Public App's Shared Secret and Webhook

HymnZ
Shopify Partner
399 6 48

Hi guys,

I'm creating a webhook for my public app to check app uninstalls. The webhook gets the data on uninstall but I'm unable to verify it. My SHA256 hash is always different from the one in the header.

So I figured I'm doing one of the following things wrong (my app uses crypto-js and is built on Node.js/Express.js):

  1. Using wrong "Shared Secret" - I'm currently using "API secret key", where do I find the "Shared Secret" of my app?
  2. Using wrong "data" - I'm taking the complete request body in calculating the hash, is there something I need to skip?
  3. Wrong method for calculating the hash - I'm using the same method I'm using for OAuth, is there something different I need to use?

Please help!

My speciality lies in making Shopify work for your requirements, not the other way round. HMU on email: hymnz@outlook.com or on skype: hymnzzy

If you like my work, consider supporting me 🙂 https://www.buymeacoffee.com/hymnz

Jayvin
Shopify Partner
284 42 89

Hi HymnZ,

Here is a sample, hope it helps you out.

var crypto = require('crypto');
var express = require('express');
var app = express();

// Compare the base64 HMAC-SHA256 Shopify sends in the header with one
// computed over the raw request body using the webhook signing key.
var validateWebhook = function(req) {
  var hmacHeader = req.headers['x-shopify-hmac-sha256'] || '';
  var digest = '';
  try {
    digest = crypto.createHmac('sha256', 'WEBHOOK_SIGNKEY_FROM_SHOPIFY_DASHBOARD')
      .update(req.rawBody)
      .digest('base64');
  } catch (e) {
    console.log('Error when creating hmac', e);
    return false;
  }

  // Constant-time comparison; timingSafeEqual throws on unequal lengths.
  var received = Buffer.from(hmacHeader);
  var expected = Buffer.from(digest);
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
};

// The middleware parser function to update the request object with the raw body.
// Chunks are kept as Buffers so a multi-byte UTF-8 character split across two
// chunks does not alter the bytes the HMAC is computed over.
function shopifyWebhookBodyParser(req, res, next) {
  var chunks = [];
  req.on('data', function(chunk) {
    chunks.push(chunk);
  });

  req.on('end', function() {
    req.rawBody = Buffer.concat(chunks);
    try {
      req.body = JSON.parse(req.rawBody.toString('utf8'));
    } catch (e) {
      return res.status(400).send('Invalid JSON');
    }
    next(req, res);
  });
}

// Note: bodyParser is not active for this URL, otherwise the request stream
// would already have been consumed and rawBody would be empty.
app.post("/webhook-receiver-url", function(req, res) {
  shopifyWebhookBodyParser(req, res, function(req, res) {
    if (validateWebhook(req)) {
      // webhook is valid
      res.sendStatus(200);
    } else {
      // webhook is not valid
      res.sendStatus(401);
    }
  });
});


HymnZ
Shopify Partner
399 6 48

Hi Jayvin,

My code is similar to yours. No doubt.

My only question is where do I find 'WEBHOOK_SIGNKEY_FROM_SHOPIFY_DASHBOARD'?

I checked everywhere in my partner dashboard apps section. I can't find it anywhere.


Jayvin
Shopify Partner
284 42 89

Hi,

1. Log in to your store admin
2. Go to Settings
3. Go to Notifications
4. Webhooks section


HymnZ
Shopify Partner
399 6 48

Hi Jayvin,

What you have displayed is from the Admin settings of a store. For a public app, this will not be available and cannot be used.


Jayvin
Shopify Partner
284 42 89

Hi,

I think there is some confusion, are you trying to validate the signature instead?

This: https://help.shopify.com/api/getting-started/authentication/oauth#verification

And this might be of help:

https://ecommerce.shopify.com/c/shopify-apps/t/how-can-i-validate-signature-coming-from-shopify-whil...


HymnZ
Shopify Partner
399 6 48

Hi Jayvin,

In this guide - https://help.shopify.com/api/getting-started/webhooks under "Verify a webhook created through the API" section, the first two lines apply to webhooks created by public apps via the API.

In those two lines can you explain what "digital signature" and "app's shared secret" are and where/how I can find them?

It'll be great help.


Jayvin
Shopify Partner
284 42 89

Hi HymnZ,

The digital signature is code that you have to calculate to validate against the "x-shopify-hmac-sha256" header.

I think the "app's shared secret" is the "API secret key".

Log in to your partner dashboard > Apps > Select the app > App info > Scroll down, App credentials: API secret key

Note my use case was a bit different because I created the webhooks manually and validated them using the webhook sign key.

So you might just need to replace that "webhook sign key" with the "API secret key" in the above code.

Hope that helps you out.

pallavi57
Shopify Partner
5 0 2

I have the same issue... the API secret key isn't working.

Refunder
Visitor
1 0 0

We are having the same issue.

We got the secret from: partner portal > Apps and then in the "API keys" box we use the "API secret key".