Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Error Verify Webhooks In Node.js - AWS Lambda

Error Verify Webhooks In Node.js - AWS Lambda

Luis45
New Member
6 0 0

Hi, I have the following issue:


App must verify the authenticity of the request from Shopify.

Expected HTTP 401 (Unauthorized), but got HTTP 403 from https://******** Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest. Learn more about verifying a webhook
 
 
the code i am using is:

 

 

var CryptoJS = require("crypto-js");

exports.handler = async (event) => {

    const { webhook_verify_hash } = process.env;
//get the header with validation hash from webhook
    const hmac = event.headers ? 
        event.headers['X-Shopify-Hmac-Sha256'] || event.headers['x-shopify-hmac-sha256']
        : "";
        
    
    var statusCode = 400;
    
    let firma = CryptoJS.HmacSHA256(event.body, "shpss_*******");
    let calculatedHmac = firma.toString(CryptoJS.enc.hex);

    if (hmac == calculatedHmac) {
        console.log("se va a obtener el token");
        statusCode = 200
    } else {
         console.log("no obtiene el token");
         statusCode = 400
    }

    const response = {
        statusCode: statusCode
    };
    return response;
};

 

 

* How can I test the mandatory webhooks and verify the response that I receive?

Replies 3 (3)

Luis45
New Member
6 0 0

to verify Hmac also used: 

 

exports.handler = async (event, context) => {
    let hmac = event.hmac;
   
    const bodyString2 = Buffer.from(event.body, "utf8").toString();
    var bodyForVerification = bodyString2.replace('/\\/g', '\\\\');

    let firma3 = CryptoJS.HmacSHA256(bodyForVerification, "****");
    var hashInBase643 = CryptoJS.enc.Base64.stringify(firma3);
    let calculatedHmacBase3 = hashInBase643.toString(CryptoJS.enc.hex);
    if(hmac == calculatedHmacBase3 {
    console.log("verificado");    
}
};

 but still the Hmac is different, HELP!!!

cdarne
Shopify Staff
30 5 14

Hey Luis45,

 

The problem could come several origins:

- the request body should not be changed

- the request body must be read using the utf8 encoding

- when you create the HMAC signature, the result must then be encoded in base64

 

I'm not a node.js specialist, but a common pattern I see in node app checking webhook is using the 'crypto' package like this:

const generatedHash = crypto.createHmac('sha256', API_SECRET_KEY)
    .update(reqBody, 'utf8')
    .digest('base64');

Also if you don't know it already, there's a npm package for shopify api and related code: https://github.com/Shopify/shopify-node-api.

There are event helpers to help deal with webhooks: https://github.com/Shopify/shopify-node-api/blob/main/docs/usage/webhooks.md#webhook-processing

 

I hope this helps you!

 

Cheers,

 

Cedric | Developer @ Shopify

To learn more visit the Shopify Help Center or the Community Blog.

Luis45
New Member
6 0 0

Hi  @cdarne ,  I'm using  the 'crypto-js' package and this  doesn't have the func "createHmac".  Search the module "'crypto" but I did not find it.  I need the module to upload it to the aws lambda