Join us for an upcoming Shopify Partner webinar on February 27, 2024. Discover the latest Checkout Extensibility features, and deep dive on improvements to Shopify Functions and Web Pixels. Register now for either the 10am EST or 2pm EST sessions.

Webhook HMAC format is different?

George_Utsin
Visitor
2 0 0

Hey,

So I've been trying to set up webhook authentication but I have been running into an issue that I suspect is due to formatting of the hmac digest.

 

The http header that I extract (from "X-Shopify-Hmac-SHA256") tends to look something like:

YXM730947gKEWm/26s9z/sCdKWNPTNN1qMRNFhdOBFQ=

(with an equals sign at the end, typically 44 characters long and alphanum+symbols).

 

The hexdigests that I generate in python using

hmac.new("secret here", data, sha256).hexdigest()

tend to be 64 characters long and consist only of numbers+[A-F].

 

  • To create the hmac on my server (during testing with the manually created webhooks through the admin) I use the secret from the notifications page so I don't think that should be an issue.
  • I'm hashing the secret with the json payload as a string (aka request.data).
  • I've tried the "digest()" instead of "hexdigest()" function for generating the hmac string but that format is also different from what's supplied in the headers.

Again, I don't think the issue is with the hmac that I'm generating since the overall format of the hmac provided in the headers by Shopify is different.

 

Does anybody have any insight as to what's going on or what I could do differently?

 

Replies 3 (3)

Josh
Shopify Staff
1134 84 233

Hey George, 

Have you had a look at our documentation/example ruby code for verifying webhooks? I think it would be worth taking a peek at in this case. 

At a glance, it sounds like you're just missing the step where you base64 encode the signature - if you could test that out it should do the trick! 

Josh | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

George_Utsin
Visitor
2 0 0

Thanks Josh,

 

That did the trick, must have missed that part; the python library I was using didn't have an explicit base64 call so my fix ended up being to take the hex_string.decode("hex").encode("base64").replace('\n', '') and compare (for anybody else running into the same issue).

 

Is there any particular reason the authentication digest is hex while the webhook one is base64? Also, I was wondering if it possible to edit the documentation to make this difference more explicit to avoid this in the future. Maybe something like:

```

Each Webhook request includes a X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret, along with the data sent in the request. Unlike the HMAC field used in granting permissions to the application which is encoded in hex, the Webhook HMAC is encoded in base64, as shown by the code snippets below.

```

Josh
Shopify Staff
1134 84 233

Hey George, 

I'll bring this up with the powers that be (our documentation team), I suppose that could be a bit more clear since you wouldn't know otherwise unless you read the code example. Thanks for bringing it to our attention!

Josh | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog