Created
October 10, 2015 17:37
-
-
Save joshbeckman/5c4f0244914adfd312e4 to your computer and use it in GitHub Desktop.
An example Node.js server that can verify a Shopify webhook's integrity. Run with `node index.js`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const PORT = 3000; | |
| const SECRET = 'APP_SHARED_SECRET'; | |
| var http = require('http'), | |
| crypto = require('crypto'), | |
| server; | |
| function verifyShopifyHook(req) { | |
| var digest = crypto.createHmac('SHA256', SECRET) | |
| .update(new Buffer(req.body, 'utf8')) | |
| .digest('base64'); | |
| return digest === req.headers['X-Shopify-Hmac-Sha256']; | |
| } | |
| function parseRequestBody(req, res) { | |
| req.body = ''; | |
| req.on('data', function(chunk) { | |
| req.body += chunk.toString('utf8'); | |
| }); | |
| req.on('end', function() { | |
| handleRequest(req, res); | |
| }); | |
| } | |
| function handleRequest(req, res) { | |
| if (verifyShopifyHook(req)) { | |
| res.writeHead(200); | |
| res.end('Verified webhook'); | |
| } else { | |
| res.writeHead(401); | |
| res.end('Unverified webhook'); | |
| } | |
| } | |
| server = http.createServer(parseRequestBody); | |
| server.listen(PORT, function(){ | |
| console.log("Server listening on: http://localhost:%s", PORT); | |
| }); |
+1 for @tiendq's solution
Somehow, using body-parser.json() blocked the processing of the request.
this.express = express()
.use(rawBodyGetter)
.use(bodyParser.text())
// .use(bodyParser.json())
.use(bodyParser.urlencoded({ extended: true }))const checkWebHookIntegrity = async (req: any, res: any, next: any) => {
let raw;
try {
raw = await rawBody(req);
const digest = crypto.createHmac('sha256', CONFIG.SHOPIFY_WEBHOOK_SECRET)
.update(raw)
.digest('base64');
if (digest === req.headers['x-shopify-hmac-sha256']) {
req.body = JSON.parse(raw.toString('utf-8'));
next();
} else {
console.log('Error with request', os.EOL, req.body);
return res.status(401).send();
}
} catch(e) {
console.log(e);
return res.status(500).send();
}
};
@Kushan- Thanks you!
I tried this. But not working. Am I doing anything wrong?
let jsonString = JSON.stringify(req.body);
const generated_hash = crypto
.createHmac('sha256', secret)
.update(jsonString,'utf8','hex')
.digest('base64');
It's been a long time i worked with shopify api, perhaps, uppercase secret might help, what error you are getting?
thank you for your reply. tried the uppercase approach. did not work.
got this error
0|wmbi | HASH COMPARE FAILED - Unable to verify request HMAC
0|wmbi | POST /webhook/ads-hkg - - ms - -
0|wmbi | { sp_hmac: 'aAwa1U3uPwRl4fJVLmxuLkaKMiyZRnCwlHMl3q8iDxI=',
0|wmbi | sp_topic: 'orders/create',
0|wmbi | sp_shopDomain: 'ads-api-testing.myshopify.com' }
0|wmbi | HASH COMPARE FAILED - Unable to verify request HMAC
0|wmbi | generated_hash: iiKQ9W/kInYASnwL+j2oG2cjbHBFj9CqrMlyd76yaew=
0|wmbi | sp_hmac: aAwa1U3uPwRl4fJVLmxuLkaKMiyZRnCwlHMl3q8iDxI=
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@Kushan-'s solution works perfectly, while Shopify's own express middleware did not.. but they may be modifying the request somewhere... not sure, but this works.