Solved

How to pass headers in shopify webhooks API

sangeetha_logu
Visitor
3 0 1

I need to pass a username and password for authentication to my destination address, which will be hit when the webhook is triggered. How do I pass the username and password as headers to the destination address? I also need to know the usage of fields in the webhook payload, and when and where they will be used.
Any solutions regarding this issue are welcome!
Thanks in advance!

Replies 4 (4)

SBD_
Shopify Staff
1829 269 406

Hey @sangeetha_logu,

Which credentials are you referring to? Could you store them on the server that's listening for webhooks? If you're just trying to verify the webhook originated from Shopify, here's how you can do that.

> and also i need the usage of fields in web hook payload and when& where it will be used

By specifying fields, you can reduce the size of the payload. E.g. "when a product is updated, only send me the product title". More info here.

Scott | Developer Advocate @ Shopify 

angeloghiotto
Shopify Partner
36 4 8

This is an accepted solution.

As @SBD_ said, the webhook already comes with a good way to verify its origin. I have a little function here for you, so you can verify it easily using PHP.

The HMAC ($hmac) comes through this header: "X-Shopify-Hmac-SHA256".

The shared secret ($shared_secret) is your app's secret key.

The $data is the raw input stream (you could get it through file_get_contents("php://input"), for example).

So this is the function:

function hashHMAC($hmac, $data, $shared_secret)
{
    // The header carries the digest base64-encoded; convert it to hex
    // so it matches hash_hmac()'s default hex output.
    $hmac = bin2hex(base64_decode($hmac));
    $computed_hmac = hash_hmac('sha256', $data, $shared_secret);

    // hash_equals() compares the two strings in constant time.
    return hash_equals($hmac, $computed_hmac);
}

So, if it returns TRUE it's from Shopify, otherwise nope.

I hope that helps you.

sangeetha_logu
Visitor
3 0 1

Thanks @angeloghiotto. Can you provide a solution without using PHP, since I am not going to use any controllers?

angeloghiotto
Shopify Partner
36 4 8

It is a simple function; it can be used as pure PHP and does not require any architectural pattern or framework.

Anyway, you can check out the functions on the official PHP website and "translate" them to your current language if you are not using PHP. Also, @SBD_ linked "how to do the verify", which has a Ruby implementation that can also help you figure it out in the programming language that you are using.
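
A Ruby translation of the check discussed in this thread, added here as an example (it is not code from the thread or from Shopify's documentation). The method names, secret and payload are constructed for illustration; the demo also shows why the HMAC has to be computed over the raw request body rather than over re-serialized JSON.

```ruby
require 'openssl'
require 'base64'
require 'json'

# The X-Shopify-Hmac-SHA256 header holds the base64-encoded HMAC-SHA256 of the
# raw request body, keyed with the app's shared secret (same inputs as the PHP
# function in the accepted answer).
def webhook_hmac(raw_body, shared_secret)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', shared_secret, raw_body))
end

# Hypothetical helper name. raw_body must be the bytes exactly as received,
# read before any JSON parsing.
def shopify_webhook_authentic?(header_hmac, raw_body, shared_secret)
  return false if header_hmac.nil? || raw_body.nil? # header absent: reject
  expected = webhook_hmac(raw_body, shared_secret)
  received = header_hmac.strip
  # fixed_length_secure_compare raises on unequal lengths, so check first.
  return false unless received.bytesize == expected.bytesize
  OpenSSL.fixed_length_secure_compare(received, expected)
end

# Constructed sample values, not real Shopify data.
SAMPLE_SECRET = 'constructed-example-secret'
SAMPLE_BODY   = '{"id": 1, "title": "Example product"}'
SAMPLE_HEADER = webhook_hmac(SAMPLE_BODY, SAMPLE_SECRET) # what the sender would attach

def demo_results
  # Parsing and re-generating JSON drops the spaces, so the bytes (and the HMAC) change.
  reserialized = JSON.generate(JSON.parse(SAMPLE_BODY))
  {
    valid:             shopify_webhook_authentic?(SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_SECRET),
    tampered_body:     shopify_webhook_authentic?(SAMPLE_HEADER, SAMPLE_BODY.sub('1', '2'), SAMPLE_SECRET),
    reserialized_body: shopify_webhook_authentic?(SAMPLE_HEADER, reserialized, SAMPLE_SECRET),
    missing_header:    shopify_webhook_authentic?(nil, SAMPLE_BODY, SAMPLE_SECRET),
    wrong_secret:      shopify_webhook_authentic?(SAMPLE_HEADER, SAMPLE_BODY, 'another-secret')
  }
end

puts demo_results if __FILE__ == $PROGRAM_NAME
```

A handler should reject the request (for example with a 401 response) whenever the check returns false, before acting on the payload.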