Implement an HMAC signature to verify webhooks Issue

hussaintaha
Shopify Partner
1 0 1

Hello,

I am trying to submit an app for the App Review process but I am getting the issue "Implement an HMAC signature to verify webhooks" regarding the HMAC signature. See the screenshot below.



Screenshot from 2024-04-04 17-52-14.png


I have read the documentation and implemented the logic to verify the webhook.
See the screenshot below.
I am using the Shopify Express CLI.
 

Screenshot from 2024-04-04 18-03-56.png


Not sure what I am doing wrong. Can anyone help me out with this issue?

Thank You.

Replies 3 (3)

supplyq
Shopify Partner
4 0 1

I'd like to second having an issue with this for my submission.  

 

I have the HMAC signature within my webhooks required by Shopify.  Not sure if I need a separate webhook independent that doesn't listen for the specific requests Shopify requires.

 

@router.post("/shopify/customers/data-request")
async def handle_customer_data_request(request: Request, payload: ShopifyCustomerDataRequest_Hook):
    hmac_header = request.headers.get("X-Shopify-Hmac-SHA256")
    if not hmac_header:
        raise HTTPException(status_code=400, detail="HMAC header missing")

    webhook_data = await request.body()
    calculated_hmac = base64.b64encode(
        hmac.new(
            SHOPIFY_WEBHOOK_SECRET.encode("utf-8"),
            webhook_data,
            hashlib.sha256,
        ).digest()
    ).decode("utf-8")

    if not hmac.compare_digest(calculated_hmac, hmac_header):
        raise HTTPException(status_code=401, detail="HMAC verification failed")

    logging.info(f"Received customer data request: {payload}")

somin
Shopify Partner
7 0 0

Hello, I was getting the same problem like you. 

to solve this i've used followed code in my server file. Hope this helps 🙂

// Middleware to verify all webhooks call from Shopify
async function verifyShopifyWebhooks(req, res, next) {
  const hmac = req.query.hmac;

  if (!hmac) {
    return res.status(401).send("Webhook must originate from Shopify!");
  }

  const genHash = crypto
    .createHmac("sha256", process.env.SHOPIFY_API_SECRET)
    .update(JSON.stringify(req.body))
    .digest("base64");

  if (genHash !== hmac) {
    return res.status(401).send("Couldn't verify incoming Webhook request!");
  }

  next();
}
app.use(verifyShopifyWebhooks);

app.post(
  shopify.config.webhooks.path,
  shopify.processWebhooks({ webhookHandlers: GDPRWebhookHandlers })
);

 

Somin Parate

supplyq
Shopify Partner
4 0 1

I don't think this is your issue, since your TLS is set upm but for others experiencing issues... what ended up working for me was confirming the SSL chain on my server.  Originally my SSL certificate was  just my cert.pem.  When I updated it to fullchain.pem - the TLS passed as well as the HMAC handshake.