Topics covering webhook creation & management, event handling, Pub/Sub, and Eventbridge, in Shopify apps.
I setup my app to receive Shopify webhooks. I followed the guide here
I made my own controller using
include ShopifyApp::WebhookVerification
to authenticate the webhooks and my app
I set up my Shopify_app.rb file to send the webhooks to the correct route like this
config.webhooks = [
{topic: 'customers/create', address: 'https://*******.ngrok.io/webhooks/new_contact'},
{topic: 'checkouts/update', address: 'https://*******.ngrok.io/webhooks/checkout_update'},
{topic: 'orders/create', address: 'https://*******.ngrok.io/webhooks/orders_create'}
]
Im receiving the Webhooks but i keep getting the message
Filter chain halted as :verify_request rendered or redirected
Hey there.
Can you post your full stacktrace somewhere like pasteb.in and maybe show what your controller looks like? This might be a better question for Stack Overflow but I'll see what I can do.
Cheers.
Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Hey, i made a SO questions where i added what you requested -> https://stackoverflow.com/questions/48525713/shopify-webhook-verification-returning-filter-chain-hal...
i thought maybe it had to do with my apps authentication but
include ShopifyApp::WebhookVerification
already handles the skip_before_action :verify_authenticity_token, when i remove
include ShopifyApp::WebhookVerification
it goes into my method new_contact so the issue has to be something with the
include ShopifyApp::WebhookVerification
Hey again,
Nice work on the SO post!
I was thinking about this and I'm wondering if perhaps you are overloading the WebhooksController class which ships with shopify_app. Does the same behaviour occur when you don't use `include ShopifyApp::WebhookVerification` perhaps (as not to technically include it twice).
Edit
Thinking more about it, include isn't supposed to trigger twice in Ruby, but the same sort of idea might apply!
Cheers.
Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
If i remove that i get
Can't verify CSRF token authenticity.
Completed 401 Unauthorized in 1ms (ActiveRecord: 0.0ms)
so i guess its not loading it twice since now its not running ' skip_before_action :verify_authenticity_token' and my app is trying to authenticate. I tried renaming my controller and redoing my routes too since you said that shopify_app comes with a class that has that name already but no luck
Im trying to verify the HMAC from the request myself using this code:
header_hmac = request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
digest = OpenSSL::Digest.new("sha256")
request.body.rewind
calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ENV['SHOPIFY_SECRET_KEY'], request.body.read)).strip
puts "header hmac: #{header_hmac}"
puts "calculated hmac: #{calculated_hmac}"
puts "Verified:#{ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, header_hmac)}"
And the verification comes back false, I'm using the correct API private key for my application i'm not sure if maybe theres a 3rd key that i need?
Hey again,
Regarding webhook verification:
The documentation there could be adjusted. I believe all newline characters need to be stripped out of the base64 string. strip removes the trailing \n character and encode64 inserts a newline character every 60 characters and a final one on the end; so maybe try using Base64::strict_encode64 and omit the strip method called on the Base64 output. If you have a long webhook body, then that's what could be going on.
Otherwise it looks like you're doing it properly at a glance. I would recommend using a debugging tool like pry to put breakpoints in your logic so you can check variables during runtime.
Cheers.
Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
I tried what you said but no luck, when i send webhooks via
Webhooks in the shop settings i and i use the key shown where it say:
All your webhooks will be signed with {key} so you can verify their integrity.
im able to authenticate the webhook. But when im using my private key for the app im developing i get an authentication error. This means im authenticaing correctly but the key im using is incorrect? is there another key besides the public and private keys supplied in the App Credentials? because those are the ones im utilizing... i even tried creating a new key and no luck still am i using the wrong key maybe?
I see in the documentation it says
Each Webhook request includes a X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret, along with the data sent in the request.
where do i get this 'shared secret' key?
The shared secret is your API secret key, which can be acquired from your app's page in your partner account or the private app's page in the admin depending on what kind of api client you're building.
https://help.shopify.com/api/getting-started/authentication/oauth#step-1-get-the-clients-credentials
In shopify_app, this secret can be placed in /config/initializers/shopify_app.rb, the code example assumes it is a constant set in the simplified app file.
As the doc says, if it's a manually created webhook you're verifying (one created in settings/notifications), then the shared secret is actualy that which is found on the page on which the webhook was created.
Cheers.
Alex | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
Im using that key and its stored in an enviornment variable, i have it set in /config/initializers/shopify_app.rb which is where omniauth is getting it from too, i even tried hard coding it into my verifyWebhook method and it still doesn't work.
It cant be that im handling anything coming in wrong if it works with a manually created webhook, so if im using the correct key what could it be? I even tried creating a new app in the developer portal with a fresh set of keys and nothing...
I just realized that the webhooks i created in Shopify_app.rb aren't working
config.webhooks = [
{topic: 'customers/create', address: 'https://*****.ngrok.io/shopify_webhooks/new_contact'},
{topic: 'checkouts/update', address: 'https://*****.ngrok.io/shopify_webhooks/checkout_update'},
{topic: 'orders/create', address: 'https://*****.ngrok.io/shopify_webhooks/orders_create'}
]
the webhooks i was recieveing were from the notifications section of the store, thats why the HMAC calulations never matched... is there any reason why these webhooks aren't being created? does it have to do with my app not being embedded into shopify? i saw that i could make webhooks via post requests is the route that i have to take?