How to verify a webhook in an Azure function application?

Tristan14
Visitor
1 0 0

I am currently having issues verifying a webhook. 

The webhook is set up to go to an Azure function application. This is the code that I have:

const secret = "EXAMPLESECRET"

function verifyWebhookSignature(req) {
    const signature = req.headers["x-shopify-hmac-sha256"];
    const genSig = crypto.createHmac('sha256', secret).update(JSON.stringify(req)).digest("base64");
    console.log(genSig)
    return genSig === signature;
  }

I am unsure if I should be creating an APP and using the API Secret or if I should be using the signature in this screenshot?

Tristan14_0-1682734781221.png

Currently it is set to the signature in the screenshot and the genSig never matches the x-shopify-hmac-sha256. I have been testing it with the "Send Test Notification" button in case that helps.
Am I required to create an app? currently I still receive all the information I need in the req's I just want to validate it for security reasons. 

 

Replies 2 (2)

amit-dev
New Member
19 0 0

Webhooks signature needs app secrets for verification. 

 

Refer Link 

DomSnap
Shopify Partner
6 0 2

Hi, did you solve this because we are having a similar issue. The 'hmac' never matches doing the following with our secret key or webhook key in Remix:

 

export async function action({ request }) {
  const hmacHeader = request.headers.get('X-Shopify-Hmac-SHA256');

  const data = request.json();

  const SHOPIFY_APP_SECRET = process.env.SECRET; // Get Shopify secretkey from env variable

  const calculated_hmac = crypto.createHmac('sha256', SHOPIFY_APP_SECRET).update(JSON.stringify(data)).digest('base64');

  // These never match
  // hmacHeader == calculated_hmac;
  ...
}