Received incorrect secret key or hmac

Retired Boards Appdev Graphql Basics And Troubleshooting
1

I have an app in Node.js to provide custom shipping rates using Shopify CarrierService API. Below is my code to verify the request to check if it is coming from Shopify

...
const verifyWebhook = (payload, hmac, apiSecret) => {
  const message = JSON.stringify(payload);
  const genHash = crypto
    .createHmac('sha256', apiSecret || '')
    .update(message)
    .digest('base64');

  return genHash === hmac;
};

const router = express.Router();

router.post('/customshippingrates', async (req, res) => {
  const hmac = req.header('x-shopify-hmac-sha256');
  const storeUrl = req.header('x-shopify-shop-domain');
  const payload = req.body;

  const { store: storeRepo } = repositories;
  const stores = await storeRepo.find({
    where: { apiUrl: ILike(`https://${storeUrl}%`) },
  });

  let store;
  for (let i = 0; i < stores.length; i++) {
    let tmpStore = stores[i];
    if (tmpStore.apiSecret && verifyWebhook(payload, hmac, tmpStore.apiSecret)) {
      store = tmpStore;
      break;
    }
  }
...

The verification works for a dummy store I use for development.

But the same code failed the verification for our production store (not sure if it will make any difference, but I am using Advanced Shopify Plan here, unlike the dummy store, which is on the Free plan)

I get the secret keys from this page in both stores:

Screen Shot 2023-05-28 at 8.39.38 am.png
Screen Shot 2023-05-28 at 8.39.38 am.png3006×1584 377 KB

It is weird and confusing.

1 Like
2

Hi @ezdev you might like to reach out to our support team with the x-request-id for the failed response on the production store. Our support can check if the correct scopes are applied or if the logs show any detailed errors. Hope this helps.

3

hi @ShopifyDevSup , can you please confirm the right channel for the support team?

I can see there is “App” support, but this is our custom app that has not been published yet. Hence, I am unable to select an app on the next screen after clicking on “Apps”

Screen Shot 2023-06-03 at 11.39.48 am.png
Screen Shot 2023-06-03 at 11.39.48 am.png2180×1572 314 KB

4

Hey @ezdev ,

The best solution would be to contact our partner team directly from your Partner Dashboard under ‘Support’ while logged in. This will then give you the option to communicate via email or chat.

9f74f4a3-63bd-4f30-9b40-0fb4a34523a9.default.png
9f74f4a3-63bd-4f30-9b40-0fb4a34523a9.default.png1913×633 50.8 KB

Hope that helps!

1 Like
5

In re-testing it, x-request-id does not exist in the request header. Not sure if this is expected.

But anyway, I will contact Partner Support then. Thanks.