
Could not validate webhook HMAC. #64

Closed
katielgc opened this issue Nov 29, 2021 · 4 comments

Comments

@katielgc

katielgc commented Nov 29, 2021

Issue summary

Could not validate webhook HMAC.

This is via a web hook for when an order is created.

It looks like the HMAC is not being validated via the shopify-api package.

Expected behavior

I should see a process log in my error log when sending a test webhook from the Shopify admin.

Actual behavior

I am getting an error which suggests the validateProcessHmac function is not happy with the HMAC but I cannot see any docs on how to fix this.


I have not done anything with this from the admin -- could not see docs on this and please forgive me this is my first app install for Shopify.


Steps to reproduce the problem

  1. Install a fresh app
  2. Add the webhook within Settings > Notifications, like so: https://example.co.uk/webhooks on the order creation event.
  3. Click Send test notification
  4. View logs and see output
@paulomarg
Collaborator

Hi @katielgc, unfortunately, that feature for manually dispatching a webhook call won't work with apps. Because it's a store feature, it will create an HMAC signature using that key you mentioned, rather than the app's secret key (which is what the app would expect).

In order to be able to test your app webhook for order creation, you'd need to create an order in your development store, and Shopify will automatically fire the webhook to your app.

Since this is not a bug in the library code, I'm closing the issue, but please feel free to open a new issue if you have any further problems.

@katielgc
Author

Thanks @paulomarg for your quick response I see what you mean and appreciate you letting me know 🥇

@amitavroy

Hi @paulomarg I couldn't understand the reason why the key used during the test notification will be different.

However, what I understood from your response is that ideally if the order was created from the development store, it should have validated. And, based on this understanding, I did create a few orders through the Bogus payment gateway. However, even then the validation is failing.

However, when I looked at the sample codes on shopify dev docs: https://shopify.dev/apps/webhooks/configuration/https#step-5-verify-the-webhook

In the PHP code, verify_webhook function uses "hash_equals" function rather than the !== on line 282
https://github.com/Shopify/shopify-api-php/blob/main/src/Webhooks/Registry.php#L282

So, I am a bit confused where I am getting this wrong. A little bit of help in this would be very helpful.
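An added example (not the library's code and not any commenter's) that puts the two replies above into running code, written in Python rather than PHP with `hmac.compare_digest` standing in for `hash_equals`: the same delivery validates when it was signed with the app's API secret and fails when it was signed with the store's notification key. Header name and base64 HMAC-SHA256 encoding follow the Shopify docs linked above; the secrets and the order body are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Header carried by every Shopify webhook delivery (per the linked docs).
HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def compute_webhook_hmac(secret: str, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the *raw* request body under `secret`.

    Hash the bytes exactly as received; re-serialising parsed JSON first
    changes whitespace/key order and silently breaks validation.
    """
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: str, raw_body: bytes, headers: dict) -> bool:
    """True only if the header matches the HMAC computed with our app secret.

    hmac.compare_digest is the Python counterpart of PHP's hash_equals: its
    running time does not depend on where the two strings first differ,
    unlike a plain `!==` / `!=` comparison.
    """
    received = headers.get(HMAC_HEADER)
    if not received:
        return False
    expected = compute_webhook_hmac(secret, raw_body)
    return hmac.compare_digest(expected, received)


# --- constructed sample values (placeholders, not real Shopify secrets) ---
APP_SECRET = "shpss_example_app_secret_value"              # the app's API secret key
STORE_NOTIFICATION_KEY = "store_notification_signing_key"  # key shown on the store's Notifications page
BODY = b'{"id":1001,"email":"buyer@example.com","total_price":"19.99"}'


def delivery_from_app_subscription() -> dict:
    """Webhook the app registered itself: Shopify signs with the app secret."""
    return {HMAC_HEADER: compute_webhook_hmac(APP_SECRET, BODY)}


def delivery_from_admin_test_button() -> dict:
    """Admin 'Send test notification': signed with the store's notification key."""
    return {HMAC_HEADER: compute_webhook_hmac(STORE_NOTIFICATION_KEY, BODY)}


if __name__ == "__main__":
    print("app-registered webhook validates:", verify_webhook(APP_SECRET, BODY, delivery_from_app_subscription()))
    print("admin test notification validates:", verify_webhook(APP_SECRET, BODY, delivery_from_admin_test_button()))
```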

@thaild

thaild commented Nov 16, 2022

> Hi @paulomarg I couldn't understand the reason why the key used during the test notification will be different.
>
> However, what I understood from your response is that ideally if the order was created from the development store, it should have validated. And, based on this understanding, I did create a few orders through the Bogus payment gateway. However, even then the validation is failing.
>
> However, when I looked at the sample codes on shopify dev docs: https://shopify.dev/apps/webhooks/configuration/https#step-5-verify-the-webhook
>
> In the PHP code, verify_webhook function uses "hash_equals" function rather than the !== on line 282 https://github.com/Shopify/shopify-api-php/blob/main/src/Webhooks/Registry.php#L282
>
> So, I am a bit confused where I am getting this wrong. A little bit of help in this would be very helpful.

You can find in the .myshopify.com/admin/settings/notifications page, under the Webhooks section, a note that says "All your webhooks will be signed with <key> so you can verify their identity."

You can use that key as API_SECRET_KEY to validate the HMAC.
