Join us for an upcoming Shopify Partner webinar on February 27, 2024. Discover the latest Checkout Extensibility features, and deep dive on improvements to Shopify Functions and Web Pixels. Register now for either the 10am EST or 2pm EST sessions.

Stuck on 'App must verify the authenticity of the request from Shopify' with app submission

javioverflow
Visitor
2 0 0

I really don't know how to fix this, I've submitted my app in the past without any issues.

 

  1. App must verify the authenticity of the request from Shopify.
    Your app's HTTPS webhook endpoints must validate the HMAC digest of each request, and return an HTTP 401 (Unauthorized) response when rejecting a request that has an invalid digest.Learn more about verifying a webhook
  2. App must be served over HTTPS.
    There was an error connecting to your app. Make sure itsApp URL and Allowed redirection URLwork correctly.

I can even see the Shopify test requests in my backend logs, and they all seem fine to me.

 

(1) Feb 09 10:36:16 - GET /shopify/token HTTP/1.1 401 43 - 0.982 ms

 

(2) Feb 09 10:09:35 - GET /shopify/install?hmac=XXXXbfd03f0e9970be6d907a69d24d19ca1fda1db092d6cd0a2e3ba92cb547b2&host=XXXXYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&session=XXXXcb5baa6de89cb480de8b89c238d860c3c9eb96d0059d68c4580d4907d395&shop=cambridgetestshop.myshopify.com&timestamp=XXXX401375 HTTP/1.1 302 950 - 0.727 ms


(3) Feb 09 10:09:36 - GET /shopify/token?code=XXXX45dba979629298c10f422397b834&hmac=XXXXcdb4881cbbdd12fd2b434dcb404bab493df57094ec90aea561ba4b67d17c&host=XXXXYnJpZGdldGVzdHNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=cambridgetestshop.myshopify.com&state=XXXX8a99-5d44-41c1-b237-f464ffb1663f&timestamp=XXXX401376 HTTP/1.1 302 364 - 634.158 ms

I've tried the same requests changing the hmac and it successfully return 401.

 

I can't see any requests being made for subscribed webhooks, but I tested them myself and they work just fine. What is going on?

 

I really don't know what else to do or who to talk with...

 

Replies 5 (5)

csam
Shopify Staff (Retired)
267 40 51

Hi 

 

@javioverflow I would recommend reaching out to partner support to find out what the issue is, and if needed we can provide additional support.

 

Regards,

To learn more visit the Shopify Help Center or the Community Blog.

Sharan_oapps
Shopify Partner
35 1 6

Hi Csam!

Myself also getting the following Requirements,

Requirements that must be met before initial screening

  1. App must set security headers to protect against clickjacking.
    Your app url's host is invalid.
  2. Your partner account requires an emergency developer contact.
    The app is missing a developer emergency contact phone and email.
  3. App must verify the authenticity of the request from Shopify.
    Your app url's host is invalid.
  4. App must be served over HTTPS.
    Your app url's host is invalid.

Please help me out how to fix this ..

atulatgupshup
Shopify Partner
2 0 0

Hey @Sharan_oapps , Is you issue fixed, can you please let me know, I am facing same issue

qingfu
Shopify Partner
2 0 0
let { hmac, host, shop, timestamp } = req.query;
const sign = (content, secret) => {
return crypto.createHmac("sha256", secret).update(content).digest("hex");
};

 

if (sign(`host=${host}&shop=${shop}&timestamp=${timestamp}`, config.shopifyPartner.secret) != hmac) {
res.status(401).send();
}

hassanharoon86
Shopify Partner
6 0 0

Hi, if you're working in ruby on rails.

You can try including WebhookVerification module from shopify app gem by adding the following line to your webhooks controller:

include ShopifyApp::WebhookVerification


This module has a before action which verifies the requests against the hmac header and returns 401 unauthorized in case request wasn't sent from shopify.