Solved

Seeking Assistance in Verifying Shopify Webhook

Cesi_EG
Tourist
3 1 0

I am seeking assistance in verifying a test shopify webhook for a private app in ASP.NET MVC. When generating/calculating the digital signature hash, it creates a value that conflicts with the expected result. We have tried implementing code from this link here to create the matching values for the verification process. https://community.shopify.com/c/Shopify-APIs-SDKs/How-can-I-create-a-matching-HMAC-value-to-verify-a...

 

Attached below is a trimmed down version of the code we use that goes over all of the relevant parts. If anything seems omitted that might cause such issues, any help to address those would be greatly appreciated. 

 

//begin code

var inputStream = HttpContext.Current.Request.InputStream;
inputStream.Position = 0;
string requestBody = await new StreamReader(inputStream).ReadToEndAsync();
Log.Error("read the request body");
Log.Error(requestBody);
var hmacHeaderValues = Request.Headers.FirstOrDefault(kvp => kvp.Key.Equals("X-Shopify-Hmac-SHA256", StringComparison.OrdinalIgnoreCase)).Value;
if (hmacHeaderValues.Count() < 1)
{
    Log.Error("could not find X-Shopify-Hmac-SHA256");
return false;
}
string hmacHeader = hmacHeaderValues.First();
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(System.Configuration.ConfigurationManager.AppSettings["AppSecret"]));
 
string hash = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody)));
 
Log.Error("Generated: " + hash);
Log.Error("Comparing to: " + hmacHeader);
 
if (hash != hmacHeader)
{
    Log.Error("Given and generated hash values did not match");
return false;
}
 
return true;
//end code
Accepted Solution (1)

Cesi_EG
Tourist
3 1 0

This is an accepted solution.

Issue was resolved. The wrong token was being used. The right token was under the test webhook. The token that was originally used was the admin shared token in the private apps page. 

View solution in original post

Replies 5 (5)

Cesi_EG
Tourist
3 1 0

This is an accepted solution.

Issue was resolved. The wrong token was being used. The right token was under the test webhook. The token that was originally used was the admin shared token in the private apps page. 

Ufi
Shopify Partner
11 0 0

Hi,

I am using nuget package library ShopifySharp that has all the methods covert for Shopify API

ShopifySharp

 

toguknives
New Member
7 0 0

@Cesi_EG I am having a similar issue, and I suspect I may be using the wrong token as well. Could you describe where you found the correct one in a little more detail?

 

Thanks!

Cesi_EG
Tourist
3 1 0

It's been a while since I had to look at this particular section of my code but I can certainly try to refresh my memory. If I recall based on my posts, the value I should have been trying to get was noted around the bottom of the page in Settings > Notifications. You should see a section titled Webhooks there. When I used the phrasing "under the webhook" in my solution, I meant under the webhook section on the Shopify admin page > Settings > Notifications as pictured here. The place where the arrow points is where the token you want to get for verification is.  shopify.PNG

 

pallavi57
Shopify Partner
5 0 2

I am facing similar issue.. The webhook is successful using the signature at the bottom of notification page in the settings page of the shop store. But how can we run this in production. the app is supposed to be installed in various stores