I am trying to verify incoming webhook signatures in C# using the following code.
```csharp
public async Task<bool> Validate(string sharedSecretKey, HttpRequest request)
{
```
Hey, sorry to hear about this problem. Before digging further, can you please check out this issue and see if the suggestions made here solve the problem you're facing?
Thanks,
Alex
To learn more visit the Shopify Help Center or the Community Blog.
Hi, I am confident the value being used for the secret does not contain any spaces or quotes and it is the same value used during the integration creation. My only idea at the moment is the encoding of the request, but the docs do not provide a C# example and I have tried many different approaches to this and get the same outcome.
Thanks
Hi,
Your code looks good. The only things I can think of that could be wrong:
- you're using the wrong key
- you're using the wrong encoding (i.e. it's not UTF-8 for some reason)
Maybe you could debug and actually look at the incoming body.
This is an accepted solution.
Hi,
Managed to resolve the issue; it seems I needed to change the way I was getting the value from the HMAC header.
```csharp
// Namespaces this method relies on:
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

private async Task<bool> ValidateShopifySignature(HttpRequest req, string clientSecret)
{
    Microsoft.Extensions.Primitives.StringValues header;
    req.Headers.TryGetValue("X-Shopify-Hmac-Sha256", out header);
    string? hmacHeader = header.FirstOrDefault();
    if (!string.IsNullOrWhiteSpace(hmacHeader))
    {
        var sharedSignatureBytes = Encoding.UTF8.GetBytes(clientSecret);
        using var hmac = new HMACSHA256(sharedSignatureBytes);
        // Copy the request body to a memory stream then convert it to a byte[].
        using MemoryStream dataStream = new();
        await req.Body.CopyToAsync(dataStream);
        var dataBytes = dataStream.ToArray();
        // Compute the HMAC-SHA256 of the raw body, keyed with the client secret.
        var generatedHmacHashBytes = hmac.ComputeHash(dataBytes);
        var generatedSignature = Convert.ToBase64String(generatedHmacHashBytes);
        // Compare that signature to the one that Shopify generated and sent over,
        // in constant time so the comparison does not leak how many characters matched.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(hmacHeader),
            Encoding.UTF8.GetBytes(generatedSignature));
    }
    else
    {
        return false;
    }
}
```
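An added example (not part of the original posts and not Shopify's code): the same check reduced to a function over the raw body bytes, so the failure modes raised in this thread (wrong secret, changed body bytes, unusable header value) can be exercised without an HTTP request. `WebhookHmac`, `Verify`, the secret and the sample body are hypothetical names and constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class WebhookHmac   // hypothetical helper, not from the thread
{
    // True only when headerValue is the Base64 HMAC-SHA256 of rawBody under secret.
    public static bool Verify(string secret, byte[] rawBody, string? headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue)) return false;

        // Decode the header into a fixed 32-byte buffer (SHA-256 output size);
        // malformed or wrong-length values are rejected instead of throwing.
        byte[] received = new byte[32];
        if (!Convert.TryFromBase64String(headerValue.Trim(), received, out int written)
            || written != received.Length)
            return false;

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] expected = hmac.ComputeHash(rawBody);
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }
}

static class Demo
{
    static void Main()
    {
        const string secret = "constructed-test-secret";   // constructed, not a real secret
        // Constructed sample body; the sender signs these exact bytes.
        byte[] body = Encoding.UTF8.GetBytes("{\"id\":1,\"note\":\"caf\u00e9\"}");
        using var sender = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        string header = Convert.ToBase64String(sender.ComputeHash(body));

        // Same JSON after a parse/re-serialize round trip: different bytes.
        byte[] reserialized = Encoding.UTF8.GetBytes("{ \"id\": 1, \"note\": \"caf\u00e9\" }");

        Console.WriteLine("raw body, right secret: " + WebhookHmac.Verify(secret, body, header));
        Console.WriteLine("re-serialized body:     " + WebhookHmac.Verify(secret, reserialized, header));
        Console.WriteLine("secret with a space:    " + WebhookHmac.Verify(secret + " ", body, header));
        Console.WriteLine("malformed header:       " + WebhookHmac.Verify(secret, body, "not-base64!"));
        Console.WriteLine("missing header:         " + WebhookHmac.Verify(secret, body, null));
    }
}
```

In ASP.NET Core, `rawBody` has to be the bytes read from `Request.Body` before model binding or JSON parsing has consumed the stream.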