FROM CACHE - en_header
Promotion image

Verifying a webhook received from shopify using hmac.

Verifying a webhook received from shopify using hmac.

goutham_kishore
Shopify Partner
5 0 0
‎06-08-2023 05:16 AM

I am trying to verify the webhook using this function. The webhook is created through the API and shopifyApiSecret is the Client Secret for our app.

 

async function validateHmac(req: Request) {
let shopifyApiSecret=config.shopifyAppSecret;

let hmac:any = req.headers['x-shopify-hmac-sha256'];
const message = JSON.stringify(req.body);
const generatedHash = crypto
.createHmac('sha256', shopifyApiSecret)
.update(message)
.digest('base64');
console.log({message,generatedHash,hmac})

const signatureOk = crypto.timingSafeEqual( Buffer.from(generatedHash),Buffer.from(hmac));
if (signatureOk) {
return true;
} else {
return false;
}
}

 

 

But the function always returns false and the generatedHash and hmac are not equal on inspection.   
Can anyone let me know if there is anything wrong with the implementation? Thanks in advance.

277 Views
0 Likes
Report
Replies 0 (0)

Community Blog Articles

shopp-e-1741972742895593780274096851.png
Canadian merchants: Update account details by March 24, 2025 to continue us...

Shopify and our financial partners regularly review and update verification requiremen...

By Jacqui Mar 14, 2025
Shopify_0-1741780029041.png
New learning path from Shopify Academy: How to create a digital marketing s...

Unlock the potential of marketing on your business growth with Shopify Academy's late...

By Shopify Mar 12, 2025
CRO-Community-Promo.jpg
Expert insights on conversion rate optimization (CRO) from Shopify Academy ...

Learn how to increase conversion rates in every stage of the customer journey by enroll...

By Shopify Mar 5, 2025
Terms of Service Privacy Policy