Automated webhook check failing on HMAC verification for mandatory webhooks

gpkcaminha
Shopify Partner
2 0 0

I believe I have configured my mandatory webhooks correctly. But the automated webhook HMAC signature verification which is done when submitting an app for the store listing review keeps failing for me.

 

I have verified that the webhook works as expected in two ways:

1- When I install my app in a test store, and uninstall it, after around 2 days I get a call to my webhook for data removal, as expected. It is processed normally and returns a 200 as documented.

2- If I call the webhook e.g. using cURL with an invalid payload containing a wrong signature, I get a 401 as expected.

3- I can see my webserver logs for both cases.

 

However, when running the automated shopify verification, I can't see any logs. It simply fails after a 5-15mins with no specific error or anything. So I can't really troubleshoot what's going on, as it doesn't seem that Shopify is actually calling my webhooks with any data. How exactly is this verification being done then?

Screenshot 2024-03-14 at 15.52.01.png

Replies 5 (5)

daoduc
Shopify Partner
1 0 0

I have the same issue.

Have you any new information?

gpkcaminha
Shopify Partner
2 0 0

Yes, turns out the "webhook verifier" not only verifies webhooks, but also verifies the installation page. You need to implement HMAC validation there too. And also on the "open app" page even though that one wasn't checked by the "webhook verifier", but probably will in the future. That one has an extra query parameter `session` that isn't documented anywhere I could find...

Cober
Shopify Partner
1 0 0

How can i do it? Can you help me?

 

lvjun
Shopify Partner
4 0 0

i have the same problem ,how to solve?

lvjun
Shopify Partner
4 0 0

installation page?where is?