
Webhook Verification Not Working

strocode
Shopify Partner

Hello,

I'm trying to verify a webhook in my rails app according to the docs here: https://help.shopify.com/en/api/getting-started/webhooks

The code given in the docs does not seem to produce the same result as the HMAC header sent with the webhook. Are the docs outdated? What am I doing wrong here?
require 'openssl'
require 'base64'

request.body.rewind
@data = request.body.read   # raw bytes exactly as received; the HMAC must be computed over these, not over re-serialized params

hmac_header = request.headers['X-Shopify-Hmac-SHA256'].to_s   # header name added so the snippet runs; it was undefined in the original

calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', Rails.application.secrets.shared_secret, @data))

compare = ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)
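Worked example, added here and not part of the original post or of Shopify's own code: it performs the same Base64(HMAC-SHA256) check as the snippet above but outside Rails, with a plain-Ruby constant-time compare standing in for ActiveSupport::SecurityUtils.secure_compare. All secrets and the body are constructed values; SIGNING_SECRET stands in for whatever string Shopify actually signs with (the thread's point is that this may not be the credential the docs name), OTHER_SECRET for a different credential, and the last case shows why the check must run over the raw body bytes rather than a parsed-and-re-encoded copy.

```ruby
require 'openssl'
require 'json'

# Base64 of HMAC-SHA256 over the raw body, the form Shopify sends in X-Shopify-Hmac-SHA256.
# [..].pack('m0') is strict (no newline) Base64, the same output as Base64.strict_encode64.
def shopify_hmac(secret, raw_body)
  [OpenSSL::HMAC.digest('sha256', secret, raw_body)].pack('m0')
end

# Constant-time comparison: the work done does not depend on where the strings first differ.
# Equivalent in intent to ActiveSupport::SecurityUtils.secure_compare; written out so no Rails is needed.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected.shift }
  diff.zero?
end

# Returns true only when the header matches the HMAC recomputed with our secret over the raw body.
def verify_webhook(secret, raw_body, hmac_header)
  return false if hmac_header.nil? || hmac_header.empty?
  secure_compare(shopify_hmac(secret, raw_body), hmac_header)
end

# Constructed sample values (not real credentials or a real webhook).
SIGNING_SECRET = 'constructed-signing-secret'   # the string Shopify signs with
OTHER_SECRET   = 'constructed-other-secret'     # a different credential, e.g. one taken from the wrong place
RAW_BODY       = '{"id":123456,"email":"jon@example.com","total_price":"403.00"}'

# The header value Shopify would attach to RAW_BODY when signing with SIGNING_SECRET.
HEADER = shopify_hmac(SIGNING_SECRET, RAW_BODY)

# Four cases: only the first should verify.
def demo
  reserialized = JSON.pretty_generate(JSON.parse(RAW_BODY))   # same data, different bytes
  {
    correct_secret: verify_webhook(SIGNING_SECRET, RAW_BODY, HEADER),
    wrong_secret:   verify_webhook(OTHER_SECRET, RAW_BODY, HEADER),
    tampered_body:  verify_webhook(SIGNING_SECRET, RAW_BODY.sub('403.00', '0.00'), HEADER),
    reserialized:   verify_webhook(SIGNING_SECRET, reserialized, HEADER)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, ok| puts format('%-15s %s', name, ok ? 'verified' : 'REJECTED') }
end
```

The wrong_secret case is the situation the thread describes: a correctly implemented check that always rejects, because the key on the app side is not the one Shopify used. Nothing in the HMAC itself tells you which secret is wrong, so when verification fails across the board, the first thing to confirm is that the secret and the raw body are exactly what Shopify signed.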

 

strocode
Shopify Partner

Figured it out. Do NOT use your app's shared secret like the docs tell you to.

Use the signature string at the bottom of your webhooks creation interface.

piyushbeli
Shopify Partner

I implemented it with nodejs and it was working with the client secret.

Here is the code snippet.

import crypto from 'crypto';
import { Request, Response, NextFunction } from 'express';

// Secret used to recompute the HMAC; the original snippet referenced it without defining it.
const clientSecret = process.env.SHOPIFY_API_SECRET;

export function verifyWebhook (request: Request, response: Response, next: NextFunction): void {
    if (!clientSecret) {
        throw new Error('SHOPIFY_API_SECRET environment variable not set');
    }
    const incomingHMAC = request.headers['x-shopify-hmac-sha256'];
    // request.rawBody is not a standard Express field: the raw bytes have to be captured before
    // JSON parsing (e.g. in the body parser's verify callback), because the HMAC covers the exact payload sent.
    //@ts-ignore
    const digest = crypto.createHmac('SHA256', clientSecret).update(request.rawBody).digest('base64');
    // Compare in constant time rather than with !==, so the check does not leak how many leading bytes matched.
    const expected = Buffer.from(digest);
    const received = Buffer.from(typeof incomingHMAC === 'string' ? incomingHMAC : '');
    if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
        response.status(401).send();
    } else {
        next();
    }
}

ferdware
Shopify Partner

Update 8/13/2023

Documentation still says to use the client secret. However, the only thing that worked for me was the hash string at the bottom of the create webhook section. Once I plugged that string in for the "Client Secret", everything validated.