Hello,
I am trying to submit an app for the App Review process but I am getting the issue "Implement an HMAC signature to verify webhooks" regarding the HMAC signature. See the screenshot below.
I have read the documentation and implemented the logic to verify the webhook.
See the screenshot below.
I am using the Shopify Express CLI.
Not sure what I am doing wrong. Can anyone help me out with this issue?
Thank You.
I'd like to second having an issue with this for my submission.
I have the HMAC signature within my webhooks required by Shopify. Not sure if I need a separate webhook independent that doesn't listen for the specific requests Shopify requires.
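```python
import base64
import hashlib
import hmac
import logging

from fastapi import HTTPException, Request

# `router`, SHOPIFY_WEBHOOK_SECRET and ShopifyCustomerDataRequest_Hook are defined elsewhere in the app.

@router.post("/shopify/customers/data-request")
async def handle_customer_data_request(request: Request, payload: ShopifyCustomerDataRequest_Hook):
    hmac_header = request.headers.get("X-Shopify-Hmac-SHA256")
    if not hmac_header:
        raise HTTPException(status_code=400, detail="HMAC header missing")
    # Compute the HMAC over the raw request bytes, not the parsed payload.
    webhook_data = await request.body()
    calculated_hmac = base64.b64encode(
        hmac.new(
            SHOPIFY_WEBHOOK_SECRET.encode("utf-8"),
            webhook_data,
            hashlib.sha256,
        ).digest()
    ).decode("utf-8")
    # Constant-time comparison of the two base64 digests.
    if not hmac.compare_digest(calculated_hmac, hmac_header):
        raise HTTPException(status_code=401, detail="HMAC verification failed")
    logging.info(f"Received customer data request: {payload}")
```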
Hello, I was getting the same problem as you.
To solve this, I used the following code in my server file. Hope this helps 🙂
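```js
import crypto from "crypto";

// `app`, `shopify` and `GDPRWebhookHandlers` are defined elsewhere in the server file.

// Middleware to verify all webhook calls from Shopify
async function verifyShopifyWebhooks(req, res, next) {
  // Webhook requests carry the base64 signature in this header, not in the query string.
  const hmac = req.get("X-Shopify-Hmac-SHA256");
  if (!hmac) {
    return res.status(401).send("Webhook must originate from Shopify!");
  }
  // Note: this hashes the re-serialized body, which matches only when it is
  // byte-identical to the body that was sent.
  const genHash = crypto
    .createHmac("sha256", process.env.SHOPIFY_API_SECRET)
    .update(JSON.stringify(req.body))
    .digest("base64");
  // Constant-time comparison; timingSafeEqual requires buffers of equal length.
  const expected = Buffer.from(genHash);
  const received = Buffer.from(hmac);
  if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
    return res.status(401).send("Couldn't verify incoming Webhook request!");
  }
  next();
}
app.use(verifyShopifyWebhooks);
app.post(
  shopify.config.webhooks.path,
  shopify.processWebhooks({ webhookHandlers: GDPRWebhookHandlers })
);
```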
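Added example, not part of any post in this thread: a standalone Python check of the `X-Shopify-Hmac-SHA256` value that both snippets above compute, showing that the signature only verifies against the raw request bytes and not against a parsed and re-serialized body. The secret, the sample body and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = "constructed-secret-for-example"  # constructed value, not a real key
# Constructed sample body. The escaped "\/" and the compact separators are
# details that a parse + re-serialize round trip does not preserve.
RAW_BODY = b'{"shop_domain":"example.myshopify.com","url":"https:\\/\\/example.com\\/a"}'


def sign(secret: str, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 over the exact request bytes."""
    mac = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(secret: str, raw_body: bytes, headers: dict) -> int:
    """Return the HTTP status to send: 200 if the signature matches, else 401."""
    received = next(
        (v for k, v in headers.items() if k.lower() == "x-shopify-hmac-sha256"),
        None,
    )
    if not received:
        return 401
    expected = sign(secret, raw_body)
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        return 401
    return 200


def reserialize(raw_body: bytes) -> bytes:
    """What a handler ends up hashing if it signs the parsed body instead."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    headers = {"X-Shopify-Hmac-SHA256": sign(SECRET, RAW_BODY)}
    print("raw bytes:     ", verify(SECRET, RAW_BODY, headers))
    print("re-serialized: ", verify(SECRET, reserialize(RAW_BODY), headers))
    print("missing header:", verify(SECRET, RAW_BODY, {}))
```

The re-serialized body parses to the same JSON as the raw one but differs byte for byte, so its HMAC no longer matches the header.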
I don't think this is your issue, since your TLS is set up, but for others experiencing issues... what ended up working for me was confirming the SSL chain on my server. Originally my SSL certificate was just my cert.pem. When I updated it to fullchain.pem - the TLS passed as well as the HMAC handshake.