Shopify Webhook Verification returning 'Filter chain halted as :verify_request rendered or redirected'

rs
Tourist
23 0 1

I set up my app to receive Shopify webhooks. I followed the guide here

I made my own controller using

  include ShopifyApp::WebhookVerification

to authenticate the webhooks and my app

I set up my Shopify_app.rb file to send the webhooks to the correct route like this

  config.webhooks = [
    {topic: 'customers/create', address: 'https://*******.ngrok.io/webhooks/new_contact'},
    {topic: 'checkouts/update', address: 'https://*******.ngrok.io/webhooks/checkout_update'},
    {topic: 'orders/create', address: 'https://*******.ngrok.io/webhooks/orders_create'}
  ]

I'm receiving the webhooks but I keep getting the message

Filter chain halted as :verify_request rendered or redirected

Alex
Shopify Staff
1561 81 341

Hey there.

Can you post your full stacktrace somewhere like pasteb.in and maybe show what your controller looks like? This might be a better question for Stack Overflow but I'll see what I can do.

Cheers.

Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

rs
Tourist

Hey, I made an SO question where I added what you requested -> https://stackoverflow.com/questions/48525713/shopify-webhook-verification-returning-filter-chain-hal...

I thought maybe it had to do with my app's authentication but

  include ShopifyApp::WebhookVerification

already handles the skip_before_action :verify_authenticity_token. When I remove

  include ShopifyApp::WebhookVerification

it goes into my method new_contact, so the issue has to be something with the

  include ShopifyApp::WebhookVerification

Alex
Shopify Staff

Hey again,

Nice work on the SO post!

I was thinking about this and I'm wondering if perhaps you are overloading the WebhooksController class which ships with shopify_app. Does the same behaviour occur when you don't use `include ShopifyApp::WebhookVerification`, perhaps (so as not to technically include it twice)?

Edit

Thinking more about it, include isn't supposed to trigger twice in Ruby, but the same sort of idea might apply!

Cheers.

rs
Tourist

If I remove that I get

Can't verify CSRF token authenticity.
Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)

so I guess it's not loading it twice, since now it's not running 'skip_before_action :verify_authenticity_token' and my app is trying to authenticate. I tried renaming my controller and redoing my routes too, since you said that shopify_app comes with a class that has that name already, but no luck.

rs
Tourist

I'm trying to verify the HMAC from the request myself using this code:

  # Signature Shopify sent with the request
  header_hmac = request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
  digest = OpenSSL::Digest.new("sha256")
  # The HMAC is computed over the raw request body
  request.body.rewind
  calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ENV['SHOPIFY_SECRET_KEY'], request.body.read)).strip

  puts "header hmac: #{header_hmac}"
  puts "calculated hmac: #{calculated_hmac}"

  # Constant-time comparison of the two base64 strings
  puts "Verified:#{ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, header_hmac)}"

And the verification comes back false. I'm using the correct API private key for my application; I'm not sure if maybe there's a 3rd key that I need?

Alex
Shopify Staff

Hey again,

Regarding webhook verification:

The documentation there could be adjusted. I believe all newline characters need to be stripped out of the base64 string. strip removes the trailing \n character and encode64 inserts a newline character every 60 characters and a final one on the end; so maybe try using Base64::strict_encode64 and omit the strip method called on the Base64 output. If you have a long webhook body, then that's what could be going on.

Otherwise it looks like you're doing it properly at a glance. I would recommend using a debugging tool like pry to put breakpoints in your logic so you can check variables during runtime.

Cheers.

rs
Tourist

I tried what you said but no luck. When I send webhooks via Webhooks in the shop settings and I use the key shown where it says:

All your webhooks will be signed with {key} so you can verify their integrity.

I'm able to authenticate the webhook. But when I'm using my private key for the app I'm developing I get an authentication error. This means I'm authenticating correctly but the key I'm using is incorrect? Is there another key besides the public and private keys supplied in the App Credentials? Because those are the ones I'm utilizing... I even tried creating a new key and no luck still. Am I using the wrong key maybe?

rs
Tourist

I see in the documentation it says

Each Webhook request includes a X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret, along with the data sent in the request.

Where do I get this 'shared secret' key?

Alex
Shopify Staff

The shared secret is your API secret key, which can be acquired from your app's page in your partner account or the private app's page in the admin depending on what kind of api client you're building.

https://help.shopify.com/api/getting-started/authentication/oauth#step-1-get-the-clients-credentials

In shopify_app, this secret can be placed in /config/initializers/shopify_app.rb, the code example assumes it is a constant set in the simplified app file.

As the doc says, if it's a manually created webhook you're verifying (one created in settings/notifications), then the shared secret is actually that which is found on the page on which the webhook was created.

Cheers.

rs
Tourist

I'm using that key and it's stored in an environment variable. I have it set in /config/initializers/shopify_app.rb, which is where omniauth is getting it from too. I even tried hard coding it into my verifyWebhook method and it still doesn't work.

It can't be that I'm handling anything coming in wrong if it works with a manually created webhook, so if I'm using the correct key what could it be? I even tried creating a new app in the developer portal with a fresh set of keys and nothing...

rs
Tourist

I just realized that the webhooks I created in Shopify_app.rb aren't working

  config.webhooks = [
    {topic: 'customers/create', address: 'https://*****.ngrok.io/shopify_webhooks/new_contact'}, 
    {topic: 'checkouts/update', address: 'https://*****.ngrok.io/shopify_webhooks/checkout_update'},
    {topic: 'orders/create', address: 'https://*****.ngrok.io/shopify_webhooks/orders_create'}
  ]

The webhooks I was receiving were from the notifications section of the store; that's why the HMAC calculations never matched... Is there any reason why these webhooks aren't being created? Does it have to do with my app not being embedded into Shopify? I saw that I could make webhooks via POST requests. Is that the route that I have to take?
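
The mismatch worked out in this thread, as an added example that is not part of the original posts or of shopify_app: a webhook signed with the store's notification key never verifies against the app's shared secret, and a small diagnostic shows which key produced a given header. The secrets, body and helper names (`webhook_hmac`, `webhook_verified?`, `signing_source`) are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Constructed sample values, not real credentials or real webhook data.
SECRETS = {
  app_shared_secret:   'app-api-secret-example',
  store_notifications: 'store-notification-key-example'
}.freeze
RAW_BODY = '{"id":1001,"email":"jane@example.com"}'

# Base64 of HMAC-SHA256 over the raw body, the value carried in
# X-Shopify-Hmac-SHA256. strict_encode64 emits no newlines.
def webhook_hmac(secret, raw_body)
  digest = OpenSSL::Digest.new('sha256')
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, raw_body))
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A missing header is a failed verification, not an exception.
def webhook_verified?(secret, raw_body, header_hmac)
  return false if header_hmac.nil? || header_hmac.empty?
  secure_equal?(webhook_hmac(secret, raw_body), header_hmac)
end

# Diagnostic only: name the configured secret that produced the header.
# Production code verifies against the single secret the endpoint expects.
def signing_source(raw_body, header_hmac, secrets)
  match = secrets.find { |_name, s| webhook_verified?(s, raw_body, header_hmac) }
  match ? match.first : :unknown
end

if __FILE__ == $PROGRAM_NAME
  header = webhook_hmac(SECRETS[:store_notifications], RAW_BODY)
  puts "verifies with app secret: #{webhook_verified?(SECRETS[:app_shared_secret], RAW_BODY, header)}"
  puts "signed by: #{signing_source(RAW_BODY, header, SECRETS)}"
end
```

The body passed in must be the exact bytes received; re-serialized JSON will not produce the same HMAC.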