Fail to verify HMAC x-shopify-hmac-sha256 header in C# .NET 8 Azure Functions

CSmithCTS · ‎10-18-2024

I have created a webhook in the Shopify Admin under notification settings that calls an endpoint to my Azure Functions application. I am using C# .NET 8 and I'm attempted to verify the webhook using the provided HMAC x-shopify-hmac-sha256 header.

private async Task<bool> ValidateHash(
    StringValues hmacHeader,
    Task<string> requestBodyReader,
    ILogger logger)
{
    var apiKey = Environment.GetEnvironmentVariable("secret");
    if (apiKey is null)
    {
        logger.LogError(1, "secret not defined");
        return false;
    }

    var keyBytes = Encoding.UTF8.GetBytes(apiKey);
    var data = await requestBodyReader.ConfigureAwait(false);
    var dataBytes = Encoding.UTF8.GetBytes(data);

    HMACSHA256 hmac = new(keyBytes);
    var hmacBytes = hmac.ComputeHash(dataBytes);

    string createSignature = Convert.ToBase64String(hmacBytes);
    return hmacHeader == createSignature;
}

I am using the secret provided on the webhooks page in the Shopify Admin notification settings. No matter what I do, the values are not matching.

CSmithCTS · ‎10-21-2024

Issue resolved, was testing through a localhost tunnel and I believe this was causing issues with verification due to a difference in http/https, when deployed to production there are no issues.

View solution in original post

CSmithCTS · ‎10-21-2024

Issue resolved, was testing through a localhost tunnel and I believe this was causing issues with verification due to a difference in http/https, when deployed to production there are no issues.