Orders webhooks hmac validation not working


Hellogark
Shopify Partner
4 0 0

Hello, I'm manually subscribing the user of my test app to some webhooks, like product/delete, app/uninstall, order/paid, order/created.
The HMAC validation works for the first two webhooks. I know that the payload is much simpler, but the process is the same.
This validation code (Java/Spring Boot) is the same for all my webhooks:

@PostMapping("/ordersPaid")
public ResponseEntity<String> paidOrdersCallback(HttpServletRequest request,
        @RequestHeader("X-Shopify-Shop-Domain") String domain,
        @RequestHeader("X-Shopify-Hmac-Sha256") String hmac) throws Exception {
    // Allocate a buffer of Content-Length bytes and fill it with one read() call
    ServletInputStream inputStream = request.getInputStream();
    byte[] requestBody = new byte[request.getContentLength()];
    inputStream.read(requestBody);

    // Decode the buffer as UTF-8 text; this string is what gets signed and processed
    String body = new String(requestBody, StandardCharsets.UTF_8);

    if (shopifyServices.verifyHmac(body, hmac)) {
        shopiffyCallbacksApplication.orderPaid(body, domain, "order_paid");
        return ResponseEntity.ok("Webhook verified.");
    } else {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("HMAC invalid.");
    }
}

This is the code for the HMAC validation:

public boolean verifyHmac(String data, String hmac) throws Exception {
    Store store = getStoreData();
    // HMAC-SHA256 keyed with the app's secret key
    Mac mac = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKeySpec = new SecretKeySpec(store.getSecret_key().getBytes("UTF-8"), "HmacSHA256");
    mac.init(secretKeySpec);
    // Sign the body string re-encoded as UTF-8, then Base64-encode the digest
    byte[] hmacBytes = mac.doFinal(data.getBytes("UTF-8"));
    String calculatedHmacBase64 = Base64.getEncoder().encodeToString(hmacBytes);
    // Compare against the X-Shopify-Hmac-Sha256 header value
    return hmac.equals(calculatedHmacBase64);
}

And this is the result of the validation. The first one is the Shopify HMAC and the second one is the generated one:

Hellogark_0-1723925691637.png

This is a successful validation of a deleted product:

Hellogark_1-1723926389013.png

 



alex_dev2
Shopify Partner
7 0 0

Have similar issues validating webhooks for a custom app. It doesn't work.
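
The handler in the question sizes a buffer from Content-Length and calls `inputStream.read(requestBody)` once; `InputStream.read(byte[])` may return before the buffer is full, and an HMAC computed over a partly filled buffer will not match the header. The following is an added example, not code from the thread: it compares a single read with `readAllBytes()` on the raw bytes and checks the signature in constant time with `MessageDigest.isEqual`. The secret, the payload and the `chunked` helper are constructed for illustration, and Java 11+ is assumed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class WebhookHmacCheck {

    static byte[] hmac(byte[] body, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(body);
    }

    // Verify the Base64 header value against the exact raw body bytes.
    static boolean verify(byte[] rawBody, String headerHmac, String secret)
            throws GeneralSecurityException {
        byte[] received;
        try {
            received = Base64.getDecoder().decode(headerHmac);
        } catch (IllegalArgumentException e) {
            return false; // malformed header value
        }
        return MessageDigest.isEqual(hmac(rawBody, secret), received); // constant-time
    }

    // Hypothetical helper: a stream that yields at most 16 bytes per read(),
    // standing in for a request body that arrives in several chunks.
    static InputStream chunked(byte[] data) {
        return new FilterInputStream(new ByteArrayInputStream(data)) {
            @Override public int read(byte[] b, int off, int len) throws IOException {
                return super.read(b, off, Math.min(len, 16));
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-test-secret"; // constructed, not a real key
        byte[] payload = ("{\"id\":1,\"line_items\":[" + "{\"sku\":\"x\"},".repeat(50) + "{}]}")
                .getBytes(StandardCharsets.UTF_8);  // constructed sample body
        String header = Base64.getEncoder().encodeToString(hmac(payload, secret));

        byte[] partial = new byte[payload.length];  // buffer sized from Content-Length
        int n = chunked(payload).read(partial);     // one read(): rest of buffer stays zero
        System.out.println("single read: " + n + "/" + payload.length + " bytes, valid=" + verify(partial, header, secret));

        byte[] full = chunked(payload).readAllBytes(); // loops until end of stream
        System.out.println("readAllBytes: " + full.length + " bytes, valid=" + verify(full, header, secret));
    }
}
```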