Hi guys,
I'm creating a webhook for my public app to check app uninstalls. The webhook gets the data on uninstall but I'm unable to verify it. My SHA256 hash is always different from the one in the header.
So I figured I'm doing one of the following things wrong - (My app uses crypto js and is built on nodejs/expressjs)
Please help!
Hi HymnZ,
Here is a sample, hope it helps you out.
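```js
var crypto = require('crypto');

// recompute the HMAC over the raw request body and compare it with the header
var validateWebhook = function(req) {
  var hmacHeader = req.headers['x-shopify-hmac-sha256'] || '';
  var digest = '';
  try {
    digest = crypto.createHmac('sha256', 'WEBHOOK_SIGNKEY_FROM_SHOPIFY_DASHBOARD')
      .update(req.rawBody)
      .digest('base64');
  } catch (e) {
    console.log('Error when creating hmac', e);
    return false;
  }
  // constant-time comparison; timingSafeEqual requires equal lengths
  var a = Buffer.from(digest);
  var b = Buffer.from(hmacHeader);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
};

// the middleware parser function to update the request object
function shopifyWebhookBodyParser(req, res, next) {
  var chunks = [];
  req.on('data', function(chunk) {
    // collect Buffers; decoding chunk by chunk can corrupt multi-byte characters
    chunks.push(chunk);
  });
  req.on('end', function() {
    // keep the exact bytes for the HMAC, decode only for JSON parsing
    req.rawBody = Buffer.concat(chunks);
    try {
      req.body = JSON.parse(req.rawBody.toString('utf8'));
    } catch (e) {
      req.body = null;
    }
    next(req, res);
  });
}

// note bodyParser is not active for this url...
// (app is the Express application)
app.post("/webhook-receiver-url", function(req, res) {
  shopifyWebhookBodyParser(req, res, function(req, res) {
    if (validateWebhook(req)) {
      // webhook is valid
    } else {
      // webhook is not valid..
    }
  });
});
```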
Hi Jayvin,
My code is similar to yours. No doubt.
My only question is where do I find 'WEBHOOK_SIGNKEY_FROM_SHOPIFY_DASHBOARD'?
I checked everywhere in my partner dashboard apps section. I can't find it anywhere.
Hi,
1. Log in to your store admin
2. Go to settings
3. Go to notifications
4. Webhook sections
Hi Jayvin,
What you have displayed is from the Admin settings of a store. For a public app, this will not be available and cannot be used.
Hi,
I think there is some confusion, are you trying to validate the signature instead?
This: https://help.shopify.com/api/getting-started/authentication/oauth#verification
And this might be of help:
Hi Jayvin,
In this guide - https://help.shopify.com/api/getting-started/webhooks under "Verify a webhook created through the API" section, the first two lines apply to webhooks created by public apps via the API.
In those two lines can you explain what "digital signature" and "app's shared secret" are and where/how I can find them?
It'll be a great help.
Hi HymnZ,
The digital signature is code that you have to calculate to validate against the "x-shopify-hmac-sha256" header.
I think the "app's shared secret" is the "API secret key".
Log in to your partner dashboard > Apps > Select the app > App info > Scroll below, App credentials: API secret key
Note my use case was a bit different because I created the webhooks manually and validated them using the webhook sign key.
So you might just need to replace that "webhook sign key" with the "API secret key" in the above code.
Hope that helps you out.
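An added example, not code from any poster in this thread: it reproduces offline three ways the recomputed hash can differ from the `x-shopify-hmac-sha256` header even when the HMAC call itself is right. The secret, payload and function names are constructed for illustration, and it assumes the header is the base64 HMAC-SHA256 of the raw request body, as in the sample earlier in the thread.

```javascript
const crypto = require('crypto');

// Constructed placeholder standing in for the app's API secret key.
const API_SECRET = 'constructed-api-secret-key';

// base64 HMAC-SHA256 over the exact body bytes.
function computeHmac(secret, bodyBytes) {
  return crypto.createHmac('sha256', secret).update(bodyBytes).digest('base64');
}

// Constant-time comparison of the header against the recomputed digest.
function verifyWebhook(secret, bodyBytes, hmacHeader) {
  const expected = Buffer.from(computeHmac(secret, bodyBytes));
  const received = Buffer.from(String(hmacHeader || ''));
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed body: the space after the comma and the multi-byte character
// mean that any re-encoding changes the bytes.
const rawBody = Buffer.from('{"name":"caf\u00e9.myshopify.com", "id":690933842}', 'utf8');
const header = computeHmac(API_SECRET, rawBody); // what the sender would attach

// Case 1: the exact bytes as received.
function caseRawBytes() {
  return verifyWebhook(API_SECRET, rawBody, header);
}

// Case 2: a JSON body parser ran first and the object was re-serialized.
function caseReserialized() {
  const reencoded = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));
  return verifyWebhook(API_SECRET, reencoded, header);
}

// Case 3: chunks decoded one by one, with the two-byte character split across them.
function caseChunkDecoded() {
  const split = rawBody.indexOf(Buffer.from('\u00e9')) + 1; // cut inside the character
  const text = rawBody.subarray(0, split).toString('utf8') +
    rawBody.subarray(split).toString('utf8');
  return verifyWebhook(API_SECRET, Buffer.from(text, 'utf8'), header);
}

// Case 4: correct bytes, different secret.
function caseWrongSecret() {
  return verifyWebhook('some-other-secret', rawBody, header);
}

console.log({ raw: caseRawBytes(), reserialized: caseReserialized(),
  chunkDecoded: caseChunkDecoded(), wrongSecret: caseWrongSecret() });
```

Only the first case verifies; the other three produce a valid-looking digest that never matches the header.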
I have the same issue... API secret key isn't working
We are having the same issue.
We got the secret from: partner portal > Apps and then in the "API keys" box we use the "API secret key".