HMACs different between manually-generated and API-generated webhooks

Daniel71

When I create a webhook using the UI, I am able to receive and validate the webhook using the hmac. However, the same isn't working for webhooks I create using the API. Using a very simple webhook (collections/delete), I was able to demonstrate that the hmacs being generated by the two webhooks - both firing off the same event - are different. Here are the requests:

Manually created:

POST /api/webhook/shopify HTTP/1.1
Content-Type: application/json
X-Shopify-Topic: collections/delete
X-Shopify-Shop-Domain: mysite.myshopify.com
X-Shopify-Collection-Id: 84385726550
X-Shopify-Hmac-Sha256: nEGA/M31XeT24ZQy/zKylj2cmfamlUMO+Xm1uZ2odNs=
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Content-Length: 42
Connection: close
Host: mysite.ngrok.io
X-Forwarded-Proto: https
X-Forwarded-For: 35.226.161.123

{"id":84385726550,"published_scope":"web"}

Created through API:
POST /api/webhook/shopify HTTP/1.1
Host: mysite.ngrok.io
User-Agent: Shopify-Captain-Hook
Content-Length: 42
Accept: */*
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Content-Type: application/json
X-Shopify-Collection-Id: 84385726550
X-Shopify-Hmac-Sha256: Qi2OOF3ZoHRWEvhUsCzrsvvmbzYksQhTYAN9itZMZsM=
X-Shopify-Shop-Domain: mysite.myshopify.com
X-Shopify-Topic: collections/delete
Connection: close
X-Forwarded-Proto: https
X-Forwarded-For: 35.237.40.160

{"id":84385726550,"published_scope":"web"}

Any ideas on why these two hmacs would be different? My first thought was that maybe the API-generated webhooks had a different signing key, but I haven't found a reference to this.
Any ideas on what might be going wrong?

 

Accepted Solution (1)

Daniel71


Arg, so, this is solved. Here's the relevant section from the documentation:
Webhooks created through the API by a Shopify App are verified by calculating a digital signature. Each webhook request includes a base64-encoded X-Shopify-Hmac-SHA256 header, which is generated using the app's shared secret along with the data sent in the request.


So indeed, it's a different signing key.
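The following is an added example, not code from the post or from Shopify's own libraries, showing the verification the thread is about: X-Shopify-Hmac-Sha256 is Base64(HMAC-SHA256(secret, raw body)), and the same 42-byte body from the post produces two different digests under two different secrets. The two secret strings are constructed placeholders (a UI-created webhook is checked against the signing secret the admin shows, an API-created one against the app's shared secret); the verifier is keyed by which secret it expects for the endpoint, compares in constant time, and works on the raw bytes, because re-serialising the JSON changes the bytes and breaks the check.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed placeholder secrets (not real values, not from the original post).
UI_WEBHOOK_SECRET = "example-ui-webhook-signing-secret"   # assumed: secret shown in the admin for manually created webhooks
APP_SHARED_SECRET = "example-app-shared-secret"            # assumed: the app's shared secret, used for API-created webhooks

# The body exactly as it arrived in the captured requests (Content-Length: 42).
SAMPLE_BODY = b'{"id":84385726550,"published_scope":"web"}'


def compute_hmac(secret: str, raw_body: bytes) -> str:
    """Return Base64(HMAC-SHA256(secret, raw_body)), the form carried in X-Shopify-Hmac-Sha256."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def presented_hmac(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive header lookup; proxies and frameworks normalise header names differently."""
    for name, value in headers.items():
        if name.lower() == "x-shopify-hmac-sha256":
            return value
    return None


def verify_webhook(headers: Dict[str, str], raw_body: bytes, secrets: Dict[str, str]) -> Optional[str]:
    """Verify the signature against each candidate secret and return the label of the one that
    matched ("ui" or "app" below), or None if the header is missing or nothing validates.

    hmac.compare_digest avoids leaking the position of the first mismatching byte through timing.
    """
    presented = presented_hmac(headers)
    if presented is None:
        return None
    for label, secret in secrets.items():
        expected = compute_hmac(secret, raw_body)
        if hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii")):
            return label
    return None


def reserialised(raw_body: bytes) -> bytes:
    """What a handler gets if it parses the JSON and dumps it again: different bytes, different HMAC."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    secrets = {"ui": UI_WEBHOOK_SECRET, "app": APP_SHARED_SECRET}
    # The same body signed with two different secrets yields two different headers,
    # which is exactly what the two captured requests in the post show.
    print("ui  :", compute_hmac(UI_WEBHOOK_SECRET, SAMPLE_BODY))
    print("app :", compute_hmac(APP_SHARED_SECRET, SAMPLE_BODY))
    api_headers = {"X-Shopify-Hmac-Sha256": compute_hmac(APP_SHARED_SECRET, SAMPLE_BODY)}
    print("verified as:", verify_webhook(api_headers, SAMPLE_BODY, secrets))
    print("raw bytes:  ", SAMPLE_BODY)
    print("re-dumped:  ", reserialised(SAMPLE_BODY))
```

In a real handler you would know which secret the endpoint is supposed to be validated with and pass only that one; the dictionary form above is just to make the two-key situation from the thread visible. The signature must be computed over the request body bytes before any JSON parsing, and a failed check should be logged with the topic and shop domain and the request rejected.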