Error Verify Webhooks In Node.js - AWS Lambda

Luis45
New Member
6 0 0

Hi, I have the following issue:


App must verify the authenticity of the request from Shopify.

Expected HTTP 401 (Unauthorized), but got HTTP 403 from https://******** Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest. Learn more about verifying a webhook
 
 
The code I am using is:

 

 

var CryptoJS = require("crypto-js");

exports.handler = async (event) => {

    const { webhook_verify_hash } = process.env;
//get the header with validation hash from webhook
    const hmac = event.headers ? 
        event.headers['X-Shopify-Hmac-Sha256'] || event.headers['x-shopify-hmac-sha256']
        : "";
        
    
    var statusCode = 400;
    
    let firma = CryptoJS.HmacSHA256(event.body, "shpss_*******");
    let calculatedHmac = firma.toString(CryptoJS.enc.hex);

    if (hmac == calculatedHmac) {
        console.log("se va a obtener el token");
        statusCode = 200
    } else {
         console.log("no obtiene el token");
         statusCode = 400
    }

    const response = {
        statusCode: statusCode
    };
    return response;
};

 

 

* How can I test the mandatory webhooks and verify the response that I receive?

Replies 3 (3)
Luis45
New Member
6 0 0

To verify the HMAC, I also used:

 

exports.handler = async (event, context) => {
    let hmac = event.hmac;
   
    const bodyString2 = Buffer.from(event.body, "utf8").toString();
    var bodyForVerification = bodyString2.replace('/\\/g', '\\\\');

    let firma3 = CryptoJS.HmacSHA256(bodyForVerification, "****");
    var hashInBase643 = CryptoJS.enc.Base64.stringify(firma3);
    let calculatedHmacBase3 = hashInBase643.toString(CryptoJS.enc.hex);
    if (hmac == calculatedHmacBase3) {
        console.log("verificado");
    }
};

But still the HMAC is different, HELP!!!

cdarne
Shopify Staff
30 5 14

Hey Luis45,

 

The problem could come from several origins:

- the request body should not be changed

- the request body must be read using the utf8 encoding

- when you create the HMAC signature, the result must then be encoded in base64

 

I'm not a Node.js specialist, but a common pattern I see in Node apps checking webhooks is using the 'crypto' package like this:

const generatedHash = crypto.createHmac('sha256', API_SECRET_KEY)
    .update(reqBody, 'utf8')
    .digest('base64');

Also, if you don't know it already, there's an npm package for the Shopify API and related code: https://github.com/Shopify/shopify-node-api.

There are event helpers to help deal with webhooks: https://github.com/Shopify/shopify-node-api/blob/main/docs/usage/webhooks.md#webhook-processing

 

I hope this helps you!

 

Cheers,

 

Cedric | Developer @ Shopify


Luis45
New Member
6 0 0

Hi @cdarne, I'm using the 'crypto-js' package and this doesn't have the function "createHmac". I searched for the 'crypto' module but I did not find it. I need the module to upload it to AWS Lambda.