Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

coldfusion calculating HMAC256 of a getHTTPRequestData

Tags:

java

coldfusion

shopify

hmac

I'm working with Shopify at the moment and using their webhook notifications so I can save stuff to our database.

Within their webhook headers, they provide a header of: X-Shopify-Hmac-Sha256

which is:

Each Webhook request includes a X-Shopify-Hmac-SHA256 header which is generated using the app's shared secret (looks like: '267bb1719a8e6ff75c4f2d709be0ca11'), along with the data sent in the request.

This is jolly wonderful; However, I'm really struggling to calculate the value of the X-Shopify-Hmac-Sha256.

I have a .cfm page which the webhook hits and I pass through the getHTTPRequestData to a function like thus:

<cfscript>
variables.stArgs                        = {};
variables.stArgs.stWebHookData          = getHTTPRequestData();
application.stObj.stShopify.oShopifyWebHookBusiness.receiveWebHook(argumentCollection=variables.stArgs);
</cfscript>

I then stole some code from StackOverflow and Ben Nadel, but neither seem to end up giving me the value that I want. Currently I'm using Ben Nadels code like thus:

local.data = arguments.stWebHookData.toString();
local.macClass = createObject( "java", "javax.crypto.Mac" );
local.secretkeySpec = createObject( "java", "javax.crypto.spec.SecretKeySpec" ).init(toBinary(toBase64(arguments.key)),'HmacSHA256');
local.mac = local.macClass.getInstance('HmacSHA256');
local.mac.init(local.secretkeySpec );

local.hashedBytes = local.mac.doFinal(toBinary(toBase64(local.data)));
return lcase( binaryEncode( local.hashedBytes, "base64" ) );

(arguments.key is the shared secret)

Somewhere along the way, I am going wrong. Have I completely misunderstood what I am meant to be doing. This looks so easy in PHP.

like image 382
Jarede Avatar asked Oct 20 '22 16:10

Jarede

1 Answers

So, getHTTPRequestData() returns a struct with a number of members. The one we're interested is content, which will be a byte array.

The MAC classes' doFinal() method expects an array of bytes (in our case the HTTP request's content) and returns an array of bytes (the HMac of the content)

The returned byte array needs to be base-64 encoded in order to compare it to the one Shopify puts in the webhook's headers. toBase64() will do that for us.

Putting it all together, you get this: toBase64(local.mac.doFinal(getHTTPRequestData().content))

like image 157
barnyr Avatar answered Oct 27 '22 09:10

barnyr
Sign in to Comment

Related questions

Creating PNG file from int Array of RGB data
JRE bug? JTable contains certain string -> ArrayIndexOutOfBoundsException
Alternative technologies to replace applet?
For and While Loop
Comparing Thymeleaf fragments and Apache Tiles?
How does IOUtils.closeQuietly hide the "resource leak" warning?
Javassist - How to add line number to method
Is there a way to create class(not instance) dynamically?
Java 7 update 51 - Prompts user confirmation message about Publisher name every time
Is there any short way to add multiple items
Bean with multiple constructors in Java-based Spring configuration
Snapping JFrame to screen edge
Unit testing and too many mocks
Asynchronous processing with a single thread
Expose <property-placeholder> properties to the Spring Environment
JAVA Multithreading to check primality of several numbers at once is slower than single threading [duplicate]
Read from Java standard input without polling or constantly reading and without wasting resources [closed]
Spring Controller/Component Implements Serializable
Why is this line rendered without proper antialiasing?
Custom test method name in TestNG reports

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!