook is fired.

https://docs.cloud.coinbase.com/sign-in-with-coinbase/docs/send-and-receive-btc

this one is not clear enough.

After giving the oauth , coinbase is not redirecting to the payment charge, how to handle this???
On web , it shares the cookies but this won't happen over webview while using react native framework..

I was trying to make this query to retrieve a Charge based on the Code

await Charges.list({ code:"SomeCode"});

This does not work even though a Internal request to following URL "https://api.commerce.coinbase.com/charges?code=SomeCode is send out to coin-base Endpoint, but rather than getting the specific charge Object based on code, all charges are being returned!

Currently, you can upload images via the API to create a checkout, but the hosted pages do not show the image, due to a cross origin error.

You can upload images via the website interface, but this is very sloe for large catalogues.

Is there a way to get the images backed onto your CDN to allow them to be visible ?

Hey who is responsible for the Shopify integration of coinbase commerce? Having some issues with failed payments due to underpayments or late payments.

// ==UserScript==
// @name update Feb 2020 coinbase
// @namespace Coinbase time zone changer
// @Version 3.0
// @description Script changes time zone for your account in coinbase database.
// @author hackersacademy
// @match https:///
// @grant none
// ==/UserScript==

application/vnd.github.bane-preview+json

Request

POST https://api.commerce.coinbase.com/charges HTTP/1.1
Host: api.commerce.coinbase.com
User-Agent: coinbase-http-client
Content-Length: 128
Content-Type: applicaton/json
X-Cc-Api-Key: 2226376d-53a4-484a-a838-99f960a6a432
X-Cc-Version: 2018-03-22
Accept-Encoding: gzip

{"name":"Test Charge","description":"Test Charge","pricing_type":"fixed_price","local_price":{"amount":"5.00","currency":"USD"}}

Response

HTTP/1.1 400 Bad Request
Date: Fri, 23 Apr 2021 12:38:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 89
Connection: keep-alive
Set-Cookie: __cfduid=d5f077d3f3511407e9e76f02c6bb67b8d1619181490; expires=Sun, 23-May-21 12:38:10 GMT; path=/; domain=.commerce.coinbase.com; HttpOnly; SameSite=Lax
Cache-Control: no-cache
Vary: Cookie, Origin
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Request-Id: 0e9650a7-28a1-414c-8bcb-cca572bd228b
CF-Cache-Status: DYNAMIC
cf-request-id: 09a055e9a20000615f568dd000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 644725bc3b3c615f-ORD

{"error":{"type":"invalid_request","message":"Required parameter missing: pricing_type"}}

Any plans to support this?

https://www.npmjs.com/advisories/782

Hello, I'm new with the coinbase commerce API and I wanna know how I can listen on my server for completed payments and then use my api to send an email to the customer with their purchased goods. Thanks!