HMAC calculation correct on orders/create but wrong on refunds/create

Shopify Partner

Coming across a weird problem. When I receive the webhook for orders/create, the HMAC checks out fine and I can verify the webhook. I'm also getting a refunds/create event for a refund where the HMAC doesn't check out. It's always incorrect. The function to calculate the HMAC I have is below: 

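    import base64, hashlib, hmac

    def verify_webhook(data, hmac_header):
        # data must be the raw request body bytes; the key is encoded to bytes for hmac.new
        hash = hmac.new(settings.SHOPIFY_API_SECRET.encode("utf-8"), data, hashlib.sha256)
        calculated_hmac = base64.b64encode(hash.digest())

        # Constant-time comparison of the two base64 values
        return hmac.compare_digest(calculated_hmac, hmac_header.encode("utf-8"))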

Any ideas why these two events would behave differently?

Excursionist

Your HMAC verify code certainly looks fine. Is the calculated HMAC very different from the header one?

Shopify Staff

If you could add some logging to your request handlers, you could pull out the X-Request-Id from the header. All our requests are logged like that so we can get some really deep insight into what is going on and can work on the exact same data you had when the request came in.

Shopify Partner

I think I figured it out. The hooks configured in the admin UI aren't verifiable, while the hooks configured via the API and installed apps check out fine. Is that the correct understanding?

Excursionist

Yup, that seems to be the case. I forgot that you can configure webhooks through the admin. From the documentation:

Webhooks created manually through the Shopify admin cannot be verified using the following technique.

http://docs.shopify.com/api/tutorials/using-webhooks#verify-webhook

Shopify Staff

We are working on fixing that right now. As you can see, the admin-created webhooks are now being signed. There will be a change going out that will expose that signing key to you. I'll also update the documentation appropriately.

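The situation discussed in this thread, as an added example that is not part of any post and not Shopify's own code: one endpoint receives webhooks signed with different keys, so the verifier tries each configured key over the raw body and logs the X-Request-Id when none matches. The secret labels, key values, request ids and payloads are constructed for illustration, and a separate signing key for admin-created webhooks is assumed from the last reply.

```python
import base64
import hashlib
import hmac
import logging

log = logging.getLogger("webhooks")

def compute_hmac(secret: bytes, raw_body: bytes) -> bytes:
    """Base64-encoded HMAC-SHA256 over the exact bytes received."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest())

def verify_webhook(raw_body: bytes, headers: dict, secrets: dict):
    """Return the label of the key that verifies the request, or None.

    secrets maps a label (hypothetical names such as "app" and "admin")
    to key bytes, so differently signed webhooks can share one endpoint.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    received = hdrs.get("x-shopify-hmac-sha256", "").encode("utf-8")
    for label, secret in secrets.items():
        # Constant-time comparison; every key is tried against the same body
        if hmac.compare_digest(compute_hmac(secret, raw_body), received):
            return label
    # Record the request id so the failure can be matched to the sender's logs
    log.warning("webhook HMAC mismatch topic=%s request_id=%s",
                hdrs.get("x-shopify-topic"), hdrs.get("x-request-id"))
    return None

# Constructed sample data, not real keys or payloads
APP_SECRET = b"constructed-app-secret"
ADMIN_KEY = b"constructed-admin-signing-key"
SECRETS = {"app": APP_SECRET, "admin": ADMIN_KEY}
ORDER_BODY = b'{"id": 1001, "total_price": "19.99"}'
REFUND_BODY = b'{"id": 2002, "order_id": 1001}'

def demo():
    order = {"X-Shopify-Topic": "orders/create", "X-Request-Id": "req-constructed-1",
             "X-Shopify-Hmac-Sha256": compute_hmac(APP_SECRET, ORDER_BODY).decode("ascii")}
    refund = {"X-Shopify-Topic": "refunds/create", "X-Request-Id": "req-constructed-2",
              "X-Shopify-Hmac-Sha256": compute_hmac(ADMIN_KEY, REFUND_BODY).decode("ascii")}
    return (
        verify_webhook(ORDER_BODY, order, SECRETS),               # signed with the app secret
        verify_webhook(REFUND_BODY, refund, SECRETS),             # signed with the other key
        verify_webhook(REFUND_BODY, refund, {"app": APP_SECRET}), # the symptom in the thread
        verify_webhook(REFUND_BODY + b" ", refund, SECRETS),      # body altered after signing
    )
```

The third call reproduces the mismatch from the first post: the signature is valid, but not under the only key the handler knows. The fourth shows why the HMAC must be computed over the raw request bytes rather than a re-serialized body.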