Coming across a weird problem. When I receive the webhook for orders/create, the HMAC checks out fine and I can verify the webhook. I'm also getting a refunds/create event for a refund where the HMAC doesn't check out. It's always incorrect. The function to calculate the HMAC I have is below:
import base64
import hashlib
import hmac

def verify_webhook(data, hmac_header):
    digest = hmac.new(settings.SHOPIFY_API_SECRET, data, hashlib.sha256).digest()
    calculated_hmac = base64.b64encode(digest)
    return hmac.compare_digest(calculated_hmac, hmac_header)  # constant-time comparison
Any ideas why these two events would behave differently?
Your HMAC verify code certainly looks fine. Is the calculated HMAC very different from the header one?
Yup, that seems to be the case. I forgot that you can configure webhooks through the admin. From the documentation:
Webhooks created manually through the Shopify admin cannot be verified using the following technique.