Webhook verification process and use bcrypt in addition to sha256

Solved


mmdeveloper
Tourist

Hi Support,

 

We have created a PHP-based webhook as per Shopify guidelines to check the order signature. Here is the code:

 

```php
// Verify a Shopify order webhook
define('SHOPIFY_APP_SECRET', 'OUR_SECRET_CODE_HERE');

function verify_webhook($data, $hmac_header)
{
  // Recompute the HMAC-SHA256 of the raw body with the app secret
  $calculated_hmac = base64_encode(hash_hmac('sha256', $data, SHOPIFY_APP_SECRET, true));
  // Constant-time comparison; the known value goes first, the received value second
  return hash_equals($calculated_hmac, $hmac_header);
}

// A missing header becomes an empty string so hash_equals() is never passed null
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);
```

Our risk assessment team reviewed the code and told us that 'sha256' encryption is weak and deprecated, suggested using 'bcrypt' in addition to HMAC, and provided the following URL:
 
As we are receiving the signature from Shopify through the webhook, is there any possibility of applying 'bcrypt' in addition to 'sha256'? Please let us know your thoughts and provide guidance on this.

Accepted Solution (1)

Shayne
Shopify Staff (Retired)

This is an accepted solution.

For storing passwords, bcrypt is a good option. This is what the linked Stack Exchange article recommends. SHA-256 isn't deprecated, and for HMAC based on a secret key, the encryption isn't considered weak.

HMAC and password storage are different problems. bcrypt is designed to be purposefully slow to prevent brute-force attacks, which is a poor choice for something like webhooks, when you may be processing thousands (or tens of thousands) a second.

Shayne | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
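
The distinction drawn in the answer above, as an added example (not code from the original post or from Shopify): HMAC-SHA256 lets the receiver recompute and compare the sender's signature, while bcrypt cannot serve that purpose. The secret, payloads and helper names are constructed for illustration; the 72-byte truncation check goes beyond what the thread states and relies on PHP's documented bcrypt behaviour.

```php
<?php
// Added example: constructed secret and payloads, hypothetical helper names.
const DEMO_SECRET = 'constructed-demo-secret';

// What the sender does: HMAC-SHA256 over the raw body, base64-encoded.
function sign_body(string $rawBody, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
}

// What the receiver does: recompute the same value and compare in constant time.
function verify_body(string $rawBody, string $header, string $secret): bool
{
    return hash_equals(sign_body($rawBody, $secret), $header);
}

$body   = '{"id":1001,"total_price":"19.99"}';
$header = sign_body($body, DEMO_SECRET);
$edited = str_replace('19.99', '0.01', $body);

echo "HMAC, original body: ", var_export(verify_body($body, $header, DEMO_SECRET), true), "\n";
echo "HMAC, modified body: ", var_export(verify_body($edited, $header, DEMO_SECRET), true), "\n";
echo "HMAC, wrong secret:  ", var_export(verify_body($body, $header, 'other-secret'), true), "\n";

// bcrypt is salted per call, so the receiver cannot recompute a value to compare with a header.
$h1 = password_hash($body, PASSWORD_BCRYPT, ['cost' => 10]);
$h2 = password_hash($body, PASSWORD_BCRYPT, ['cost' => 10]);
echo "bcrypt, same input hashed twice gives equal output: ", var_export($h1 === $h2, true), "\n";

// bcrypt only reads the first 72 bytes, so changes after that point go unnoticed.
$long     = str_repeat('A', 72) . '"total_price":"19.99"';
$longEdit = str_repeat('A', 72) . '"total_price":"0.01"';
$longHash = password_hash($long, PASSWORD_BCRYPT, ['cost' => 10]);
echo "bcrypt, body edited after byte 72 still verifies: ",
    var_export(password_verify($longEdit, $longHash), true), "\n";

// Cost: bcrypt is deliberately slow, HMAC is not.
$t = hrtime(true);
for ($i = 0; $i < 1000; $i++) { sign_body($body, DEMO_SECRET); }
$hmacMs = (hrtime(true) - $t) / 1e6;
$t = hrtime(true);
password_hash($body, PASSWORD_BCRYPT, ['cost' => 10]);
$bcryptMs = (hrtime(true) - $t) / 1e6;
printf("1000 HMAC-SHA256: %.2f ms, 1 bcrypt (cost 10): %.2f ms\n", $hmacMs, $bcryptMs);
```

Run it with the PHP CLI (7.3 or later for `hrtime()`); the timing line varies by machine.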
