Hi,
I am trying to integrate webhook validation flow found here :
https://shopify.dev/apps/webhooks/configuration/https#:~:text=To%20verify%20that%20the%20request%20c...
but the hmac that i calculate is not matching with the hamc sent in header, i have few questions regarding that, our app is PUBLIC app. Please help us with these questions:
1 - The secret key that I am using is the API secret key that we got prom out public apps dashboard, it looks something like this `cf188XXXXXXXXXXXXXXXXXXX7`, should i use this key or some other key.
2- As i can see from the documentation that the secret is not encoded(python example), but we need to encode the secret otherwise it throws a error that `a byte or bytearray objcet is expected`.
3- The data that we need to send is the whole body including the headers and all, or only some part of the body should be sent.
4 - Below is our code implementation (This is always returning 401 unauthorized):
import base64
import hashlib
import hmac
def verify_webhook_1(data, hmac_header, SECRET):
digest = hmac.new(SECRET.encode('utf-8'), data.encode('utf-8'), hashlib.sha256).digest()
computed_hmac = base64.b64encode(digest)
return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))
try:
if not verify_webhook_1(msg.body, shopify_headers['x-shopify-hmac-sha256'],
env('SHOPIFY_HMAC_SECRET')):
raise AuthenticationFailed()
except Exception as ex:
pass
Shopify Discussion
Partners and Developers