C# SHA-256 Validation

Solved
Highlighted
Shopify Partner
19 1 1

I'm trying to validate a webhook request and going by the RUBY/PHP/Python examples I tried this in C# .Net Core 2.2

 

string myContent = Convert.ToString(content);
byte[] myKey = Encoding.UTF8.GetBytes("MySigningSecret");
byte[] myBody = Encoding.UTF8.GetBytes(myContent);

string computed;

using (HMACSHA256 hmac = new HMACSHA256(key: myKey))
{
byte[] rawcomp = hmac.ComputeHash(myBody);
computed = Convert.ToBase64String(hmac.ComputeHash(myBody));
}

 

It never matches the header Base64 value, the content is converted to string because on the initial call the webhook the JSON is set to a dynamic type. Any ideas?

0 Likes
Highlighted
Shopify Partner
1689 207 339

Can't spot any issue with the code. Pretty much the same as the IsAuthenticWebhook method in https://github.com/nozzlegear/ShopifySharp/blob/ffc1ea7701e52e8074e6bf0d500f240ff4ace493/ShopifyShar...

 

Are you sure the the value of MySigningSecret is correct and matches the one setup with the app?

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
0 Likes
Highlighted
Shopify Partner
19 1 1
Yep, I've quadruple checked the secret. And to expand, this is a web hook set up under the notifications in the store settings. I'm wondering if the conversion from a dynamic to a string is doing something. I noticed when the content is converted it contains returns and new lines. I've tried leaving them there and removing them, all to no positive effect.
0 Likes
Highlighted
Shopify Partner
1689 207 339

This is an accepted solution.

I doubt the conversion is having an impact, but you can check that debugging and watching the value you get as body request and compare with what you get from calling Convert.toString()

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
0 Likes
Highlighted
Shopify Partner
19 1 1

This is an accepted solution.

Well, visually I couldn't tell a difference. But length wise when I compared the two (the converted vs the raw body) the converted content was 33% larger ~6k vs ~9k, so I took the raw stream and read that into a byte array. Comparing the computed hash from the raw it matched.  Thank you Sergui for your input!

0 Likes