How can I create a matching HMAC value to verify a Shopify WebHook in .NET?

Highlighted
New Member
2 0 2

Hi,

I have set up a WebHook and I have been able to capture the event.  My next step is to sort out security.  I have created a C# .NET Web API as the endpoint of the WebHook.  Does anyone have sample code of how our I do it?  I was following the sample on stackoverflow (http://stackoverflow.com/questions/13254907/how-can-i-create-a-matching-hmac-value-to-verify-a-shopi...) however it is not complete.  Does anyone have .NET sample code?

Thanks

Tim Bigarelli

0 Likes
Highlighted
Shopify Staff
Shopify Staff
582 0 48

It's pretty straightforward. You use your API Secret as the key for an HMAC SHA256 then take the body of the HTTP Post and run that through your HMAC. Generate a hexdigest from the result (I know in Java Crypto involves using bytes and stuff) and compare that to the included digest header that was sent in the request.

I'm working on a ruby tool and have a completely isolated aspect that verifies the integrity of a webhook. You can check it out here

0 Likes
Highlighted
New Member
2 0 2

I got the code working.  For the benefit of other ,NET devs you can use the following

 

        private static bool Validate(string sharedSecretKey)
        {
            var data = GetStreamAsText(HttpContext.Current.Request.InputStream, HttpContext.Current.Request.ContentEncoding);
            var keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
            var dataBytes = Encoding.UTF8.GetBytes(data);

            //use the SHA256Managed Class to compute the hash
            var hmac = new HMACSHA256(keyBytes);
            var hmacBytes = hmac.ComputeHash(dataBytes);

            //retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
            var hmacHeader = HttpContext.Current.Request.Headers["x-shopify-hmac-sha256"];
            var createSignature = Convert.ToBase64String(hmacBytes);
            return hmacHeader == createSignature;
        }

        private static string GetStreamAsText(Stream stream, Encoding encoding)
        {
            var bytesToGet = stream.Length;
            var input = new byte[bytesToGet];
            stream.Read(input, 0, (int)bytesToGet);
            stream.Seek(0, SeekOrigin.Begin); // reset stream so that normal ASP.NET processing can read data
            var text = encoding.GetString(input);
            return text;
        }

 

2 Likes
Highlighted
Shopify Staff
Shopify Staff
582 0 48

Thanks so much Tim! That's awesome :)

0 Likes
Highlighted
Tourist
4 0 3

Chris,

I am trying to use the Shopify Webhooks feature in order to ping a custom URL that we have created, but my Shopify Webhook requests are missing the needed "x-shopify-hmac-sha256" request header in order to authenticate.

http://requestb.in/1a6b5471?inspect

These 2 requests are from using the "send test notification" feature but that header is also missing from live requests.

Do I need to activate something to see that "x-shopify-hmac-sha256" request header?  Once I see this, I can use Tim's code (thanks!) to validate the request.  Thanks for the help!

Ryan

0 Likes
Highlighted
Shopify Staff
Shopify Staff
582 0 48

Ryan,

Currently webhooks created via the Admin cannot be signed because they don't have a secret. We've been talking about this internally and are looking into some ways to solve the solution. It'll most likely be a secret associated with a shop that you can use to validate these messages.

If you want to verify messages, you can create a private app and register the webhooks with that instead. Those requests will include an HMAC

0 Likes
Highlighted
Tourist
4 0 3

OK.  So at least I'm not missing anything.  An idea: use the shared secret from a Private App.  Thus, when user is creating a webhook, optionally allow authenticating it by choosing a Private App.

How can I monitor this to know if/when an update to the webhook feature is completed?  Thanks, Chris

Ryan

0 Likes
Highlighted
Shopify Staff
Shopify Staff
582 0 48

You can subscribe to the API Announcements section. Only Shopify employees can submit articles so you shouldn't need to worry about too much spam/unrelated content from that section.

0 Likes
Highlighted
Shopify Partner
1 0 0

You rock mate! That was such an easy fix!

0 Likes