Automated webhook check failing on HMAC verification for mandatory webhooks

gpkcaminha
Shopify Partner
4 1 1

I believe I have configured my mandatory webhooks correctly. But the automated webhook HMAC signature verification which is done when submitting an app for the store listing review keeps failing for me.

 

I have verified that the webhook works as expected in two ways:

1- When I install my app in a test store, and uninstall it, after around 2 days I get a call to my webhook for data removal, as expected. It is processed normally and returns a 200 as documented.

2- If I call the webhook e.g. using cURL with an invalid payload containing a wrong signature, I get a 401 as expected.

3- I can see my webserver logs for both cases.

 

However, when running the automated Shopify verification, I can't see any logs. It simply fails after 5-15 mins with no specific error or anything. So I can't really troubleshoot what's going on, as it doesn't seem that Shopify is actually calling my webhooks with any data. How exactly is this verification being done then?


Accepted Solution (1)

gpkcaminha
Shopify Partner
4 1 1

This is an accepted solution.

I keep getting notifications from here and I already provided the answer, I don't understand what the difficulty is. The "App URL" that you configure in the app settings also has to implement HMAC verification, because that's the URL that users are redirected to after they click the "install app" button.

 


 

To test this, go to your app dashboard and click on "Test on development store", and then click "Install App" on one of the stores. You will notice it will redirect you to the "App URL" configured above, with HMAC and other parameters. You need to validate that in order to pass the automated test.


Replies 19 (19)

daoduc
Shopify Partner
4 0 0

I have the same issue.

Have you any new information?

gpkcaminha
Shopify Partner
4 1 1

Yes, turns out the "webhook verifier" not only verifies webhooks, but also verifies the installation page. You need to implement HMAC validation there too. And also on the "open app" page even though that one wasn't checked by the "webhook verifier", but probably will in the future. That one has an extra query parameter `session` that isn't documented anywhere I could find...

Cober
Shopify Partner
1 0 0

How can I do it? Can you help me?

 

lvjun
Shopify Partner
4 0 2

I have the same problem, how to solve it?

lvjun
Shopify Partner
4 0 2

Installation page? Where is it?

FyRo
Shopify Partner
9 0 4

Can you give us more details please?

throwaway-12
Shopify Partner
5 0 1

This has been an absolute joke. Implemented my Shopify app with @Shopify/shopify-app for Node. The HMAC works through the CLI trigger but it's just this app submission that keeps failing. Anybody find a fix? I tried the installation page as well, didn't fix.

FyRo
Shopify Partner
9 0 4

Same issue here, we need help from Shopify people, documentation is really unclear and we have no logs to know what's wrong.
I also configured the mandatory webhooks with HMAC verification but it's not working.
Did anyone find a solution please?

daoduc
Shopify Partner
4 0 0


I resolved this issue. We need to verify HMAC URL from config

FyRo
Shopify Partner
9 0 4

I already verify the HMAC signature. What do you mean by verify HMAC URL please?

daoduc
Shopify Partner
4 0 0

You can write a log in the index file to check the request.
Then run the test and check this log; it will show the URL that needs to be verified.

throwaway-12
Shopify Partner
5 0 1

Can you be more clear? I'm checking for HMAC on my webhook path. When I test locally via CLI it's working. It's just this app submission.

daoduc
Shopify Partner
4 0 0

Example in PHP:
1. Add the code `file_put_contents('/var/www/html/var/log/test.log', json_encode($_SERVER), FILE_APPEND);` to the file index.php
2. Click the re-run button
3. View the file /var/www/html/var/log/test.log. The URI has the URL that needs to be verified

bigking2024
Shopify Partner
1 0 1

I got this same problem. My PHP code is on the Laravel framework, with "Mandatory compliance webhooks" configured, for example https://www.xxx.com/shopify/shopRedact. Visiting https://www.xxx.com/shopify/shopRedact in the Chrome browser works fine, but running the automated webhook HMAC signature verification always reports an error. Then I opened index.php (in the Laravel framework directory, public/index.php) and used the following code, and it passes the automated signature verification. Hope it can help you.

 

PHP code:

```php
// Recompute the base64 HMAC-SHA256 of the raw body and compare in constant time.
function verify_webhook($data, $hmac_header)
{
    $CLIENT_SECRET = "your share secret";
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, $CLIENT_SECRET, true));
    return hash_equals($calculated_hmac, $hmac_header);
}

// Only requests that carry the Shopify HMAC header are handled here.
$hmac_header =  isset($_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256']) ? $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] : '';
if ($hmac_header != '') {
    // Raw request body, exactly as received
    $data = file_get_contents('php://input');

    $verified = verify_webhook($data, $hmac_header);

    if ($verified) {
        # Process webhook payload
        # ...

        http_response_code(200);
        exit;
    } else {
        http_response_code(401);
        exit;
    }
}
```

bloomxuniverse
Shopify Partner
1 0 0

I am facing the same issue. Did you get any solution? Please tell me.

 

throwaway-12
Shopify Partner
5 0 1

Validated this and still didn't pass the test. Anybody using shopify-api-js and figure this out?

hashcrypthash
Shopify Partner
3 0 0

Hi, below are the App URL and Allowed redirection URL(s) I've added:

App URL: https://laravel.***.io/
Allowed redirection URL(s): https://laravel.***.io/shopifyGenerateToken

When I click "Test on development store", I am able to install the app and am then redirected to the app page in admin.shopify.com.

Below is the HMAC verification code I've added in each compliance webhook function.

```php
<?php
// Client secret redacted; use your app's own value and keep it out of source control.
define('CLIENT_SECRET', 'your-client-secret');
function verify_webhook($data, $hmac_header)
{
  $calculated_hmac = base64_encode(hash_hmac('sha256', $data, CLIENT_SECRET, true));
  return hash_equals($calculated_hmac, $hmac_header);
}

// A missing header becomes an empty string, which fails verification.
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
// fopen() mode must be lowercase 'w'; 'W' is not a valid mode.
$rlog = fopen('response.json', 'w') or die('cant open file');
fwrite($rlog, $hmac_header);
fclose($rlog);
// Raw request body, exactly as received
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);
if ($verified) {
  $response = $data;
  $log = fopen('orders.json', 'w') or die('cant open file');
  fwrite($log, $response);
  fclose($log);
  http_response_code(200);
} else {
  http_response_code(401);
}
?>
```

When I create a webhook for the customer/delete topic through Postman and then delete the customer from the store, the customer/delete webhook is triggered and I get a 200 status code.

But when running the automated checks for webhooks, "Implement an HMAC signature to verify webhooks" is failing.

Please provide an appropriate solution for the same.

miguelcabgil
Shopify Partner
14 0 8

I could solve this issue adding a middleware for the root route (/) as this is my config url route. This is the code I used in the middleware to solve the issue and finally complete the tests for app submission.

So in case your App URL is https://your-url.example.com/ you need to configure the / route.

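```javascript
const crypto = require('crypto');

// Express-style middleware for the App URL route ("/").
// The function name is added here so the snippet is complete.
function verifyAppUrlHmac(req, res, next) {
  try {
    const query = req.query;
    const parameters = [];
    for (const key in query) {
      if (key != 'hmac') {
        parameters.push(key + '=' + query[key]);
      }
    }
    // Every parameter except hmac, sorted and joined with '&'
    const message = parameters.sort().join('&');

    const digest = crypto
      .createHmac('sha256', 'your-secret-here')
      .update(message)
      .digest('hex');

    // Compare in constant time; a length mismatch is a failure
    const expected = Buffer.from(digest, 'utf8');
    const received = Buffer.from(String(query.hmac || ''), 'utf8');
    if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
      return next();
    }
    res.sendStatus(401);
  } catch (e) {
    res.sendStatus(401);
  }
}
```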
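
Added example (not from any post in this thread and not Shopify's code): a local self-check for the two verifications discussed above, the `hmac` query parameter on the App URL and the `X-Shopify-Hmac-SHA256` header on webhooks, built the same way as the posted snippets. The function names, the secret and the sample query and body are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constant-time comparison that returns false (instead of throwing) on length mismatch.
function safeEqual(a, b) {
  const x = Buffer.from(String(a), 'utf8');
  const y = Buffer.from(String(b), 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// App URL / install redirect: hex HMAC-SHA256 over the sorted "key=value"
// pairs of the query string, with the `hmac` parameter itself left out.
function signQuery(params, secret) {
  const message = Object.keys(params)
    .filter((key) => key !== 'hmac')
    .map((key) => `${key}=${params[key]}`)
    .sort()
    .join('&');
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}
function verifyQuery(params, secret) {
  return typeof params.hmac === 'string' && safeEqual(signQuery(params, secret), params.hmac);
}

// Webhook: base64 HMAC-SHA256 over the raw request body, as received.
function signWebhook(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}
function verifyWebhook(rawBody, hmacHeader, secret) {
  return typeof hmacHeader === 'string' && safeEqual(signWebhook(rawBody, secret), hmacHeader);
}

// Constructed inputs (not captured traffic): sign locally, then verify good and bad cases.
function selfTest() {
  const secret = 'constructed-test-secret';
  const install = { shop: 'example.myshopify.com', timestamp: '1700000000' };
  install.hmac = signQuery(install, secret);
  const rawBody = '{"shop_id": 1, "shop_domain": "example.myshopify.com"}';
  const header = signWebhook(rawBody, secret);
  return {
    installValid: verifyQuery(install, secret),
    installTampered: verifyQuery({ ...install, shop: 'other.myshopify.com' }, secret),
    installMissingHmac: verifyQuery({ shop: install.shop }, secret),
    webhookValid: verifyWebhook(rawBody, header, secret),
    webhookReparsed: verifyWebhook(JSON.stringify(JSON.parse(rawBody)), header, secret),
    webhookMissingHeader: verifyWebhook(rawBody, undefined, secret),
  };
}
```

`webhookReparsed` comes out false because the HMAC covers the body bytes as received; a handler that verifies a parsed and re-encoded JSON body rejects genuine webhooks even with the right secret.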