We are having trouble validating HMAC signatures for webhook events.
We've captured a test webhook here: http://requestb.in/yafa08ya?inspect
We're using the following Lua code in nginx/openresty:
local hmac = require "resty.hmac"
local hmac_256 = hmac:new(hmac_signing_key, hmac.ALGOS.SHA256)
ngx.req.read_body()
local string_to_sign = ngx.req.get_body_data()
local signature = hmac_256:final(string_to_sign, true)
hmac_256:reset()
if provided_signature ~= signature then
    return ngx.exit(401)
end
We've also tested using this website: http://www.freeformatter.com/hmac-generator.html
Both agree that the HMAC is: cd99fe58fa2a263f00acb624b3029793423d562a637df47459cbcb986a95efb0
However we get this signature in the X-Shopify-Hmac-Sha256 header: zZn+WPoqJj8ArLYkswKXk0I9VipjffR0WcvLmGqV77A=
Here's the raw body, in case the requestb.in expires.
{"id":"eeafa272cebfd4b22385bc4b645e762c","token":"eeafa272cebfd4b22385bc4b645e762c","line_items":[{"id":1234567,"properties":{},"quantity":3,"variant_id":1234567,"key":"1234567:f816dcc3b2e26822a28626a786eac953","title":"Example T-Shirt - ","price":"19.99","original_price":"19.99","discounted_price":"19.99","line_price":"59.97","original_line_price":"59.97","total_discount":"0.00","discounts":[],"sku":"example-shirt-s","grams":200,"vendor":"Acme","product_id":327475578523353102,"gift_card":false}]}
Our store is test-store-rc4.myshopify.com.
Any help would be appreciated.
Thanks.
Hey Eric,
When you say "test webhook", was this webhook created from the Shopify admin?
Only webhooks created by your application will validate successfully using your application's secret key. Webhooks spawned from the Shopify admin must be validated using the shop's secret key, which is visible in the Notifications section of the admin dashboard.
To learn more visit the Shopify Help Center or the Community Blog.
I'm using the signing key displayed here.
I just figured it out. The contents of the X-Shopify-Hmac-Sha256 header are base64 encoded, but the other tool and our code are encoding to hexadecimal. I can fix that.
Hey Eric,
Glad to hear you got it working. Thanks for sharing your solution with us.
I'll look into improvements to the relevant documentation in order to clear this up 🙂
Yeah, improving the documentation would help. The fact that the signing key is encoded as hex added to the confusion.
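The fix described in the thread, as an added example in Python (not code from the thread or from Shopify): decode the base64 header and compare raw digest bytes in constant time, instead of comparing a hex string to a base64 string. The two digest strings are the ones quoted in the original post; the secret and sample body are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Quoted in the thread: one digest, hex-encoded by the poster's code and
# base64-encoded by Shopify in the X-Shopify-Hmac-Sha256 header.
THREAD_HEX = "cd99fe58fa2a263f00acb624b3029793423d562a637df47459cbcb986a95efb0"
THREAD_HEADER = "zZn+WPoqJj8ArLYkswKXk0I9VipjffR0WcvLmGqV77A="


def same_digest(hex_digest, b64_digest):
    """True when a hex string and a base64 string encode the same bytes."""
    try:
        raw_from_hex = bytes.fromhex(hex_digest)
        raw_from_b64 = base64.b64decode(b64_digest, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(raw_from_hex, raw_from_b64)


def sign(secret, raw_body):
    """Raw (binary) HMAC-SHA256 of the body; encode only at the edges."""
    return hmac.new(secret, raw_body, hashlib.sha256).digest()


def verify_webhook(secret, raw_body, header_value):
    """Check a base64 HMAC-SHA256 header against the raw request body."""
    if not header_value:
        return False  # missing header: reject
    try:
        provided = base64.b64decode(header_value, validate=True)
    except ValueError:
        return False  # malformed base64: reject rather than raise
    # Constant-time comparison of digest bytes, not == on encoded strings.
    return hmac.compare_digest(provided, sign(secret, raw_body))


if __name__ == "__main__":
    # Constructed sample: the real signing key is not on the page.
    secret = b"constructed-example-secret"
    body = b'{"id":"example","line_items":[]}'
    header = base64.b64encode(sign(secret, body)).decode()
    print("thread values match:", same_digest(THREAD_HEX, THREAD_HEADER))
    print("valid header accepted:", verify_webhook(secret, body, header))
    # The thread's failure mode: a hex digest compared as if it were base64.
    print("hex digest accepted:", verify_webhook(secret, body, sign(secret, body).hex()))
```

The body must be the exact bytes received; re-serialising the JSON before signing changes the digest.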