Issue
I have set up an endpoint to receive webhook requests from Shopify.
The requests from Shopify include an HMAC header that is created from a shared secret key and the body of the request.
I need to calculate the HMAC on my server and match it to the value in the request header to ensure that the request is authentic.
I can't seem to create the appropriate mechanism in .NET to create a matching HMAC value.
My algorithm at this point is as follows:
public static string CreateHash(string data)
{
string sharedSecretKey = "MY_KEY";
byte[] keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
byte[] dataBytes = Encoding.UTF8.GetBytes(data);
//use the SHA256Managed Class to compute the hash
System.Security.Cryptography.HMACSHA256 hmac = new HMACSHA256(keyBytes);
byte[] hmacBytes = hmac.ComputeHash(dataBytes);
//retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
return System.Convert.ToBase64String(hmacBytes);
}
The Shopify docs for verifying their webhooks can be found HERE but only PHP and Ruby samples are included.
Can anyone see what I might be doing wrong? Should I be just passing the entire JSON request body as a string into this method?
Solution
As you allude to in your question, you should be hashing the entire json request body in your method.
My .NET isn't too good, but Here's the part of the ruby example that shows you what to do:
post '/' do
. . .
data = request.body.read
verified = verify_webhook(data, env["HTTP_X_SHOPIFY_HMAC_SHA256"])
. . .
end
You can see that we're just grabbing the body of the request (as a string) and throwing it into the verify method verbatim. Give it a try and hopefully you'll have more luck.
Answered By - David Underwood Answer Checked By - Senaida (PHPFixing Volunteer)
Posts
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.