Shopify / shopify-app-template-php


Got invalid webhook request for topic 'orders/create': Could not validate webhook HMAC #504

Closed RohanKambleDev closed 4 months ago

RohanKambleDev commented 4 months ago

Issue summary

I have created a Shopify Custom app through Partner's Dashboard and installed it on my development store.

I am using the App's Client Credentials from the Partner's Dashboard (refer to attached image).

In the custom app I want to develop a feature that fires a 3rd-party API call whenever an order is created on Shopify. For that I created a webhook here - https://admin.shopify.com/store/**your-store-name**/settings/notifications/webhooks - (refer to attached image).

Expected behaviour

This works well if I use SHOPIFY_WEBHOOK_SECRET on line number 42 of the below file https://github.com/Shopify/shopify-app-template-php/blob/main/web/app/Providers/AppServiceProvider.php, where SHOPIFY_WEBHOOK_SECRET=f4aa6d1997c24f65f20b05eaac7234eba1be5c82ef73f28e2f603f7f081df20b (please refer to attached image).

But if I use the above key then the actual app stops working - that means the other things the custom app does stop working as well, due to the below error:

[2024-05-24 16:27:03] development.ERROR: Signature verification failed {"exception":"[object] (Firebase\\JWT\\SignatureInvalidException(code: 0): Signature verification failed at /Users/RohanKamble/Sites/work/try/shopify-apps/veeva-vault/web/vendor/firebase/php-jwt/src/JWT.php:150)

This is because the app was created on the Partner's Dashboard, and so the client credentials needed for the App to function correctly should come from the Partner's Dashboard.

With this, can we say that there is a bug in validating the webhook HMAC in the repo, which can be fixed by making some changes in web/vendor/shopify/shopify-api/src/Webhooks/Registry.php (line number 286)? We could update the function validateProcessHmac with the correct key for the webhooks to validate.

Actual behaviour

Now for testing, we can trigger this webhook by clicking "Sent test" here (refer to attached image).

But we get the below error:

[2024-05-24 02:04:20] development.ERROR: Got invalid webhook request for topic 'orders/create': Could not validate webhook HMAC

Now, as per this issue - https://github.com/Shopify/shopify-app-template-php/issues/64 - I understand what @paulomarg mentioned in the comment here - https://github.com/Shopify/shopify-app-template-php/issues/64#issuecomment-982793615

So I tried creating an order via the actual process of purchasing the product from the storefront (refer to attached image).

But still, I get the same error:

[2024-05-24 15:54:23] development.ERROR: Got invalid webhook request for topic 'orders/create': Could not validate webhook HMAC

Steps to reproduce the problem

  1. Create a webhook on your store - https://admin.shopify.com/store/**your-store-name**/settings/notifications/webhooks
  2. Select the required Event "Order creation" and the correct URL - https://<your-custom-app-url>/api/webhooks (you can get it from your app's toml file)
  3. Select Webhook API version - 2024-04 (Latest)
  4. Click on the 3 horizontal dots and then click "Sent test" (refer to attached image)
  5. Check the logs in your terminal by going to your app directory and running this command: tail -f web/storage/logs/laravel.log
  6. You will see the error: development.ERROR: Got invalid webhook request for topic 'orders/create': Could not validate webhook HMAC
  7. You can also try to create an order by following a user journey on the storefront to buy a product; that webhook will get triggered and you will get the same error


floressandra commented 4 months ago

Hi team, we received a follow-up request for this issue, do we have any updates? Thank you!

lizkenyon commented 4 months ago

Hi there 👋

I see that you have pretty much figured out the issue: you are getting this error because the webhooks are signed with a different key than the app expects.

The app is expecting to receive webhooks whose subscriptions were created by the app, and signed with the app's key.

Instead of creating the webhook subscriptions in the Admin UI, you will want to create the webhook subscriptions programmatically with the App.

You can see an example of programmatically creating the webhook subscription in the provided app code here.
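As an added illustration (not the template's own code, which performs this check in PHP in Registry.php's validateProcessHmac), the Python script below reproduces Shopify's webhook HMAC scheme with constructed placeholder secrets and shows why a delivery from an Admin-UI-created subscription fails validation against the app's client secret while one from an app-registered subscription passes. The diagnose_signing_key helper and the simulate_shopify_delivery stand-in are assumptions of this example, not anything Shopify provides.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed placeholder secrets, not real Shopify credentials.
APP_CLIENT_SECRET = "partner-dashboard-client-secret-PLACEHOLDER"
ADMIN_UI_WEBHOOK_SECRET = "admin-notifications-page-secret-PLACEHOLDER"

def compute_webhook_hmac(raw_body: bytes, secret: str) -> str:
    """Shopify's scheme: base64(HMAC-SHA256(secret, exact raw request body))."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_webhook(raw_body: bytes, hmac_header: str, secret: str) -> bool:
    """Constant-time check of the X-Shopify-Hmac-Sha256 header against our own HMAC."""
    return hmac.compare_digest(compute_webhook_hmac(raw_body, secret), hmac_header)

def diagnose_signing_key(raw_body: bytes, hmac_header: str,
                         candidates: Dict[str, str]) -> Optional[str]:
    """Assumed diagnostic helper: report which labelled candidate secret reproduces
    the header, so a failed delivery tells you which key actually signed it."""
    for label, secret in candidates.items():
        if verify_webhook(raw_body, hmac_header, secret):
            return label
    return None

def simulate_shopify_delivery(payload: dict, secret: str) -> Tuple[bytes, str]:
    """Constructed stand-in for Shopify POSTing a webhook signed with `secret`."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return raw, compute_webhook_hmac(raw, secret)

if __name__ == "__main__":
    order = {"id": 1001, "topic": "orders/create"}
    keys = {"app_client_secret": APP_CLIENT_SECRET, "admin_ui_webhook_secret": ADMIN_UI_WEBHOOK_SECRET}
    # Subscription made in the Admin UI: Shopify signs with the notifications-page secret.
    body, header = simulate_shopify_delivery(order, ADMIN_UI_WEBHOOK_SECRET)
    print("app secret validates admin-UI webhook:", verify_webhook(body, header, APP_CLIENT_SECRET))
    print("that delivery was signed by:", diagnose_signing_key(body, header, keys))
    # Subscription registered by the app itself: signed with the app's client secret.
    body, header = simulate_shopify_delivery(order, APP_CLIENT_SECRET)
    print("app secret validates app-registered webhook:", verify_webhook(body, header, APP_CLIENT_SECRET))
    # Re-serialising the body (e.g. after decoding and re-encoding JSON) also breaks the check.
    print("re-encoded body validates:", verify_webhook(json.dumps(order).encode(), header, APP_CLIENT_SECRET))
```

The HMAC must be computed over the exact bytes Shopify sent, so verify before any middleware parses or re-encodes the request body.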

lizkenyon commented 3 months ago

Hey @RohanKambleDev

I would also like to point out that it is important to keep your secret keys secret. Revealing your secret keys could mean that someone else could send webhooks to your app as if they were Shopify.

Please review the following documentation.