Our Partner & Developer boards on the community are moving to a brand new home: the .dev community forums! While you can still access past discussions here, for all your future app and storefront building questions, head over to the new forums.

Webhook HMAC Validation

Webhook HMAC Validation

Eric77
Tourist
15 0 1

We are having trouble validating HMAC signatures for webhook events.

We've captured a test webhook here: http://requestb.in/yafa08ya?inspect

We using the following lua code in nginx/openresty:

local hmac = require "resty.hmac"
local hmac_256 = hmac:new(hmac_signing_key, hmac.ALGOS.SHA256)
ngx.req.read_body()
local string_to_sign = ngx.req.get_body_data()

local signature = hmac_256:final(string_to_sign, true)
hmac_256:reset()

if provided_signature ~= signature then
    return ngx.exit(401)
end

We've also tested using this website: http://www.freeformatter.com/hmac-generator.html

Both agree that the HMAC is: cd99fe58fa2a263f00acb624b3029793423d562a637df47459cbcb986a95efb0

However we get this singature in the X-Shopify-Hmac-Sha256 header: zZn+WPoqJj8ArLYkswKXk0I9VipjffR0WcvLmGqV77A=

Here's the raw body, in case the requestb.in expires.

{"id":"eeafa272cebfd4b22385bc4b645e762c","token":"eeafa272cebfd4b22385bc4b645e762c","line_items":[{"id":1234567,"properties":{},"quantity":3,"variant_id":1234567,"key":"1234567:f816dcc3b2e26822a28626a786eac953","title":"Example T-Shirt - ","price":"19.99","original_price":"19.99","discounted_price":"19.99","line_price":"59.97","original_line_price":"59.97","total_discount":"0.00","discounts":[],"sku":"example-shirt-s","grams":200,"vendor":"Acme","product_id":327475578523353102,"gift_card":false}]}

Our store is test-store-rc4.myshopify.com.

Any help would be appreciated.

Thanks.

Replies 5 (5)

Jamie_D_
Shopify Staff (Retired)
533 1 92

Hey Eric,

When you say "test webhook", was this webhook created from the Shopify admin?

Only webhooks created by your application will validate succesfully using your application's secret key. Webhooks spawned from the Shopify admin must be validated using the shop's secret key, which is visible in the Notifications section of the admin dashboard.

To learn more visit the Shopify Help Center or the Community Blog.

Eric77
Tourist
15 0 1

I'm using the signing key displayed here.

Eric77
Tourist
15 0 1

I just figured it out. The contents of the X-Shopify-Hmac-Sha256 header are base64 encoded, but the other tool, and our code is encoding to hexadecimal. I can fix that.

Jamie_D_
Shopify Staff (Retired)
533 1 92

Hey Eric,

Glad to hear you got it working. Thanks for sharing your solution with us.

I'll look into improvements to the relevant documentation in order to clear this up 🙂

To learn more visit the Shopify Help Center or the Community Blog.

Eric77
Tourist
15 0 1

Yeah, improving the documentation would help. The fact that the signing key is encoded as hex added to the confusion.