Verify Shopify webhook


Problem description


I believe that to have a Shopify webhook integrate with a Rails app, the Rails app needs to disable the default verify_authenticity_token method, and implement its own authentication using the X_SHOPIFY_HMAC_SHA256 header. The Shopify docs say to just use request.body.read. So, I did that:

require "openssl"
require "base64"

# Controller name is assumed; the question only shows the two methods below.
class WebhooksController < ApplicationController
  # Shopify does not send a Rails CSRF token, so the default check is disabled
  # and verify_webhook authenticates the request instead.
  skip_before_action :verify_authenticity_token

  def create
    # Send back a 200 OK response only when the header HMAC matches
    verify_webhook(request) ? head(:ok) : head(:unauthorized)
  end

  def verify_webhook(request)
    # .to_s turns a missing header into "" instead of nil
    header_hmac = request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"].to_s
    digest = OpenSSL::Digest.new("sha256")
    # The HMAC is computed over the raw, unparsed body, so rewind before reading it
    request.body.rewind
    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, SHARED_SECRET, request.body.read)).strip

    puts "header hmac: #{header_hmac}"
    puts "calculated hmac: #{calculated_hmac}"

    # Constant-time comparison; returns false when the lengths differ
    verified = ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, header_hmac)
    puts "Verified:#{verified}"
    verified
  end
end


The Shopify webhook is directed to the correct URL and the route gives it to the controller method shown above. But when I send a test notification, the output is not right. The two HMACs are not equal, and so it is not verified. I am fairly sure that the problem is that Shopify is using the entire request as their seed for the authentication hash, not just the POST contents. So, I need the original, untouched HTTP request, unless I am mistaken.


This question seemed like the only promising thing on the Internet after at least an hour of searching. It was exactly what I was asking and it had an accepted answer with 30 upvotes. But his answer... is absurd. It spits out an unintelligible, garbled mess of all kinds of things. Am I missing something glaring?


Furthermore, this article seemed to suggest that what I am looking for is not possible. It seems that Rails is never given the unadulterated request, but it is split into disparate parts by Rack, before it ever gets to Rails. If so, I guess I could maybe attempt to reassemble it, but I would have to even get the order of the headers correct for a hash to work, so I can't imagine that would be possible.


I guess my main question is, am I totally screwed?

Recommended answer


The problem was in my SHARED_SECRET. I assumed this was the API secret key, because a few days ago it was called the shared secret in the Shopify admin page. But now I see a tiny paragraph at the bottom of the notifications page that says,


All your webhooks will be signed with ---MY_REAL_SHARED_SECRET--- so you can verify their integrity.


This is the secret I need to use to verify the webhooks. Why there are two of them, I have no idea.
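As an added example (not the poster's or Shopify's code), the verification the question was after, run stand-alone against a constructed webhook body: the signature is base64(HMAC-SHA256(webhook signing secret, raw body)), and checking it with the API secret instead of the webhook signing secret fails exactly as the answer describes. The secret values and the sample body are constructed.

```ruby
require "openssl"
require "base64"

# Constructed secrets: Shopify gives an app an API secret and, separately, a
# webhook signing secret (the one shown at the bottom of the notifications page).
API_SECRET = "constructed-api-secret-key".freeze
WEBHOOK_SIGNING_SECRET = "constructed-webhook-signing-secret".freeze

# Constructed raw request body, exactly as it arrives on the wire.
SAMPLE_BODY = '{"id":820982911946154508,"email":"buyer@example.com"}'.freeze

# Value Shopify sends in the X-Shopify-Hmac-SHA256 header:
# base64 of HMAC-SHA256 over the raw body, keyed with the webhook signing secret.
def shopify_signature(secret, raw_body)
  digest = OpenSSL::Digest.new("sha256")
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, raw_body))
end

# Constant-time comparison so a mismatch does not reveal how many leading
# bytes matched; a missing header or a length mismatch is simply false.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# true only if the header was produced with +signing_secret+ over this exact body.
def verify_shopify_webhook(raw_body, header_value, signing_secret)
  secure_equal?(shopify_signature(signing_secret, raw_body), header_value)
end

# Header as Shopify would compute it for SAMPLE_BODY (constructed here).
SAMPLE_HEADER = shopify_signature(WEBHOOK_SIGNING_SECRET, SAMPLE_BODY)

if $PROGRAM_NAME == __FILE__
  puts "signing secret: #{verify_shopify_webhook(SAMPLE_BODY, SAMPLE_HEADER, WEBHOOK_SIGNING_SECRET)}"
  puts "api secret:     #{verify_shopify_webhook(SAMPLE_BODY, SAMPLE_HEADER, API_SECRET)}"
  puts "tampered body:  #{verify_shopify_webhook(SAMPLE_BODY + " ", SAMPLE_HEADER, WEBHOOK_SIGNING_SECRET)}"
end
```

The body must be the raw bytes (request.body.read after rewind), since re-serialising parsed JSON can change whitespace or key order and break the HMAC.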
