Re: Intermittent webhook HMAC mismatch

Intermittent webhook HMAC mismatch

vomithatsteve
Shopify Partner
8 0 0

Late last week, we started receiving emails from Shopify telling us that the webhooks on one of our stores were failing.

 

We hadn't made any changes to our codebase, and only one of the dozens of stores we have using this same codebase is having this issue.

 

We double-checked the documentation and our code to ensure that everything still matched and then added some extra logging to the system.

 

Having monitored things for a few days. Some webhooks are coming through correctly. Others are being sent with the wrong HMAC signature. We're not seeing any pattern to which ones are failing and which are correct.

 

Has anyone else been experiencing this? Any idea why this might have started happening all of a sudden?

Replies 4 (4)

dnorth
Tourist
3 0 1

Did you every get to the bottom of this?  I'm just looking into the same issue where a small number of webhooks come in and get a mismatch in the hmac (yet the code is the same that computes the hmac).  By small number, it's around 20 out of 1500 received in a 30 second window (we receive a LOT of webhooks).

 

I've reviewed and re-reviewed the code but can't see anything amiss on the reception side.

vomithatsteve
Shopify Partner
8 0 0

Not yet. I got a hold of customer support, but they haven't been able to provide any new information on it.

 

aglehg
Visitor
1 0 0

This was happening to me and I understood that happened when there where special chars in the url, digging further I discovered that the documentation that describes how you generate the hmac is incomplete. It's also not enough just to concatenate the fields, sometimes you need to transform the params to another format. 

In my case, this solved it: 
https://community.shopify.com/c/Shopify-APIs-SDKs/SHA256-HMAC-Verification-on-requests-generated-by-...


dnorth
Tourist
3 0 1

I had a look at all this new info but alas I don't think that's what is happening in our case.  I took some code that independently generates an HMAC (https://gist.github.com/andjosh/5c4f0244914adfd312e4) and for the same webhook, it's generating the same HMAC as we are...but it's different from the Shopify one.  There's really only one way to format the JSON post body so I'm at a bit of a loss why the mismatch.