Shopoify API status=401 Unauthorized error

rs
Tourist
23 0 1

I keep receiving emails about a 401 - Unauthorized error even though the inital webhook was successful.

I am always rendering a 'json: {success: true} '  so im not sure why it keeps retrying these webhooks

Everything is working fine on the app im just afraid that shopify might flag me because it keeps sending unsuccessful webhooks.

am i fine or is there something i might be missing thats causing this?

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 305

Hey there,

Are you ensuring that you are sending a 200 response to the webhook requests? Anything outside the 200 range will not be interpreted as successful.

Cheers.

0 Likes
rs
Tourist
23 0 1

yes i am, the webhook comes in succeful and sometimes it comes with a 401 unauthorized check these logs that were minutes apart 

2017-09-21T15:25:10.304333+00:00 heroku[router]: at=info method=POST path="/hooks/checkout_update" host=shopify.***********.io request_id=******* fwd="*******" dyno=web.1 connect=1ms service=34ms status=200 bytes=395 protocol=https
2017-09-21T15:19:36.152043+00:00 heroku[router]: at=info method=POST path="/hooks/checkout_update" host=shopify.*******.io request_id=******** fwd="*********" dyno=web.1 connect=0ms service=12ms status=200 bytes=290 protocol=https

 

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 305

Hey again,

If it isn't too much to ask, can I ask for your target host URL? I can check our logs for webhooks being fired in that direction to see what's up from our perspective.

Cheers.

0 Likes
rs
Tourist
23 0 1

sure, its shopify.contactflow.io

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 305

Hey,

I can't say exactly why your client is reponding with a 401 request but I can see that clear as day in our logs to confirm. Are you validating by calculating the digital signature? If I had to guess, maybe you're returning a 401 if the hmac does not calculate properly? This appears to be entirely on your end.

Cheers.

0 Likes
tomasdelaveau
Tourist
16 0 1

Hey Alex, I'm having the same issue even though the webhook is successfully hitting my development machine, and the hmac is being verified.

class Api::V1::ShopifyWebhooksController < Api::V1::BaseController

  skip_before_filter :verify_authenticity_token, only: %i[product_update]

  before_action :check_signature

  def check_signature
    verify_webhook(request)
  end

  def verify_webhook(request)
    domain = request.headers["X-Shopify-Shop-Domain"]
    header_hmac = request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
    digest = OpenSSL::Digest.new("sha256")
    request.body.rewind
    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ENV['WEBHOOKS_TOKEN'], request.body.read)).strip

    puts "header hmac: #{header_hmac}"
    puts "calculated hmac: #{calculated_hmac}"

    puts "Verified:#{ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, header_hmac)}"
  end

  def product_update

    c = ShopConnection.find_by(shopify_pid: params["id"])
    if c
      master = c.master
      master.get_shopify_data
    end

    respond_to do |format|
      msg = { :status => "ok", :message => "Success!", bleh: params }
      format.json  { render :json => msg } # don't do msg.to_json

      # @webhook_data.process_tags
    end
  end

end
0 Likes