Verifying Shopify Webhooks for Public apps

Solved
Shopify Partner

Hi, 

I have been looking for documentation on how to verify webhooks for public apps and I am unable to find any. From what I have gathered, private apps use a WEBHOOK_SIGNED_KEY available at the store admin level. I thought using API Key / API Secret could be an alternative for public apps, but that doesn't seem to be the case. The below code is what I have tried up till now. Thank you.

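import base64
import hashlib
import hmac

from django.http import Http404, JsonResponse
from django.views.decorators.csrf import csrf_exempt

# SHOPIFY_API_SECRET is assumed to be defined elsewhere (e.g. loaded from settings).

def verify_hmac(secret, body, shopify_hmac):
    # A request without the signature header can never be valid
    if not shopify_hmac:
        return False
    hash_code = hmac.new(secret.encode('utf-8'), body, hashlib.sha256)
    computed_hmac = base64.b64encode(hash_code.digest())
    # Constant-time comparison instead of ==
    return hmac.compare_digest(computed_hmac, shopify_hmac.encode('utf-8'))

@csrf_exempt
def save_webook_payload(request):
    if request.method == 'POST':
        # request.body is the raw request body as bytes
        shopify_hmac = request.headers.get('X-Shopify-Hmac-Sha256')
        if verify_hmac(SHOPIFY_API_SECRET, request.body, shopify_hmac):
            return JsonResponse({'data': 'Payload Received'}, safe=False)
        else:
            raise Http404("No such Page")

    raise Http404("No such Page")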

 

0 Likes
Shopify Partner

This is an accepted solution.

If you refer to this link, there's a Ruby version of the routine to validate the HMAC signature sent with the webhook request --> https://shopify.dev/tutorials/manage-webhooks. You should be able to use that as a basis for your Python code. Hope this helps!

0 Likes
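Added example (not part of the original thread and not Shopify's code): a framework-independent Python version of the check discussed above, run over a constructed secret and body. It shows that the digest only matches when it is computed over the exact bytes received with the exact configured secret; the function names, result labels and sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


def sign(secret: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the format compared against X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def check_webhook(secret: str, raw_body: bytes, header_value) -> str:
    """Return 'ok' or a reason label (hypothetical names) for rejecting the request."""
    if not header_value:
        return "missing-header"
    received = header_value.strip().encode("utf-8")
    if hmac.compare_digest(sign(secret, raw_body).encode("ascii"), received):
        return "ok"
    # Diagnostic for the receiver's own logs: the configured secret carries
    # stray whitespace (for example a trailing newline from an env file).
    if hmac.compare_digest(sign(secret.strip(), raw_body).encode("ascii"), received):
        return "secret-has-whitespace"
    return "mismatch"


def demo() -> dict:
    secret = "constructed-secret-not-a-real-key"  # constructed sample value
    raw = b'{"id": 1001,"email":"a@example.com",  "total":"10.00"}'  # constructed body
    header = sign(secret, raw)  # what a sender holding the same secret would attach
    # Parsing and re-serializing changes the bytes, so the digest no longer matches.
    reparsed = json.dumps(json.loads(raw)).encode("utf-8")
    return {
        "raw": check_webhook(secret, raw, header),
        "reparsed": check_webhook(secret, reparsed, header),
        "tampered": check_webhook(secret, raw.replace(b"10.00", b"0.01"), header),
        "no_header": check_webhook(secret, raw, None),
        "padded_secret": check_webhook(secret + "\n", raw, header),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```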
Shopify Partner

Thanks, still can't get computed_hmac and shopify_hmac to match. I have tried the app API secret key.  

0 Likes
New Member

Hi, I have the same issue. Can you resolve it?

Thanks in advance.

0 Likes
Shopify Partner

Sure, let me know what your problem is. 

0 Likes