gnikyt / laravel-shopify

A full-featured Laravel package for aiding in Shopify App development
MIT License

Invalid webhook signature #552

Closed lexmagnus closed 4 years ago

lexmagnus commented 4 years ago

For bug reporting only! If you're posting a feature request or discussion, please ignore.

Expected Behavior

return $next($request);

Current Behavior

return Response::make('Invalid webhook signature.', 401);

Failure Information

I need more information about the "Invalid webhook signature" error. I have already tried everything, but when I test webhooks configured using the Shopify admin (https://shopify.dev/tutorials/manage-webhooks#verify-webhook) I get this error/exception. I put everything right.

- x-shopify-hmac-sha256 is not empty (see logs)
- $data is not empty
- $this->getConfig('api_secret') is not empty and contains the valid API secret (equal to the one in the app config on the Shopify Partners page)
- $shop is not empty

Can someone help me?

This is the handle function:

```php
public function handle(Request $request, Closure $next)
{
    // Signature and shop domain sent by Shopify with the webhook
    $hmac = $request->header('x-shopify-hmac-sha256') ?: '';
    $shop = $request->header('x-shopify-shop-domain');

    // Raw request body, exactly as received
    $data = $request->getContent();

    // Base64-encoded HMAC of the raw body, keyed with the configured API secret
    $hmacLocal = createHmac(['data' => $data, 'raw' => true, 'encode' => true], $this->getConfig('api_secret'));

    // Debug logging (note: this writes the API secret to the log)
    Log::info("Iniciando Verificação...");
    Log::info("hmac recebido : ".$hmac);
    Log::info("hmac Local: ".$hmacLocal);
    Log::info("api_secret: ".$this->getConfig('api_secret'));
    Log::info("Loja: ".$shop);
    Log::info("Autenticado: ".(hash_equals($hmac, $hmacLocal) ? "TRUE" : "FALSE"));

    if (!hash_equals($hmac, $hmacLocal) || empty($shop)) {
        // Issue with HMAC or missing shop header
        return Response::make('Invalid webhook signature.', 401);
    }

    // All good, process webhook
    return $next($request);
}
```

Context

Failure Logs

```
[2020-08-15 11:19:50] alpha.INFO: Iniciando Verificação...
[2020-08-15 11:19:50] alpha.INFO: hmac recebido : oCDxL1YgqUaPmWF2DdVCIAEp7JjAdeVgoy9KdWkOO7I=
[2020-08-15 11:19:50] alpha.INFO: hmac Local: DaoGVgKJn+iCNOlPc+3OCf6VdFBeL1p4A3Jl4PkiyBM=
[2020-08-15 11:19:50] alpha.INFO: api_secret: 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
[2020-08-15 11:19:50] alpha.INFO: Loja: some-shop.myshopify.com
[2020-08-15 11:19:50] alpha.INFO: Autenticado: FALSE
```

gnikyt commented 4 years ago

The admin settings screen uses its own secret; the package is expecting to use the app's secret. It is not designed to work with admin webhooks from the admin panel.
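
The mismatch described in the reply above, as an added example (not code from the package or from either commenter): the same raw body is checked against several candidate secrets, and the result names which one produced the header value without writing any secret to the output. The function names `webhookHmac` and `matchWebhookSecret`, both secrets and the payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Base64-encoded HMAC-SHA256 of the raw body, the form carried in X-Shopify-Hmac-Sha256. */
function webhookHmac(string $rawBody, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
}

/**
 * Return the label of the first candidate secret whose HMAC matches the
 * header value, or null when none match. Only labels are returned, so the
 * caller can log the outcome without logging a secret.
 *
 * @param array<string,string> $candidates label => secret
 */
function matchWebhookSecret(string $rawBody, string $headerHmac, array $candidates): ?string
{
    if ($headerHmac === '') {
        return null; // a missing header never verifies
    }
    foreach ($candidates as $label => $secret) {
        // hash_equals() compares in constant time: known value first, supplied value second
        if (hash_equals(webhookHmac($rawBody, $secret), $headerHmac)) {
            return $label;
        }
    }
    return null;
}

// Constructed sample values (not real credentials or real webhook data)
$appSecret   = 'example-app-secret';
$adminSecret = 'example-admin-panel-secret';
$rawBody     = '{"id":1001,"email":"buyer@example.com"}';

// Simulate a delivery signed with the admin-panel secret, as in the report above
$headerHmac = webhookHmac($rawBody, $adminSecret);

// Checking against the app secret only, as the middleware does
$appOnly = matchWebhookSecret($rawBody, $headerHmac, ['app' => $appSecret]);
echo 'app secret only: ', $appOnly ?? 'no match (request would get 401)', PHP_EOL;

// Diagnostic run with both candidates shows which secret signed the delivery
$both = matchWebhookSecret($rawBody, $headerHmac, ['app' => $appSecret, 'admin' => $adminSecret]);
echo 'both candidates: ', $both ?? 'no match', PHP_EOL;
```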