Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
I believe I have configured my mandatory webhooks correctly. But the automated webhook HMAC signature verification which is done when submitting an app for the store listing review keeps failing for me.
I have verified that the webhook works as expected in two ways:
1- When I install my app in a test store, and uninstall it, after around 2 days I get a call to my webhook for data removal, as expected. It is processed normally and returns a 200 as documented.
2- If I call the webhook e.g. using cURL with an invalid payload containing a wrong signature, I get a 401 as expected.
3- I can see my webserver logs for both cases.
However, when running the automated shopify verification, I can't see any logs. It simply fails after a 5-15mins with no specific error or anything. So I can't really troubleshoot what's going on, as it doesn't seem that Shopify is actually calling my webhooks with any data. How exactly is this verification being done then?
Solved! Go to the solution
This is an accepted solution.
I keep getting notifications from here and I already provided the answer, I don't understand what is the difficulty. The "App URL" that you configure in the app settings also have to implement HMAC verification, because that's the URL that users are redirected to after they click the "install app" button
to test this, go to your app dashboard and click on "Test on development store", and then click "Install App" on one of the stores. You will notice it will redirect you to the "App URL" configured above, with HMAC and other parameters. You need to validate that in order to pass the automated test.
I have the same issue.
Have you any new information?
Yes, turns out the "webhook verifier" not only verifies webhooks, but also verifies the installation page. You need to implement HMAC validation there too. And also on the "open app" page even though that one wasn't checked by the "webhook verifier", but probably will in the future. That one has an extra query parameter `session` that isn't documented anywhere I could find...
How can i do it? Can you help me?
i have the same problem ,how to solve?
installation page?where is?
Can you give us more details please ?
This is has been an absolute joke. Implemented my shopify app with with @Shopify/shopify-app for node. The hmac works through the cli trigger but its just this app submission that keeps failing. Anybody find a fix? I tried the installation page as well didn't fix.
Same issue here, we need help from shopify people, documentation is really unclear and we have no logs to know what's wrong.
I also configured the mandatory webhooks with hmac verification but it's not working.
Did anyone find a solution please ?
I resolved this issue. We need to verify HMAC URL from config
I already verify hmac signature. What do you mean by verify hmac url please ?
You can write a log in index file check request.
Later run the test and check this log, it will show the URL needs to be verified
Can you be more clear? I'm checking for hmac on my webhook path. when i test locally via cli its working. its just this app submission
Ex php:
1. add code file_put_contents('/var/www/html/var/log/test.log', json_encode($_SERVER), FILE_APPEND); to file index.php
2. click the button re-run
3. view file /var/www/html/var/log/test.log. URI has a URL that needs to be verified
I got this same problem. my php code via Laravel Framework. and configuration "Mandatory compliance webhooks", For example ,https://www.xxx.com/shopify/shopRedact. use chrome browser visit https://www.xxx.com/shopify/shopRedact,it work fine. but run the automated webhook HMAC signature verification ,it's always hints error. then I open the index.php(it's in Laravel framework dir public/index.php),and use following code,it's pass automated signature verification.hope it can help you.
php code:
I am facing same issue.do you get any solution please tell me.
This is an accepted solution.
I keep getting notifications from here and I already provided the answer, I don't understand what is the difficulty. The "App URL" that you configure in the app settings also have to implement HMAC verification, because that's the URL that users are redirected to after they click the "install app" button
to test this, go to your app dashboard and click on "Test on development store", and then click "Install App" on one of the stores. You will notice it will redirect you to the "App URL" configured above, with HMAC and other parameters. You need to validate that in order to pass the automated test.
Validated this and still didn't pass the test. Anybody using shopify-api-js and figure this out?
Hi, Below is the app url and Allowed redirection URL(s) i've added
APP URL : https://laravel.***.io/
Allowed redirection URL(s) : https://laravel.***.io/shopifyGenerateToken
When I'm clicking the test on development store then I can able to install the app and then redirect to app page in admin.shopify.com
Below is HMAC verification code I've added in each complience webhooks functions.
I could solve this issue adding a middleware for the root route (/) as this is my config url route. This is the code I used in the middleware to solve the issue and finally complete the tests for app submission.
So in case your App URL is https://your-url.example.com/ you need to configure the / route.
{
try {
const query = req.query;
const parameters = [];
for (const key in query) {
if (key != 'hmac') {
parameters.push(key + '=' + query[key]);
}
}
const message = parameters.sort().join('&');
const digest = crypto
.createHmac('sha256', 'your-secret-here')
.update(message)
.digest('hex');
if (digest === query.hmac) {
return next();
}
res.sendStatus(401);
} catch (e) {
res.sendStatus(401);
}
}