Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
Hey gang,
I set up the end point to handle mandatory webhooks.
However, my app gets rejected with:
I do have the verification in place, but it works on custom webhooks (e.g. products/update).
I checked the logs on my web server and found this:
[2022-06-12 22:38:27 +0000] - (sanic.access)[INFO][103.161.250.10:16896]: GET <url> 405 789
I received it when i create a customer in my Dev store and then submitted a request for customer data.
I am puzzled as to why this is a GET request and not a POST. According to the docs, mandatory webhooks are POST.
Here's one of the end points for the mandatory webhook + the verification method:
openapi.post("/webhook/shop/redact", strict_slashes=False)
@openapi.summary("Requests to delete shop data")
@openapi.body({"application/json":ShopRedact})
async def handle_shop_redact(request: request) -> response:
# verify webhook
verified = verify_webhook(request.body, request.headers.get('X-Shopify-Hmac-SHA256'))
if not verified:
raise SanicException(status_code=401)
print("Received request to delete shop data: {} ", json.loads(request.body))
return js(status=200, body={"message": "Request received"})
# following code is from Shopify's example: https://shopify.dev/apps/webhooks/configuration/https#verify-a-webhook
def verify_webhook(data, hmac_header):
if hmac_header == None:
return False
API_SECRET_KEY = "7ae25d6aee942fbb2d2fef2d592a5eb9"
digest = hmac.new(
API_SECRET_KEY.encode("utf-8"), data, digestmod=hashlib.sha256
).digest()
computed_hmac = base64.b64encode(digest)
return hmac.compare_digest(computed_hmac, hmac_header.encode("utf-8"))
What am i doing wrong?
Solved! Go to the solution
This is an accepted solution.
it turns out that the mandatory webhook handling MUST be in the app itself. The section in the Setup screen says to provide end points, but it doesn't clarify that they can't be end points outside of the app. once i moved the handling of those mandatory webhooks to the app, using https://github.com/Shopify/shopify-node-api/issues/256 as guidance, everything worked.
to clarify, i implemented the handling of mandatory webhooks outside of the app, in the external API. but now i am thinking it needs to be done inside the app, just like a non-mandatory webhook such as product/updates. is that the case?
This is an accepted solution.
it turns out that the mandatory webhook handling MUST be in the app itself. The section in the Setup screen says to provide end points, but it doesn't clarify that they can't be end points outside of the app. once i moved the handling of those mandatory webhooks to the app, using https://github.com/Shopify/shopify-node-api/issues/256 as guidance, everything worked.