Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
I need to pass a username and password for authentication to my destination address, which will be hit when the webhook is triggered. How do I pass the username and password as headers to the destination address? Also, I need to know the usage of fields in the webhook payload, and when and where it will be used.
Any solutions regarding this issue are welcome!
Thanks in advance!
This is an accepted solution.
As @SBD_ said, the webhook already comes with a good way to verify its origin. I have a little function here for you, so you can verify it easily using PHP.
The HMAC ($hmac) comes through this header: "X-Shopify-Hmac-SHA256".
The shared secret ($shared_secret) is your app's secret key.
$data is the raw input stream (you could get it through file_get_contents("php://input"), for example).
So this is the function:
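    function hashHMAC($hmac, $data, $shared_secret) {
        // The header value is base64; convert it to hex to match hash_hmac()'s default output.
        $hmac = bin2hex(base64_decode($hmac));
        $computed_hmac = hash_hmac('sha256', $data, $shared_secret);
        // Constant-time comparison; the known (computed) value goes first.
        return hash_equals($computed_hmac, $hmac);
    }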
So, if it returns TRUE it's from Shopify, otherwise nope.
I hope that helps you.
Hey @sangeetha_logu,
Which credentials are you referring to? Could you store them on the server that's listening for webhooks? If you're just trying to verify the webhook originated from Shopify, here's how you can do that.
"and also i need the usage of fields in web hook payload and when & where it will be used"
By specifying fields, you can reduce the size of the payload. E.g. "when a product is updated, only send me the product title". More info here.
Scott | Developer Advocate @ Shopify
Thanks @angeloghiotto. Can you provide a solution without using PHP, since I am not going to use any controllers?
It is a simple function; it can be used as pure PHP and does not require any architectural pattern or framework.
Anyway, you can check out the functions on the official PHP website and "translate" them to your current language if you are not using PHP. Also, @SBD_ linked "how to do the verify", which has a Ruby implementation that can also help you figure it out in the programming language you are using.
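The same check outside PHP, as an added example that is not part of the thread and not Shopify's own code: a Python version that works on the raw body bytes, rejects a missing or malformed header, and compares in constant time. The secret, the payload and the names `verify_webhook`, `sign_for_demo` and `demo` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

HEADER = "X-Shopify-Hmac-SHA256"  # header name given in the thread


def verify_webhook(headers, raw_body, shared_secret):
    """True only if the header carries a valid HMAC-SHA256 of raw_body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    if not received:
        return False  # missing header: reject
    try:
        received_digest = base64.b64decode(received, validate=True)
    except ValueError:
        return False  # header is not valid base64
    expected = hmac.new(shared_secret.encode(), raw_body, hashlib.sha256).digest()
    # Constant-time comparison, the counterpart of PHP's hash_equals().
    return hmac.compare_digest(expected, received_digest)


def sign_for_demo(raw_body, shared_secret):
    """Build the header value a sender would attach (used for the demo only)."""
    digest = hmac.new(shared_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def demo():
    secret = "constructed-app-secret"                   # constructed value
    body = b'{"id":1,"title":"Example product"}'        # constructed payload
    headers = {"x-shopify-hmac-sha256": sign_for_demo(body, secret)}
    # Parsing and re-encoding changes the bytes, so the HMAC no longer matches.
    reencoded = json.dumps(json.loads(body)).encode()
    return {
        "raw_body": verify_webhook(headers, body, secret),
        "reencoded_body": verify_webhook(headers, reencoded, secret),
        "tampered_body": verify_webhook(headers, body.replace(b"1", b"2"), secret),
        "missing_header": verify_webhook({}, body, secret),
        "bad_base64": verify_webhook({HEADER: "not base64!"}, body, secret),
        "wrong_secret": verify_webhook(headers, body, "other-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the untouched raw body is accepted; the re-encoded case shows why the HMAC has to be computed before any JSON parsing.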