Re: Setting up and Verifying a Webhook

How to verify a webhook in an Azure function application?

Tristan14
Visitor

I am currently having issues verifying a webhook. 

The webhook is set up to go to an Azure function application. This is the code that I have:

const secret = "EXAMPLESECRET";

function verifyWebhookSignature(req) {
    const signature = req.headers["x-shopify-hmac-sha256"];
    const genSig = crypto.createHmac('sha256', secret).update(JSON.stringify(req)).digest("base64");
    console.log(genSig);
    return genSig === signature;
}

I am unsure if I should be creating an app and using the API secret, or if I should be using the signature in this screenshot.

[Screenshot: Tristan14_0-1682734781221.png]

Currently it is set to the signature in the screenshot, and the genSig never matches the x-shopify-hmac-sha256. I have been testing it with the "Send Test Notification" button, in case that helps.
Am I required to create an app? Currently I still receive all the information I need in the reqs; I just want to validate it for security reasons.

 

Replies 2 (2)

amit-dev
Tourist

Webhook signatures need app secrets for verification.

 

Refer Link 

Snappy_uk
Shopify Partner

Hi, did you solve this? We are having a similar issue. The 'hmac' never matches when doing the following with our secret key or webhook key in Remix:

 

export async function action({ request }) {
  const hmacHeader = request.headers.get('X-Shopify-Hmac-SHA256');

  const data = request.json();

  const SHOPIFY_APP_SECRET = process.env.SECRET; // Get Shopify secretkey from env variable

  const calculated_hmac = crypto.createHmac('sha256', SHOPIFY_APP_SECRET).update(JSON.stringify(data)).digest('base64');

  // These never match
  // hmacHeader == calculated_hmac;
  ...
}
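
Added example, not part of any post in this thread: Shopify computes the X-Shopify-Hmac-SHA256 value over the raw request body bytes, so this Node.js code verifies against those bytes with a constant-time comparison and shows that a parse-then-JSON.stringify round trip of the same payload no longer verifies. The secret, payload and function names are constructed for illustration, and the code takes the signing secret as a parameter without settling which secret applies to a given webhook.

```javascript
const crypto = require("crypto");

// Base64 HMAC-SHA256 over the exact bytes that arrived on the wire.
function computeHmac(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("base64");
}

// Compare the header value with the HMAC of the raw body in constant time.
function verifyWebhook(rawBody, hmacHeader, secret) {
  if (typeof hmacHeader !== "string" || hmacHeader.length === 0) return false;
  const expected = Buffer.from(computeHmac(rawBody, secret), "base64");
  const received = Buffer.from(hmacHeader, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not taken from the thread's real webhooks).
const SAMPLE_SECRET = "EXAMPLESECRET";
const SAMPLE_BODY = Buffer.from(
  '{"id": 1001, "total_price": 10.00, "email": "a@example.com"}',
  "utf8"
);
// Stands in for the header the sender would attach to SAMPLE_BODY.
const SAMPLE_HEADER = computeHmac(SAMPLE_BODY, SAMPLE_SECRET);

// Parsing and re-serialising changes the bytes: whitespace is dropped
// and 10.00 becomes 10, so the HMAC input is no longer what was signed.
function reserialised(rawBody) {
  const parsed = JSON.parse(rawBody.toString("utf8"));
  return Buffer.from(JSON.stringify(parsed), "utf8");
}

function demo() {
  return {
    rawBytes: verifyWebhook(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET),
    reserialisedJson: verifyWebhook(
      reserialised(SAMPLE_BODY), SAMPLE_HEADER, SAMPLE_SECRET),
    wrongSecret: verifyWebhook(SAMPLE_BODY, SAMPLE_HEADER, "NOT-THE-SECRET"),
    missingHeader: verifyWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
  };
}

console.log(demo());
```

In a handler, `rawBody` has to be read before any JSON parsing consumes the request body; how the unparsed bytes are exposed depends on the framework.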