Shopify "app/uninstalled" webhook missing "HTTP_X_SHOPIFY_HMAC_SHA256"

1
votes

I don't know what happened, but the Shopify Webhook "apps/uninstalled" is not returning a "HTTP_X_SHOPIFY_HMAC_SHA256" value. It's no where in the request. Without the HMAC, there is no way to verify the call is for Shopify.

I'm seeing my other Webhook calls are getting a HTTP_X_SHOPIFY_HMAC_SHA256 value, but its completely missing in the "apps/uninstalled" webhook.

Any ideas on what I'm doing wrong? Is Shopify just having issues right now?

thanks!

2
shopifywebhooks
Sounds like a bug to me. I'll look into it on Monday. - David Underwood
Thanks David, I appreciate it. - JoshHighland

2 Answers

3
votes

Thanks again for the headsup! This issue was introduced on Friday evening.

We have confirmed exactly 50 api permissions deleted since then that did not send the HMAC header for the "app/uninstall" webhook subscription. We fixed the issue today and resent the "app/uninstall" webhook notification for all affected apps.

Let us know in case you're still seeing any unexpected irregularities!

Best, Dennis Technical Support Engineer Shopify

0
votes

Confirmed that this is a legit regression. We’re investigating/fixing.