
Crypto - Shopify webhook validation

Hi all…
Looking for help translating the requirements for Shopify webhook validation with Vapor please.
I’ve built the API for receiving the webhook post - all good. I need to perform some crypto / hash operations on the content and compare with the header and the shared secret.

Here is the documentation for the webhook verification process that I am trying to code…

Webhooks created through the API by a Shopify App are verified by calculating a digital signature. Each webhook request includes a base64-encoded X-Shopify-Hmac-SHA256 header, which is generated using the app's shared secret along with the data sent in the request.

Webhooks created through the Shopify admin are verified using the secret displayed in the Webhooks section of the Notifications page.

To verify that the request came from Shopify, compute the HMAC digest according to the following algorithm and compare it to the value in the X-Shopify-Hmac-SHA256 header. If they match, then you can be sure that the webhook was sent from Shopify.

Is this something that I can handle with the Crypto module in Vapor?

Thanks very much

@0xtim Can you please help with this when you get a chance? Thank you - much appreciated! :]

Vapor’s Crypto library contains both SHA and HMAC functions that it looks like you need so you should be good to go!
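
The verification the quoted documentation describes, as an added example that is not part of the original thread or Vapor's own code. It assumes SwiftCrypto's `Crypto` module (the CryptoKit-compatible API); `isValidShopifyWebhook` is a hypothetical helper, and the sample secret and body are constructed values.

```swift
import Crypto      // assumption: SwiftCrypto's `Crypto` module (same API as Apple's CryptoKit)
import Foundation

/// Hypothetical helper: validates the X-Shopify-Hmac-SHA256 header against the request body.
/// `rawBody` must be the bytes exactly as received. Re-encoding a decoded model can change
/// whitespace or key order, which changes the digest.
func isValidShopifyWebhook(rawBody: Data, hmacHeader: String?, sharedSecret: String) -> Bool {
    // Reject a missing, non-base64 or wrong-length header before doing any HMAC work.
    guard let header = hmacHeader?.trimmingCharacters(in: .whitespaces),
          let receivedMAC = Data(base64Encoded: header),
          receivedMAC.count == SHA256.Digest.byteCount else {
        return false
    }
    let key = SymmetricKey(data: Data(sharedSecret.utf8))
    // Recomputes HMAC-SHA256 over the body and compares in constant time, so the
    // comparison does not reveal how many leading bytes of a forged value were correct.
    return HMAC<SHA256>.isValidAuthenticationCode(receivedMAC,
                                                  authenticating: rawBody,
                                                  using: key)
}

// Constructed sample values, not real Shopify data.
let secret = "example-shared-secret"
let body = Data(#"{"id":1001,"topic":"orders/create"}"#.utf8)
let tamperedBody = Data(#"{"id":1002,"topic":"orders/create"}"#.utf8)

// Header value as the sender would produce it: base64(HMAC-SHA256(secret, body)).
let mac = HMAC<SHA256>.authenticationCode(for: body,
                                          using: SymmetricKey(data: Data(secret.utf8)))
let goodHeader = Data(mac).base64EncodedString()

print("valid body:      ", isValidShopifyWebhook(rawBody: body,
                                                 hmacHeader: goodHeader,
                                                 sharedSecret: secret))
print("tampered body:   ", isValidShopifyWebhook(rawBody: tamperedBody,
                                                 hmacHeader: goodHeader,
                                                 sharedSecret: secret))
print("wrong secret:    ", isValidShopifyWebhook(rawBody: body,
                                                 hmacHeader: goodHeader,
                                                 sharedSecret: "other-secret"))
print("missing header:  ", isValidShopifyWebhook(rawBody: body,
                                                 hmacHeader: nil,
                                                 sharedSecret: secret))
print("malformed header:", isValidShopifyWebhook(rawBody: body,
                                                 hmacHeader: "not base64!",
                                                 sharedSecret: secret))
```

In a route handler, call the helper before decoding the JSON and return an error response without processing the payload when it returns `false`.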