C# SHA-256 Validation

Solved
Highlighted
Shopify Partner
17 1 0

I'm trying to validate a webhook request and going by the RUBY/PHP/Python examples I tried this in C# .Net Core 2.2

 

string myContent = Convert.ToString(content);
byte[] myKey = Encoding.UTF8.GetBytes("MySigningSecret");
byte[] myBody = Encoding.UTF8.GetBytes(myContent);

string computed;

using (HMACSHA256 hmac = new HMACSHA256(key: myKey))
{
byte[] rawcomp = hmac.ComputeHash(myBody);
computed = Convert.ToBase64String(hmac.ComputeHash(myBody));
}

 

It never matches the header Base64 value, the content is converted to string because on the initial call the webhook the JSON is set to a dynamic type. Any ideas?

0 Likes
Shopify Partner
839 82 125

Can't spot any issue with the code. Pretty much the same as the IsAuthenticWebhook method in https://github.com/nozzlegear/ShopifySharp/blob/ffc1ea7701e52e8074e6bf0d500f240ff4ace493/ShopifyShar...

 

Are you sure the the value of MySigningSecret is correct and matches the one setup with the app?

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
0 Likes
Shopify Partner
17 1 0
Yep, I've quadruple checked the secret. And to expand, this is a web hook set up under the notifications in the store settings. I'm wondering if the conversion from a dynamic to a string is doing something. I noticed when the content is converted it contains returns and new lines. I've tried leaving them there and removing them, all to no positive effect.
0 Likes

Success.

Shopify Partner
839 82 125

I doubt the conversion is having an impact, but you can check that debugging and watching the value you get as body request and compare with what you get from calling Convert.toString()

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
0 Likes

Success.

Shopify Partner
17 1 0

Well, visually I couldn't tell a difference. But length wise when I compared the two (the converted vs the raw body) the converted content was 33% larger ~6k vs ~9k, so I took the raw stream and read that into a byte array. Comparing the computed hash from the raw it matched.  Thank you Sergui for your input!

0 Likes