Hey there,
I’m building a Shopify public app and I’m having trouble with the HMAC verification process. Despite using the Shopify Secret from the Dashboard of my app at partners.shopify.com, I can’t get the computed HMAC and the received HMAC to match. This always results in a failed verification.
I’ve tried various combinations, but nothing seems to work—they never match. There might be something I’m missing. I hope someone here has a solution.
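Code snippet:

```python
import base64
import hashlib
import hmac

# FastAPI is assumed from the decorator and the names used in the snippet.
from fastapi import HTTPException, Request, Response
from starlette.status import HTTP_200_OK, HTTP_401_UNAUTHORIZED, HTTP_500_INTERNAL_SERVER_ERROR

# `app` and SHOPIFY_SECRET (a str) are defined elsewhere in the application.


def verify_webhook(data, hmac_header):
    # HMAC-SHA256 over the raw request body, base64-encoded like the header value
    digest = hmac.new(SHOPIFY_SECRET.encode('utf-8'), data, digestmod=hashlib.sha256).digest()
    computed_hmac = base64.b64encode(digest)
    # Constant-time comparison of the two base64 strings
    return hmac.compare_digest(computed_hmac, hmac_header.encode('utf-8'))


@app.post('/webhook/customer/data_request')
async def customer_data_request_webhook(request: Request):
    try:
        data = await request.body()  # raw bytes, not parsed JSON
        print('DATAAAAAAA', data)
        hmac_header = request.headers.get('X-Shopify-Hmac-SHA256')
        verified = verify_webhook(data, hmac_header)
        if not verified:
            raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="HMAC verification failed")
        return Response(status_code=HTTP_200_OK)
    except HTTPException:
        # Let the 401 propagate instead of being turned into a 500 below
        raise
    except Exception as e:
        print("Error processing customer data request webhook:")
        print(e)
        return Response(status_code=HTTP_500_INTERNAL_SERVER_ERROR)
```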
By the way, here are some logs.
DATA b'{"shop_id":60225617942,"shop_domain":"app-security.myshopify.com"}'
HEADER {'host': 'unanimityaiapp-1.onrender.com', 'user-agent': 'Ruby', 'content-length': '66', 'accept': '*/*', 'accept-encoding': 'gzip', 'cdn-loop': 'cloudflare; subreqs=1', 'cf-connecting-ip': '34.23.252.48', 'cf-ew-via': '15', 'cf-ipcountry': 'US', 'cf-ray': '88f83610910badb0-ATL', 'cf-visitor': '{"scheme":"https"}', 'cf-worker': 'onrender.com', 'content-type': 'application/json', 'render-proxy-ttl': '4', 'rndr-id': '4e79bfd2-668d-4233', 'traceparent': '00-61fe6df471212a349f78bfef3aeb53bb-b94c865665aa5ace-01', 'true-client-ip': '34.23.252.48', 'x-cloud-trace-context': '61fe6df471212a349f78bfef3aeb53bb/13352194700877650638;o=1', 'x-forwarded-for': '34.23.252.48, 10.216.35.99', 'x-forwarded-proto': 'https', 'x-request-start': '1717674903202354', 'x-shopify-api-version': '2022-10', 'x-shopify-hmac-sha256': '4Apq2emHXH+wFrY3yTP9u+XUAMrb/pOl/HE0OMmqf1E=', 'x-shopify-shop-domain': 'app-security.myshopify.com', 'x-shopify-test': 'true', 'x-shopify-topic': 'shop/redact', 'x-shopify-trace-context': '61fe6df471212a349f78bfef3aeb53bb/13352194700877650638;o=1', 'x-shopify-trace-hint': 'true', 'x-shopify-triggered-at': '2024-06-06T11:55:03.059362171Z', 'x-shopify-webhook-id': '3c7cc95f-e354-46f4-87b4-8da946b988df'}
HMAC HEADER 4Apq2emHXH+wFrY3yTP9u+XUAMrb/pOl/HE0OMmqf1E=
SECRET: b'***********************'
DATA (raw): b'{"shop_id":60225617942,"shop_domain":"app-security.myshopify.com"}'
DIGEST (binary): b':\x00\xe2\x01\xf5\x88\x8c\xfb,H\\\x88\x9a\xe6\xd7\xaa\x13\x18M\xd2\xcdY\x00\x16L\x12\xda\xbf-\x88N\x16'
COMPUTED HMAC (base64): OgDiAfWIjPssSFyImubXqhMYTdLNWQAWTBLavy2IThY=
RECEIVED HMAC (header): 4Apq2emHXH+wFrY3yTP9u+XUAMrb/pOl/HE0OMmqf1E=
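An added example, not part of the original post: a stand-alone harness for checking this kind of verification offline. The header value is the base64 HMAC-SHA256 of the raw request bytes keyed with the app's secret, so a match requires both inputs to be byte-identical to what the sender signed. The names `sign`, `verify`, `diagnose` and the sample secret and body are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def sign(secret: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form carried in X-Shopify-Hmac-SHA256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(secret: str, raw_body: bytes, header_value) -> bool:
    """Constant-time comparison; a missing header counts as a failed verification."""
    if not header_value:
        return False
    expected = sign(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("utf-8"))


def diagnose(secret: str, raw_body: bytes, header_value: str) -> str:
    """Name the first common input mistake that explains a mismatch, if any."""
    if verify(secret, raw_body, header_value):
        return "ok"
    # A secret read from a file or env var may carry a trailing newline or spaces.
    if verify(secret.strip(), raw_body, header_value):
        return "secret has surrounding whitespace"
    # Parsing and re-dumping JSON changes the bytes (spacing), so the MAC changes too.
    try:
        compact = json.dumps(json.loads(raw_body), separators=(",", ":")).encode()
    except ValueError:
        compact = None
    if compact is not None and compact != raw_body and verify(secret, compact, header_value):
        return "body was re-serialized before hashing"
    return "no match: secret or body bytes differ from what the sender signed"


# Constructed sample: body shaped like the one in the logs, secret made up.
SAMPLE_SECRET = "constructed-example-secret"
SAMPLE_BODY = b'{"shop_id":1,"shop_domain":"example.myshopify.com"}'
SAMPLE_HEADER = sign(SAMPLE_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print(diagnose(SAMPLE_SECRET + "\n", SAMPLE_BODY, SAMPLE_HEADER))
```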