In Shopify, webhooks can be created for certain events that take place in the admin such as updating a product and they provide a note that says:
Your webhooks will be signed with
6574fb9832abafa73b29d30f6f200264b063669592b993b23369a2793a3db8e6
According to the Shopify docs for validating a webhook, it gives the following example:
app.post('/webhooks', express.text({type: '*/*'}), async (req, res) => {
const {valid, topic, domain} = await shopify.webhooks.validate({
rawBody: req.body, // is a string
rawRequest: req,
rawResponse: res,
});
if (!valid) {
// This is not a valid request!
res.send(400); // Bad Request
}
// Run my webhook-processing code here
});
If we don’t want to use Shopify’s library for this, and instead use a Netlify serverless function, node:crypto can be imported, and the request contains an x-shopify-hmac-sha256 header which has the following format.
'x-shopify-hmac-sha256': 'rgru9agBDpdwRFeKtp0+ez3PXj9yL7J0YMfsn8f0bBs='
import crypto from 'node:crypto'
export default async (req) => {
const secret = '6574fb9832abafa73b29d30f6f200264b063669592b993b23369a2793a3db8e6'
const shopifyHmac = req.headers.get('x-shopify-hmac-sha256')
}
How can we validate the webhook given the x-shopify-hmac-sha256 and secret?