Nodejs - Expressjs - Verify shopify webhook
Problem description
I am trying to verify the hmac code sent from a shopify webhook on a dev environment. However shopify will not send a post request for a webhook to a non live endpoint, so I am using requestbin to capture the request and then use postman to send it to my local webserver.
From shopify documentation, I seem to be doing everything right and have also tried applying the method used in node-shopify-auth verifyWebhookHMAC function. But none of this has worked so far. The codes are never a match. What am I doing wrong here?
My code to verify the webhook:
function verifyWebHook(req, res, next) {
    var message = JSON.stringify(req.body);
    // Shopify seems to be escaping forward slashes when they build the HMAC
    // so we need to do the same otherwise it will fail validation
    // Shopify also seems to replace '&' with \u0026 ...
    //message = message.replace('/', '\\/');
    message = message.split('/').join('\\/');
    message = message.split('&').join('\\u0026');
    var signature = crypto.createHmac('sha256', shopifyConfig.secret).update(message).digest('base64');
    var reqHeaderHmac = req.headers['x-shopify-hmac-sha256'];
    var truthCondition = signature === reqHeaderHmac;

    winston.info('sha256 signature: ' + signature);
    winston.info('x-shopify-hmac-sha256 from header: ' + reqHeaderHmac);
    winston.info(req.body);

    if (truthCondition) {
        winston.info('webhook verified');
        req.body = JSON.parse(req.body.toString());
        res.sendStatus(200);
        res.end();
        next();
    } else {
        winston.info('Failed to verify web-hook');
        res.writeHead(401);
        res.end('Unverified webhook');
    }
}
The route where I receive the request:
router.post('/update-product', useBodyParserJson, verifyWebHook, function (req, res) {
    var shopName = req.headers['x-shopify-shop-domain'].slice(0, -14);
    var itemId = req.headers['x-shopify-product-id'];
    winston.info('Shopname from webhook is: ' + shopName + ' For item: ' + itemId);
});
Recommended answer
I do it a little differently -- Not sure where I saw the recommendation but I do the verify in the body parser. IIRC one reason being that I get access to the raw body before any other handlers are likely to have touched it:
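var crypto = require('crypto');
var bodyParser = require('body-parser');

app.use(bodyParser.json({verify: function(req, res, buf, encoding) {
    var shopHMAC = req.get('x-shopify-hmac-sha256');
    // No Shopify HMAC header: nothing to verify for this request
    if(!shopHMAC) return;
    // Reject requests that arrive with the internal marker header already set
    if(req.get('x-kotn-webhook-verified')) throw "Unexpected webhook verified header";
    var sharedSecret = process.env.API_SECRET;
    // buf is the raw request body, before JSON parsing
    var digest = crypto.createHmac('SHA256', sharedSecret).update(buf).digest('base64');
    if(digest == req.get('x-shopify-hmac-sha256')){
        req.headers['x-kotn-webhook-verified']= '200';
    }
}}));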
and then any web hooks just deal with the verified header:
if('200' != req.get('x-kotn-webhook-verified')){
    console.log('invalid signature for uninstall');
    res.status(204).send();
    return;
}
var shop = req.get('x-shopify-shop-domain');
if(!shop){
    console.log('missing shop header for uninstall');
    res.status(400).send('missing shop');
    return;
}
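Added example, not part of the original question or answer: a standalone check showing why the HMAC has to be computed over the raw request bytes (the `buf` argument in the answer above) rather than over `JSON.stringify(req.body)`, with a constant-time comparison of the header value. The secret, payload and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Base64 HMAC-SHA256 over the exact bytes that were received.
function computeHmac(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Compare the header value with the expected digest in constant time.
function verifyWebhook(secret, rawBody, headerHmac) {
  if (typeof headerHmac !== 'string' || headerHmac.length === 0) return false;
  const expected = Buffer.from(computeHmac(secret, rawBody), 'base64');
  const received = Buffer.from(headerHmac, 'base64');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not a real secret or a captured webhook).
// The body uses the escaped "\/" and "\u0026" forms the question mentions.
const SECRET = 'constructed-test-secret';
const RAW = Buffer.from(
  '{"id": 1, "title": "A \\u0026 B", "url": "https:\\/\\/example.com\\/p\\/1"}',
  'utf8'
);
// Value the sender would place in the x-shopify-hmac-sha256 header.
const HEADER = computeHmac(SECRET, RAW);

function demo() {
  // Parsing and re-serializing drops whitespace and escape sequences,
  // so the bytes (and therefore the HMAC) no longer match.
  const reserialized = JSON.stringify(JSON.parse(RAW.toString('utf8')));
  return {
    rawOk: verifyWebhook(SECRET, RAW, HEADER),
    reserializedOk: verifyWebhook(SECRET, Buffer.from(reserialized, 'utf8'), HEADER),
    tamperedOk: verifyWebhook(SECRET, Buffer.concat([RAW, Buffer.from(' ')]), HEADER),
    missingHeaderOk: verifyWebhook(SECRET, RAW, undefined),
  };
}

console.log(demo());
```

Replaying a captured request through another tool only verifies if the body bytes are forwarded unchanged; any reformatting of the JSON on the way produces the same mismatch as `reserializedOk` here.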