How to veirfy Shopify webhook signature in node.js/express?

Question

Shopify provides examples in Ruby and PHP to accomplish this. In my node/express app I try:

var data = querystring.stringify(req.body);
var calculatedSha256 = crypto.createHmac("SHA256", APP_SECRET).update(new Buffer(data, 'utf8')).digest('base64');

and also

var data = req.body;
var calculatedSha256 = crypto.createHmac("SHA256", APP_SECRET).update(new Buffer(data, 'utf8')).digest('base64');

but none of them provides an identical string to the one Shopify sends as a signature.

score 6 · Answer 1 · answered Dec 17 '14 at 17:49

A bit old, but figured I'd post my solution:

var express      = require('express')
    , bodyParser = require('body-parser')
    , crypto     = require('crypto');

var app = express();

app.use(bodyParser.json({ verify: function(req, res, buf, encoding) {
  req.headers['x-generated-signature'] = crypto.createHmac('sha256', 'SHARED_SECRET')
   .update(buf)
   .digest('base64');
} }));

app.post('/webhook', function(req, res) {
  if (req.headers['x-generated-signature'] != req.headers['x-shopify-hmac-sha256']) {
    return res.status(401).send('Invalid Signature');
  }
});

score 3 · Accepted Answer · edited May 23 '17 at 12:09

3

Apparently the trick is to use the raw POST body, as described here: middleware for saving raw post data in the request object won't "next" and cause timeout

edited May 23 '17 at 12:09

Community

1
1

answered Mar 02 '14 at 12:20

shaharsol

991
2
10
31

How to veirfy Shopify webhook signature in node.js/express?

2 Answers2