Webhook verification hmac problems

New Member

We've been experiencing problems with the hmac verification for a few days; the webhook is triggered when a new payment is placed so that we can further process data on our side. The code is similar to the PHP one suggested here https://help.shopify.com/en/api/getting-started/webhooks#testing-webhooks

$hmac = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'];
$calculatedHmac = base64_encode(hash_hmac('sha256', $input, Settings::get('shopify_shared_secret'), true));

but the two, $hmac and $calculatedHmac, don't correspond. I've also tried to recreate the hash locally on my dev machine and it corresponds to the one calculated online, but is different from the one we get from Shopify.

Any idea? 

0 Likes
Shopify Staff

Hey @LoreX75,

 

"experiencing problems with the hmac verification for a few days"

Was the validation working fine at one point? Have any environment variables changed/removed? Are you able to share some basic demo code that's failing?

0 Likes
New Member

Hi @scottydont, many thanks for your response.

 

Yes, this used to work till about 2 weeks ago; our code is quite simple:

	public function actionWebhookOnProductUpdated()
	{
		$postdata = file_get_contents("php://input");

		$this->verifyWebhookCall($postdata);
...

and the function verifyWebhookCall is this

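	private function verifyWebhookCall($input) {

		// Header sent by Shopify; treat a missing header as an empty value
		$hmac = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
		// Base64 of the raw HMAC-SHA256 over the unmodified request body
		$calculatedHmac =
			base64_encode(hash_hmac('sha256', $input, Settings::get('shopify_shared_secret'), true));

		// hash_equals() compares in constant time, unlike !=
		if (!hash_equals($calculatedHmac, $hmac))
			throw new Exception(
...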

I can confirm that Settings::get('shopify_shared_secret') returns the correct secret, as I've logged it to double-check.

 

0 Likes
Shopify Staff

Interesting. If it's worked previously and the hash is calculated correctly locally, it points to a server change. Are you able to log the contents of php://input to confirm it's what you're expecting?

0 Likes
New Member

Actually, both locally and on the server the hash has the same value, but it differs from the one that arrived with the Shopify webhook; indeed, the JSON we get seems to be correct but does not correspond to the hash.

0 Likes
Shopify Staff

Hey @LoreX75,

 

I just ran a test on your store with success; I've DM'd you the details.

 

For anyone following along, I used the following code to confirm:

 

require 'rubygems'
require 'base64'
require 'openssl'

SHARED_SECRET = '<your secret from admin notifications>'
data = '<body from webhook>'

puts Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', SHARED_SECRET, data))

 

0 Likes
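Added example, not code from the thread or from Shopify: a Ruby verifier in the style of the snippet above, showing that the HMAC only matches the exact raw request bytes and that a body with identical JSON content but re-encoded bytes fails. The secret, the sample body and the helper names (`verify_webhook`, `body_fingerprint`, `reencode`) are constructed for illustration.

```ruby
require 'base64'
require 'digest'
require 'json'
require 'openssl'

# Constructed sample values for this example; not taken from the thread.
SAMPLE_SECRET = 'example-shared-secret'
SAMPLE_BODY = '{"id": 1001, "title": "Caf\u00e9 mug", "price": "12.50"}'

# Base64 of HMAC-SHA256 over the raw body, as in the snippets above.
def webhook_signature(secret, raw_body)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, raw_body))
end

# Constant-time string comparison, so timing does not leak the match position.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# header_hmac is the X-Shopify-Hmac-Sha256 value; raw_body must be the bytes
# exactly as received, read before any JSON parsing or charset conversion.
def verify_webhook(secret, raw_body, header_hmac)
  return false if header_hmac.nil? || header_hmac.empty?

  secure_equal?(webhook_signature(secret, raw_body), header_hmac.strip)
end

# Safe thing to log when hashes disagree: size and digest of the body,
# never the shared secret itself.
def body_fingerprint(raw_body)
  { bytes: raw_body.bytesize, sha256: Digest::SHA256.hexdigest(raw_body) }
end

# Same JSON content, different bytes: parse and re-encode the body.
def reencode(raw_body)
  JSON.generate(JSON.parse(raw_body))
end

if __FILE__ == $PROGRAM_NAME
  sent = webhook_signature(SAMPLE_SECRET, SAMPLE_BODY)
  puts "raw body verifies:        #{verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, sent)}"
  puts "re-encoded body verifies: #{verify_webhook(SAMPLE_SECRET, reencode(SAMPLE_BODY), sent)}"
  puts body_fingerprint(SAMPLE_BODY), body_fingerprint(reencode(SAMPLE_BODY))
end
```

Comparing the logged byte count and SHA-256 of the received body against the same values computed on the payload used for a manual test shows whether the body was altered before it reached the verifier.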