Hi everyone,
I’m implementing webhooks in my Shopify app (installed at https://laravel.***.io/). I’ve managed to get webhooks working manually (e.g., through Postman) and they’re triggering correctly. However, during automated checks (like Shopify’s app review process), the “Implement an HMAC signature to verify webhooks” check is failing.
Here’s what I’ve done:
My app URL is: https://laravel.***.io/
My Allowed redirection URL(s): https://laravel.***.io/shopifyGenerateToken
I’ve implemented HMAC verification using PHP and I’m comparing the received HMAC header with a calculated one.
My code:
<?php
define('CLIENT_SECRET', 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');

// Compute the base64-encoded HMAC-SHA256 of the raw request body and compare it
// with the value Shopify sent in the X-Shopify-Hmac-Sha256 header.
function verify_webhook($data, $hmac_header) {
    $calculated_hmac = base64_encode(hash_hmac('sha256', $data, CLIENT_SECRET, true));
    // hash_equals is a constant-time comparison; strcmp would leak timing and
    // should not be used for signature checks.
    return hash_equals($calculated_hmac, $hmac_header);
}

// Default to an empty string so a request without the header is rejected
// instead of passing null into hash_equals.
$hmac_header = $_SERVER['HTTP_X_SHOPIFY_HMAC_SHA256'] ?? '';
// The raw body must be used as-is; parsing and re-encoding it changes the digest.
$data = file_get_contents('php://input');
$verified = verify_webhook($data, $hmac_header);

if ($verified) {
    // Process the webhook
    http_response_code(200);
} else {
    http_response_code(401);
}
?>

The Issue:
While manual testing works, automated checks are failing. This leads me to believe there might be a discrepancy in the way I’m handling HMAC verification, potentially related to case sensitivity or input consistency.
Questions:
Is there a known issue with HMAC verification during automated checks?
Could the case sensitivity of the HMAC signature be a factor?
Are there any best practices for handling webhook verification within automated environments?
I’d appreciate any guidance or insights on how to resolve this issue. Thanks!
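An added, self-contained PHP example (not the poster's code) that exercises a verifier of the same shape against the inputs an automated check is likely to send: a correctly signed body, a tampered body, a signature made with another secret, a missing header, and a body that was re-serialized before hashing. The secret and the sample body are constructed values, and the helper names (sign_body, response_code_for) are assumptions for the demonstration; only the header name and the base64(HMAC-SHA256) scheme come from the post.

```php
<?php
// Added example: offline check of a Shopify-style webhook HMAC verifier.
// Run with `php verify_example.php`. Secret and body below are constructed.
declare(strict_types=1);

const CLIENT_SECRET = 'constructed-secret-do-not-use'; // constructed placeholder

/**
 * Returns true only when $hmac_header is the base64 HMAC-SHA256 of the exact
 * raw body bytes under $secret. The raw body is used unmodified; any
 * re-serialization (key order, whitespace) produces a different digest.
 */
function verify_webhook(string $raw_body, ?string $hmac_header, string $secret): bool
{
    if ($hmac_header === null || $hmac_header === '') {
        return false; // missing header: reject before hash_equals sees a null
    }
    $calculated = base64_encode(hash_hmac('sha256', $raw_body, $secret, true));
    // Constant-time comparison. Base64 is case-sensitive, so the value is
    // compared byte-for-byte with no case normalisation.
    return hash_equals($calculated, $hmac_header);
}

/** Builds the header value a sender would attach (used only to construct inputs). */
function sign_body(string $raw_body, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $raw_body, $secret, true));
}

/** Maps the verifier result to the HTTP status the endpoint should return. */
function response_code_for(string $raw_body, ?string $hmac_header, string $secret): int
{
    return verify_webhook($raw_body, $hmac_header, $secret) ? 200 : 401;
}

// Constructed sample body, kept as the exact byte string a sender would POST.
$body = '{"id":1001,"email":"buyer@example.com","total_price":"12.34"}';

$cases = [
    'valid signature'    => [$body, sign_body($body, CLIENT_SECRET)],
    'tampered body'      => [str_replace('12.34', '0.01', $body), sign_body($body, CLIENT_SECRET)],
    'wrong secret'       => [$body, sign_body($body, 'other-secret')],
    'missing header'     => [$body, null],
    // Same JSON, re-encoded with different whitespace: bytes differ, so the digest differs.
    're-serialized body' => [json_encode(json_decode($body), JSON_PRETTY_PRINT), sign_body($body, CLIENT_SECRET)],
];

foreach ($cases as $name => [$raw, $header]) {
    printf("%-20s -> HTTP %d\n", $name, response_code_for($raw, $header, CLIENT_SECRET));
}
```

Only the first case is accepted; the other four are rejected with 401. Running a table like this locally separates the two questions in the post: whether the verifier itself computes the right digest over the raw body, and whether the endpoint returns a non-200 status for unsigned or badly signed requests, which is what an automated check can observe.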
