Hi, I have the following issue:
App must verify the authenticity of the request from Shopify. Expected HTTP 401 (Unauthorized), but got HTTP 403 from https://******** Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest. Learn more about verifying a webhook
var CryptoJS = require("crypto-js");

exports.handler = async (event) => {
    const { webhook_verify_hash } = process.env;
    //get the header with validation hash from webhook
    const hmac = event.headers ?
        event.headers['X-Shopify-Hmac-Sha256'] || event.headers['x-shopify-hmac-sha256']
        : "";
    var statusCode = 400;
    let firma = CryptoJS.HmacSHA256(event.body, "shpss_*******");
    let calculatedHmac = firma.toString(CryptoJS.enc.hex);
    if (hmac == calculatedHmac) {
        console.log("se va a obtener el token");
        statusCode = 200
    } else {
        console.log("no obtiene el token");
        statusCode = 400
    }
    const response = {
        statusCode: statusCode
    };
    return response;
};
* How can I test the mandatory webhooks and verify the response that I receive?
To verify the HMAC I also used:
exports.handler = async (event, context) => {
    let hmac = event.hmac;
    const bodyString2 = Buffer.from(event.body, "utf8").toString();
    var bodyForVerification = bodyString2.replace('/\\/g', '\\\\');
    let firma3 = CryptoJS.HmacSHA256(bodyForVerification, "****");
    var hashInBase643 = CryptoJS.enc.Base64.stringify(firma3);
    let calculatedHmacBase3 = hashInBase643.toString(CryptoJS.enc.hex);
    if (hmac == calculatedHmacBase3) {
        console.log("verificado");
    }
};
but still the Hmac is different, HELP!!!
Hey Luis45,
The problem could come from several origins:
- the request body should not be changed
- the request body must be read using the utf8 encoding
- when you create the HMAC signature, the result must then be encoded in base64
I'm not a node.js specialist, but a common pattern I see in node app checking webhook is using the 'crypto' package like this:
const crypto = require('crypto'); // Node.js built-in module

const generatedHash = crypto.createHmac('sha256', API_SECRET_KEY)
    .update(reqBody, 'utf8')
    .digest('base64');
Also if you don't know it already, there's an npm package for shopify api and related code: https://github.com/Shopify/shopify-node-api.
There are event helpers to help deal with webhooks: https://github.com/Shopify/shopify-node-api/blob/main/docs/usage/webhooks.md#webhook-processing
I hope this helps you!
Cheers,
Cedric | Developer @ Shopify
To learn more visit the Shopify Help Center or the Community Blog.
Hi @cdarne, I'm using the 'crypto-js' package and this doesn't have the func "createHmac". I searched for the 'crypto' module but I did not find it. I need the module to upload it to AWS Lambda.
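
The three points from the reply above (unmodified body, UTF-8, base64 digest) combined with the 401 requirement from the app check, as an added example that is not code from either poster or from Shopify. Node.js ships `crypto` as a built-in module, so `require("crypto")` needs no package upload to Lambda; the API Gateway proxy event shape (`isBase64Encoded`) and the `SHOPIFY_API_SECRET` variable name are assumptions.

```javascript
// Added example (not code from the thread). Only Node.js's built-in "crypto"
// module is used, so nothing extra has to be bundled for AWS Lambda.
const crypto = require("crypto");

// Return the exact bytes that were signed. Assumption: an API Gateway proxy
// event, where isBase64Encoded marks a body that arrived base64-wrapped.
function rawBody(event) {
  return Buffer.from(event.body || "", event.isBase64Encoded ? "base64" : "utf8");
}

// Header names can arrive in any case, so look them up case-insensitively.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]) : "";
}

function isValidShopifyHmac(event, secret) {
  const received = Buffer.from(getHeader(event.headers, "x-shopify-hmac-sha256"), "base64");
  const expected = crypto.createHmac("sha256", secret).update(rawBody(event)).digest();
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// 401 for a missing or invalid digest, as the app check quoted above expects.
function respond(event, secret) {
  if (!secret || !isValidShopifyHmac(event, secret)) {
    return { statusCode: 401, body: "Unauthorized" };
  }
  // Only after this point is it safe to JSON.parse the body and act on it.
  return { statusCode: 200, body: "OK" };
}

// SHOPIFY_API_SECRET is a hypothetical environment variable name.
exports.handler = async (event) => respond(event, process.env.SHOPIFY_API_SECRET);

// Constructed sample: sign a made-up payload, then replay it intact and tampered.
function demo() {
  const secret = "constructed-secret";
  const body = '{"shop_domain":"example.myshopify.com"}';
  const sig = crypto.createHmac("sha256", secret).update(body, "utf8").digest("base64");
  const headers = { "X-Shopify-Hmac-Sha256": sig };
  return [
    respond({ headers, body }, secret).statusCode,
    respond({ headers, body: body + " " }, secret).statusCode,
  ];
}
```

Comparing the decoded digest bytes with `crypto.timingSafeEqual` avoids the string `==` comparison, and any re-serialising or escaping of the body before hashing will change the digest.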