Could not validate webhook HMAC. #64
Comments
Hi @katielgc, unfortunately, that feature for manually dispatching a webhook call won't work with apps. Because it's a store feature, it will create an HMAC signature using that key you mentioned, rather than the app's secret key (which is what the app would expect). In order to be able to test your app webhook for order creation, you'd need to create an order in your development store, and Shopify will automatically fire the webhook to your app. Since this is not a bug in the library code, I'm closing the issue, but please feel free to open a new issue if you have any further problems.
Thanks @paulomarg for your quick response. I see what you mean and appreciate you letting me know 🥇
Hi @paulomarg, I couldn't understand the reason why the key used during the test notification will be different. However, what I understood from your response is that ideally, if the order was created from the development store, it should have validated. Based on this understanding, I did create a few orders through the Bogus payment gateway. However, even then the validation is failing. Also, when I looked at the sample code in the Shopify dev docs (https://shopify.dev/apps/webhooks/configuration/https#step-5-verify-the-webhook), in the PHP code the verify_webhook function uses the "hash_equals" function rather than the !== on line 282. So, I am a bit confused about where I am getting this wrong. A little bit of help with this would be very welcome.
You can find in the .myshopify.com/admin/settings/notifications page, under the Webhooks section, a line that says "All your webhooks will be signed with <key> so you can verify their identity." You can use the key as API_SECRET_KEY to validate the HMAC.
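The key mismatch described in the replies above, as an added example that is not part of the original thread or of the shopify-api package: the same body signed with two different keys, checked with `hash_equals`, plus a small helper that reports which key produced a signature. The keys, the payload and the helper names are constructed for illustration; the signature format assumed is the base64-encoded HMAC-SHA256 of the raw request body that Shopify sends in the `X-Shopify-Hmac-Sha256` header.

```php
<?php
// Added illustration; not code from the shopify-api package.
// All keys and the payload below are constructed sample values.

/** Base64 of the raw HMAC-SHA256 digest over the exact request body bytes. */
function compute_webhook_hmac(string $rawBody, string $key): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $key, true));
}

/** Constant-time check of the received header value against one key. */
function verify_webhook(string $rawBody, string $hmacHeader, string $key): bool
{
    if ($hmacHeader === '' || $key === '') {
        return false; // a missing header or an unset key must never validate
    }
    return hash_equals(compute_webhook_hmac($rawBody, $key), $hmacHeader);
}

/** Hypothetical debugging helper: label of the candidate key that signed the body, or null. */
function identify_signing_key(string $rawBody, string $hmacHeader, array $candidates): ?string
{
    $match = null;
    foreach ($candidates as $label => $key) {
        // Every candidate is checked; only the first matching label is kept.
        if (verify_webhook($rawBody, $hmacHeader, $key) && $match === null) {
            $match = (string) $label;
        }
    }
    return $match;
}

$appSecret  = 'constructed-app-secret';
$storeKey   = 'constructed-store-key';
$candidates = ['app secret key' => $appSecret, 'store notification key' => $storeKey];
$rawBody    = '{"id":1001,"total_price":"19.99"}'; // constructed order payload

// One delivery for the app's own subscription, one test notification from the store admin.
$deliveries = [
    'app subscription'        => compute_webhook_hmac($rawBody, $appSecret),
    'admin test notification' => compute_webhook_hmac($rawBody, $storeKey),
];

foreach ($deliveries as $source => $header) {
    $validForApp = verify_webhook($rawBody, $header, $appSecret);
    $signer      = identify_signing_key($rawBody, $header, $candidates) ?? 'unknown key';
    printf("%s: valid for app = %s, signed with %s\n", $source, var_export($validForApp, true), $signer);
}
```

Run the helper only in a development environment, and pass it the body exactly as received, before any JSON decoding.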
Issue summary
Could not validate webhook HMAC.
This is via a webhook for when an order is created.
It looks like the HMAC is not being validated via the shopify-api package.
Expected behavior
I should see a process log in my error log when sending a test webhook from the Shopify admin.
![image](https://user-images.githubusercontent.com/32128119/143903515-ff109bf0-b852-4022-a4ab-556db21f5454.png)
Actual behavior
I am getting an error which suggests the validateProcessHmac function is not happy with the HMAC but I cannot see any docs on how to fix this.
I have not done anything with this from the admin. I could not see docs on this, and please forgive me, this is my first app install for Shopify.
Steps to reproduce the problem