I am internally developing a middleware for a company and, for that end, I have been given access to a sandbox environment store, so with that being said, I am not in the possession of my own shopify partner account.
Now, at the store admin panel (found at "https://admin.shopify.com/store/{store-id}") I go to:
Settings > Notifications > Webhooks
Here I register my endpoint as the recipient of the webhooks. I also have a custom app installed with a bunch of related scopes. I've tried the following keys for the digest:
- The API-key
- The Secret API-key
- The Admin-Access token
- The sample string at the bottom of the notification-settings page.
But neither appear to be generating a signature that matches the header?
They all cause my controller to return 401.
Here's the code for my verification process, in case I did something wrong there.
private bool VerifyAuthenticity(string payloadAsJson, string hmacHeader, string shopId)
{
try
{
string validationKey = $"{_redactedKey} ";
byte[] keyAsBytes = Encoding.UTF8.GetBytes(validationKey);
byte[] payloadAsBytes = Encoding.UTF8.GetBytes(payloadAsJson);
using (HMACSHA256 hmac = new HMACSHA256(keyAsBytes))
{
byte[] digest = hmac.ComputeHash(payloadAsBytes);
string signature = Convert.ToBase64String(digest);
return String.Equals(signature, hmacHeader, StringComparison.Ordinal);
}
}
catch
{
return false;
}
}Although, I do believe I've analyzed the Python-script available at the documentation properly.
The webhooks are registered at the admin-panel and not subscribed to with an HttpRequest.
