HMAC signature is undefined

Peter_Nyboer
New Member
1 0 0

I have a nodejs app that gets order callbacks from our shopify store. It is working fine, but I've gotten several errors today from orders that come in and the signature (result from req.get('X-Shopify-Hmac-Sha256'); ) is "undefined".

Why would this be? What is this source of this POST request? Here's a code snippet.

 

// We'll compare the hmac to our own hash
    hmac = req.get('X-Shopify-Hmac-Sha256');
    console.log(`signature from order post: ${hmac}`);
    // Use raw-body to get the body (buffer)
    const body = JSON.stringify(req.body);
    if(SENDJSON===true){
      sendOrderEmail(body);
    }
    // Create a hash using the body and our key
    hash = crypto
      .createHmac('sha256', SHOPSECRET)
      .update(req.rawbody, 'utf8', 'hex')
      .digest('base64');

 

The log is showing this:

signature from order post: undefined

 

where it would normally show the actual signature. 
Anybody ever see this in their apps? Clearly I'm getting posts that are unsigned, would would indicate some sort of bad actor doing bad things! Any recommendations on what action I might want to take here? 

0 Likes