How can I create a matching HMAC value to verify a Shopify WebHook in .NET?

Tim_Bigarelli
Visitor

Hi,

I have set up a WebHook and I have been able to capture the event. My next step is to sort out security. I have created a C# .NET Web API as the endpoint of the WebHook. Does anyone have sample code of how I do it? I was following the sample on stackoverflow (http://stackoverflow.com/questions/13254907/how-can-i-create-a-matching-hmac-value-to-verify-a-shopi...) however it is not complete. Does anyone have .NET sample code?

Thanks

Tim Bigarelli


Chris_Saunders
Shopify Staff

It's pretty straightforward. You use your API Secret as the key for an HMAC SHA256 then take the body of the HTTP Post and run that through your HMAC. Generate a hexdigest from the result (I know in Java Crypto involves using bytes and stuff) and compare that to the included digest header that was sent in the request.

I'm working on a ruby tool and have a completely isolated aspect that verifies the integrity of a webhook. You can check it out here.

Chris | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Tim_Bigarelli
Visitor

I got the code working. For the benefit of other .NET devs you can use the following.


        using System;
        using System.IO;
        using System.Security.Cryptography;
        using System.Text;
        using System.Web;

        private static bool Validate(string sharedSecretKey)
        {
            // HMAC the raw request bytes rather than a decoded-then-re-encoded string, so the
            // digest covers exactly the bytes Shopify signed (a non-UTF-8 ContentEncoding or an
            // invalid byte sequence would otherwise change the input and break the match)
            var dataBytes = GetStreamAsBytes(HttpContext.Current.Request.InputStream);
            var keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);

            // use the HMACSHA256 class (keyed hash, keyed with the shared secret) to compute the digest
            byte[] hmacBytes;
            using (var hmac = new HMACSHA256(keyBytes))
            {
                hmacBytes = hmac.ComputeHash(dataBytes);
            }

            // Shopify sends its digest base64-encoded in the X-Shopify-Hmac-Sha256 header of the
            // POST request. Compare it with our base64 digest; if they match, the call is verified.
            var hmacHeader = HttpContext.Current.Request.Headers["x-shopify-hmac-sha256"];
            var createdSignature = Convert.ToBase64String(hmacBytes);
            return hmacHeader != null && FixedTimeEquals(hmacHeader, createdSignature);
        }

        private static byte[] GetStreamAsBytes(Stream stream)
        {
            // CopyTo loops until end of stream, so it is not fooled by a single short Read()
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                stream.Seek(0, SeekOrigin.Begin); // reset stream so that normal ASP.NET processing can read data
                return buffer.ToArray();
            }
        }

        // constant-time comparison: a plain == stops at the first differing character, which
        // leaks through response timing how much of a forged signature was correct
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            var diff = 0;
            for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
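The same check that Chris describes and Tim implements above, written for ASP.NET Core (which has no HttpContext.Current) as an added example; this is not Tim's code or Shopify's, and it assumes a runtime with CryptographicOperations.FixedTimeEquals (.NET Core 2.1 or later) and that the caller supplies the shared secret from configuration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example, not Tim's or Shopify's code: the same verification for ASP.NET Core,
// which has no HttpContext.Current. The secret is passed in by the caller (assumed to
// come from configuration, never from the request itself).
public static class ShopifyWebhookVerifier
{
    // Pure check over the raw body bytes, so it can be unit-tested without an HttpContext.
    public static bool IsValid(byte[] rawBody, string hmacHeader, string sharedSecret)
    {
        if (string.IsNullOrEmpty(hmacHeader)) return false;

        byte[] expected;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(sharedSecret)))
            expected = hmac.ComputeHash(rawBody);

        // Shopify sends the digest base64-encoded; a malformed header is simply invalid.
        byte[] provided;
        try { provided = Convert.FromBase64String(hmacHeader); }
        catch (FormatException) { return false; }

        // Constant-time comparison: a plain == would reveal, via response timing,
        // how many leading bytes of a forged digest were correct.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }

    // Entry point for a controller or middleware: reads the raw body exactly as it
    // arrived on the wire (no decode/re-encode round trip) and rewinds it afterwards.
    public static async Task<bool> IsValidAsync(HttpRequest request, string sharedSecret)
    {
        request.EnableBuffering(); // allow the body to be read again by model binding

        byte[] body;
        using (var ms = new MemoryStream())
        {
            await request.Body.CopyToAsync(ms); // CopyToAsync loops until EOF
            body = ms.ToArray();
        }
        request.Body.Position = 0;

        return IsValid(body, request.Headers["X-Shopify-Hmac-Sha256"], sharedSecret);
    }
}
```

Call IsValidAsync before any model binding touches the body, and reject the request with a 401 when it returns false.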


Chris_Saunders
Shopify Staff

Thanks so much Tim! That's awesome 🙂

Chris | Shopify 

Ryan_Mariotti
Tourist

Chris,

I am trying to use the Shopify Webhooks feature in order to ping a custom URL that we have created, but my Shopify Webhook requests are missing the needed "x-shopify-hmac-sha256" request header in order to authenticate.

http://requestb.in/1a6b5471?inspect

These 2 requests are from using the "send test notification" feature but that header is also missing from live requests.

Do I need to activate something to see that "x-shopify-hmac-sha256" request header? Once I see this, I can use Tim's code (thanks!) to validate the request. Thanks for the help!

Ryan

Chris_Saunders
Shopify Staff

Ryan,

Currently webhooks created via the Admin cannot be signed because they don't have a secret. We've been talking about this internally and are looking into some ways to solve the solution. It'll most likely be a secret associated with a shop that you can use to validate these messages.

If you want to verify messages, you can create a private app and register the webhooks with that instead. Those requests will include an HMAC.

Chris | Shopify 

Ryan_Mariotti
Tourist

OK. So at least I'm not missing anything. An idea: use the shared secret from a Private App. Thus, when a user is creating a webhook, optionally allow authenticating it by choosing a Private App.

How can I monitor this to know if/when an update to the webhook feature is completed? Thanks, Chris

Ryan

Chris_Saunders
Shopify Staff

You can subscribe to the API Announcements section. Only Shopify employees can submit articles so you shouldn't need to worry about too much spam/unrelated content from that section.

Chris | Shopify 

Grant_Morgan1
Shopify Partner

You rock mate! That was such an easy fix!