Carrier Service Webhook Hmac validation failing in php

Carrier Service Webhook Hmac validation failing in php

jason90
Shopify Partner
15 2 2

Hi,

EDIT: I should have specified that this is specifically for the carrier service hook. The other webhooks and their hmac validation are working fine.

 

I have a shopify app using php 8.1 and symfony as a framework. For the various webhooks I make use of in the app, none of my calculated hmac headers are matching the expected hmac from the headers. Here's a sample of my code for validating webhooks:

 

 

 

// symfony sample code
// $this->secret refers to the app api secret key from the partners dashboard
$hmac = $event->getRequest()->headers->get('X-Shopify-Hmac-Sha256');
$content = $event->getRequest()->getContent();//webhook body as JSON
$calculatedHmac = base64_encode(hash_hmac('sha256', $content, $this->secret, true));

if($hmac != $calculatedHmac) {
    throw new HttpException(200, 'Invalid hash.');
}

 

 

 

Im following the guidelines as defined in the documentation here: https://shopify.dev/apps/webhooks/configuration/https#step-5-verify-the-webhook

 

I am going through some logs where we store the headers and request bodies for webhooks going through our app and that's what im using as samples. I am also using my production keys to try and replicate these requests as best as I can but I still can't validate the hmacs properly, everything request fails.

 

Did something change in the hmac validation process? As far as I can see, im doing everything by the book based on what the documentation is showing so im at a loss here as to why this isn't working.

 

Any help on this matter would be appreciated. Thank you.

Reply 1 (1)

Alan
Shopify Staff
129 15 25

Hey @jason90 - thanks for getting in touch. I was able to do a bit of looking into this for you on our end - this HMAC verification error mentioned above isn't expected, so I'd be happy to look into this further with you. This is definitely an odd error for sure.

 

Would you be able to share a webhook ID (the x-shopify-webhook-id)

from your logs related to one of the hooks that returned this specific error? This would allow us to search the logs on our end to see if we can find any extra information about the webhook subscription in general and to see what could be triggering the validation failure. 

 

Let me know if I can clarify anything here on our end - hope to hear from you soon so we can look into this further. 

 

Cheers!

Alan | API Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog