如何创建匹配的HMAC值以验证.NET中的Shopify WebHook? [英] How can I create a matching HMAC value to verify a Shopify WebHook in .NET?

问题描述

我已经设置了一个端点来接收来自Shopify的Webhook请求.

I have set up an endpoint to receive webhook requests from Shopify.

来自Shopify的请求包括一个HMAC头，该头是根据共享密钥和请求的主体创建的.

The requests from Shopify include an HMAC header that is created from a shared secret key and the body of the request.

我需要在服务器上计算HMAC并将其与请求标头中的值匹配，以确保请求是真实的.

I need to calculate the HMAC on my server and match it to the value in the request header to ensure that the request is authentic.

我似乎无法在.NET中创建适当的机制来创建匹配的HMAC值.

I can't seem to create the appropriate mechanism in .NET to create a matching HMAC value.

这时我的算法如下:

public static string CreateHash(string data)
    {
        string sharedSecretKey = "MY_KEY";

        byte[] keyBytes = Encoding.UTF8.GetBytes(sharedSecretKey);
        byte[] dataBytes = Encoding.UTF8.GetBytes(data);

        //use the SHA256Managed Class to compute the hash
        System.Security.Cryptography.HMACSHA256 hmac = new HMACSHA256(keyBytes);
        byte[] hmacBytes = hmac.ComputeHash(dataBytes);

        //retun as base64 string. Compared with the signature passed in the header of the post request from Shopify. If they match, the call is verified.
        return System.Convert.ToBase64String(hmacBytes);
    }

可以在 HERE 中找到用于验证其Webhooks的Shopify文档，但仅包含PHP和Ruby示例.

The Shopify docs for verifying their webhooks can be found HERE but only PHP and Ruby samples are included.

谁能看到我可能做错了什么?我是否应该将整个JSON请求主体作为字符串传递给此方法?

Can anyone see what I might be doing wrong? Should I be just passing the entire JSON request body as a string into this method?

推荐答案

正如您在问题中提到的那样，您应该在方法中对整个json请求主体进行哈希处理.

As you allude to in your question, you should be hashing the entire json request body in your method.

我的.NET不太好，但这是ruby示例的一部分，向您展示了如何做:

My .NET isn't too good, but Here's the part of the ruby example that shows you what to do:

post '/' do

  . . .

  data = request.body.read
  verified = verify_webhook(data, env["HTTP_X_SHOPIFY_HMAC_SHA256"])

  . . .

end

您可以看到我们只是在抓取请求的主体(作为字符串)，并将其逐字地扔入verify方法.试试看，希望您会遇到更多的运气.

You can see that we're just grabbing the body of the request (as a string) and throwing it into the verify method verbatim. Give it a try and hopefully you'll have more luck.

这篇关于如何创建匹配的HMAC值以验证.NET中的Shopify WebHook?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！