This repository was archived by the owner on Apr 11, 2024. It is now read-only.

webhook.process validation fails in custom apps #772

Closed
SuperKXT opened this issue Mar 13, 2023 · 4 comments · Fixed by #822 or #830

Comments

@SuperKXT

Issue summary

The HMAC sent in the HTTP webhook header validates against the passed apiSecretKey. In a custom app, the documentation indicates using the shared secret instead.
This is the relevant line.

if (await validateOkWebhook(config.apiSecretKey, rawBody, hmac)) {

  • @shopify/shopify-api version: 6.2.0
  • Node version: 19.7.0
  • Operating system: Pop!_OS 22.04 LTS x86_64

Expected behavior

webhook.process should validate the HMAC correctly

Actual behavior

webhook validation fails.
I'm side-stepping the issue by manually setting apiSecretKey to the sharedSecret just before validation. This works but feels like an unnecessary hack.

// Workaround: the library validates against config.apiSecretKey, so swap the
// webhook shared secret in right before processing...
SHOPIFY.config.apiSecretKey = CONFIG.shopify.sharedSecret;
await SHOPIFY.webhooks
	.process({
		rawBody: request.body,
		rawRequest: request,
		rawResponse: response,
	})
	.catch((error) => {
		LOGGER.error(`Error in webhook handler: ${getErrorMessage(error)}`);
	})
	.finally(() => {
		// ...and restore the access token so Admin API calls keep working.
		SHOPIFY.config.apiSecretKey = CONFIG.shopify.accessToken;
	});
@mkevinosullivan
Contributor

For a store-specific custom app (which I think you're referring to here), the apiSecretKey should be set to the API Admin Access Token ... is this what you're referring to as the shared secret?

https://github.com/Shopify/shopify-api-js/blob/main/docs/guides/custom-store-app.md

@SuperKXT
Author

I have used the accessToken as the apiSecretKey. The issue is with webhook validation, where you're supposed to use the shared secret for webhooks registered from the application.
https://community.shopify.com/c/shopify-apis-and-sdks/webhooks-difference-between-shared-secret-and-signature-string/td-p/1243740

@lynndylanhurley

We're having the same issue.

@SuperKXT thank you for sharing your hack. I can confirm that when using the hack, everything works as expected.

@aidantjones

Same issue here. I initially tried passing a custom config object to the process method, but the code is set to use the config object attached to the shopify library object. I didn't think to reset the values there. So, yes, @SuperKXT's solution worked great. Thank you!

I spent half a day getting to this point, though. This issue seems like a major oversight. This is my first time using this library, so forgive me if I'm missing something. But I'm not sure how webhooks were validated with private apps in the past few years within this library since it's currently impossible to input the shared secret into the process method.

mkevinosullivan added a commit that referenced this issue Apr 13, 2023
Add `adminApiAccessToken` parameter to `config` for when
`isCustomStoreApp` is `true`.  This is then used for authenticating API
requests, instead of using `apiSecretKey` which was previously set to
the Admin API access token for custom store apps.

`apiSecretKey` must now be set to the custom store app's API secret key,
which is used to validate the HMAC of webhook events received from
Shopify for a custom store app.

Fixes #772, #800
mkevinosullivan added a commit that referenced this issue Apr 14, 2023
Add `adminApiAccessToken` parameter to `config` for when
`isCustomStoreApp` is `true`.  This is then used for authenticating API
requests, instead of using `apiSecretKey` which was previously set to
the Admin API access token for custom store apps.

`apiSecretKey` must now be set to the custom store app's API secret key,
which is used to validate the HMAC of webhook events received from
Shopify for a custom store app.

Fixes #772, #800