How can I create a matching HMAC value to verify a Shopify WebHook in .NET?

Question

I have set up an endpoint to receive webhook requests from Shopify.

The requests from Shopify include an HMAC header that is created from a shared secret key and the body of the request.

I need to calculate the HMAC on my server and match it to the value in the request header to ensure that the request is authentic.

I can't seem to create the appropriate mechanism in .NET to create a matching HMAC value.

My algorithm at this point is as follows:

public static string CreateHash(string data)
    {
        string sharedSecretKey = "MY_KEY";

        byte[] keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
        byte[] dataBytes = Encoding.UTF8.GetBytes(data);

        //use the SHA256Managed Class to compute the hash
        System.Security.Cryptography.HMACSHA256 hmac = new HMACSHA256(keyBytes);
        byte[] hmacBytes = hmac.ComputeHash(dataBytes);

        //retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
        return System.Convert.ToBase64String(hmacBytes);
    }

The Shopify docs for verifying their webhooks can be found HERE but only PHP and Ruby samples are included.

Can anyone see what I might be doing wrong? Should I be just passing the entire JSON request body as a string into this method?

Answer 1

    private static bool Validate(string sharedSecretKey)
    {
        var data = GetStreamAsText(HttpContext.Current.Request.InputStream, HttpContext.Current.Request.ContentEncoding);
        var keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
        var dataBytes = Encoding.UTF8.GetBytes(data);

        //use the SHA256Managed Class to compute the hash
        var hmac = new HMACSHA256(keyBytes);
        var hmacBytes = hmac.ComputeHash(dataBytes);

        //retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
        var hmacHeader = HttpContext.Current.Request.Headers["x-shopify-hmac-sha256"];
        var createSignature = Convert.ToBase64String(hmacBytes);
        return hmacHeader == createSignature;
    }

    private static string GetStreamAsText(Stream stream, Encoding encoding)
    {
        var bytesToGet = stream.Length;
        var input = new byte[bytesToGet];
        stream.Read(input, 0, (int)bytesToGet);
        stream.Seek(0, SeekOrigin.Begin); // reset stream so that normal ASP.NET processing can read data
        var text = encoding.GetString(input);
        return text;
    }

Answer 2

As you allude to in your question, you should be hashing the entire json request body in your method.

My .NET isn't too good, but Here's the part of the ruby example that shows you what to do:

post '/' do

  . . .

  data = request.body.read
  verified = verify_webhook(data, env["HTTP_X_SHOPIFY_HMAC_SHA256"])

  . . .

end

You can see that we're just grabbing the body of the request (as a string) and throwing it into the verify method verbatim. Give it a try and hopefully you'll have more luck.