validating webhook using HMAC in PHP

emn · ‎08-28-2015

$body = file_get_contents("php://input");

$ourhmac = base64_encode(hash_hmac('sha256', $body, 'my-DOUBLE-CHECKED-secret', true));
$theirhmac = $app->request->headers->get('X-Shopify-Hmac-Sha256');

// $ourhmac == OGNlMmMyOTI2OWVjMDAyOTE3MTQ4NDQ0ZTE5YTIxZjg4YWZhMTZkOWE0NmE3Mzg2ZjdjMTc1M2EzODdhZWI1YQ==
// $theirhmac == Dj/bSPIDPyhYpjzodjhH/RxxdXTmvKddJJdxhcJ9vNM=

Hi, the example provided in your docs is not working for me, could you please update it or let me know how to validate the webhook?

Thanks.

Appifiny · ‎08-31-2015

The following works for me. Check your error log to see if it works for you.

function verify_webhook($data, $hmac_header) {
	$calculated_hmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_SECRET, true));
	return ($hmac_header == $calculated_hmac);
}

if (isset($_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'])) {
	$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'];
	$data = file_get_contents('php://input');
	$verified = verify_webhook($data, $hmac_header);
	error_log('Webhook verified: '. var_export($verified, true)); //check error.log to see the result
} else {
	error_log('Request not from shopify');
}

Try the best recent order app for Shopify free for 7 days: https://apps.shopify.com/recently

John_Haley · ‎09-04-2015

I'm having the same problem. Here's my PHP code (pretty much copied and pasted from the API docs)

function verifyWebhook($data, $hmacHeader)
{
    $calculatedHmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_SECRET, true));
    error_log('$hmacHeader = ' . $hmacHeader);
    error_log('$calculatedHmac = ' . $calculatedHmac);
    return ($hmacHeader == $calculatedHmac);
}


$hmacHeader = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'];
$data = file_get_contents('php://input');

$verified = verifyWebhook($data, $hmacHeader);

if (false === $verified)
{
    error_log('HMAC HASH not verified, exiting.'); //check error.log to see the result
    exit;
}

Here's what my error log outputs:

[04-Sep-2015] $hmacHeader = xr0Ycgs/jmADJgPKi0qNCMbYl/J47E6AJx/UAZF/+sU=
[04-Sep-2015] $calculatedHmac = i2HdJvOj8LF8ycdn3SPwI2EXgXQR8l04XAburqsCdhg=
[04-Sep-2015] HMAC HASH not verified, exiting.

Completely different. I'm using PHP 5.6.2 if that's relevant.

Any idea what it could be that I'm missing?

Appifiny · ‎09-05-2015

Have you defined SHOPIFY_SECRET?

Have you tried my code above instead of using the code from the docs?

Try the best recent order app for Shopify free for 7 days: https://apps.shopify.com/recently

John_Haley · ‎09-05-2015

Yes SHOPIFY_SECRET is defined. I use it all the time to make API requests which work no problem.

Your code is exactly the same as the example code in the API docs (https://docs.shopify.com/api/webhooks/using-webhooks#verify-webhook) except for one difference - the IF statement checking the header has been set.

For what it's worth, I added that check to my code but it didn't help because I can see the header is being sent from Shopify correctly. If you look at my code you can see I output both the hmac header and the calculated hmac. And you can see they do not match.

I've no doubt it works for you, so I wonder what mistake I'm making? Such a small amount of code it's crazy that I'm getting different results. It must be something else...

Appifiny · ‎09-05-2015

Other than verifying that the shopify hmac header is set I see no difference.

Try the best recent order app for Shopify free for 7 days: https://apps.shopify.com/recently

John_Haley · ‎09-05-2015

Okay, sometimes knowing I'm on the right track is good enogh! Thanks for the help, I'll track this sucker down eventually 🙂