Hello,
I'm trying to verify a webhook in my rails app according to the docs here: https://help.shopify.com/en/api/getting-started/webhooks
The code given in the docs does not seem to produce the same result as the HMAC header sent with the webhook. Are the docs outdated? What am I doing wrong here?
require 'base64'
require 'openssl'

# Read the raw, unparsed body: Shopify computes the HMAC over these exact bytes.
request.body.rewind
@data = request.body.read
# The signature Shopify sends with each delivery (header name as used in the Node snippet below).
hmac_header = request.headers['X-Shopify-Hmac-SHA256'].to_s
calculated_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', Rails.application.secrets.shared_secret, @data))
# Constant-time comparison so the check does not leak the expected digest through timing.
compare = ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)
Figured it out. Do NOT use your app's shared secret like the docs tell you to.
Use the signature string at the bottom of your webhooks creation interface.
I implemented it with nodejs and it was working with the client secret.
Here is the code snippet.
import crypto from 'crypto';
import { Request, Response, NextFunction } from 'express';

// Secret read once at startup (see the thread above for which value actually worked).
const clientSecret = process.env.SHOPIFY_API_SECRET;

export function verifyWebhook (request: Request, response: Response, next: NextFunction): void {
  if (!clientSecret) {
    throw new Error('SHOPIFY_API_SECRET environment variable not set');
  }
  const incomingHMAC = request.headers['x-shopify-hmac-sha256'] as string | undefined;
  // rawBody must be the unparsed body captured by the body-parser `verify` hook;
  // a re-serialized JSON object will not reproduce Shopify's digest.
  //@ts-ignore
  const digest = crypto.createHmac('SHA256', clientSecret).update(request.rawBody).digest('base64');
  // Constant-time comparison; length is checked first because timingSafeEqual throws on unequal lengths.
  const valid = typeof incomingHMAC === 'string'
    && incomingHMAC.length === digest.length
    && crypto.timingSafeEqual(Buffer.from(incomingHMAC), Buffer.from(digest));
  if (!valid) {
    response.status(401).send();
  } else {
    next();
  }
}
Update 8/13/2023
Documentation still says to use the client secret. However, the only thing that worked for me was the hash string at the bottom of the create webhook section. Once I plugged that string in for the "Client Secret", everything validated.
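A self-contained Ruby version of the check discussed in this thread, added here as an illustration rather than code from any of the posters or from Shopify. It computes the header value the same way Shopify does (base64 of HMAC-SHA256 over the raw body), compares it in constant time without depending on Rails, and reproduces the two ways the check fails in practice: signing with the wrong secret (the symptom reported above) and signing a re-serialized body instead of the raw bytes. The secret and payload are constructed sample values.

```ruby
require 'base64'
require 'openssl'
require 'json'

# Header value Shopify sends: base64(HMAC-SHA256(secret, raw_body)).
def shopify_hmac(secret, raw_body)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', secret, raw_body))
end

# Constant-time string comparison: no early exit on the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# True only if the header is present and matches the digest of the raw body.
def verify_shopify_webhook(secret, raw_body, hmac_header)
  return false if hmac_header.nil? || hmac_header.empty?
  secure_compare(shopify_hmac(secret, raw_body), hmac_header)
end

# Constructed sample values, not real Shopify credentials or a real delivery.
SECRET = 'example-webhook-signing-secret'
RAW_BODY = '{"id":1234567890,"email":"buyer@example.com","total_price":"19.99"}'
HEADER = shopify_hmac(SECRET, RAW_BODY)

# Failure mode 1: the secret configured in the app is not the one Shopify signed with.
def mismatch_wrong_secret
  verify_shopify_webhook('some-other-secret', RAW_BODY, HEADER)
end

# Failure mode 2: the body was parsed and re-serialized before hashing, so the bytes differ.
def mismatch_reserialized_body
  reserialized = JSON.pretty_generate(JSON.parse(RAW_BODY))
  verify_shopify_webhook(SECRET, reserialized, HEADER)
end

if __FILE__ == $PROGRAM_NAME
  puts "raw body, right secret: #{verify_shopify_webhook(SECRET, RAW_BODY, HEADER)}"
  puts "raw body, wrong secret: #{mismatch_wrong_secret}"
  puts "re-serialized body:     #{mismatch_reserialized_body}"
end
```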