Shopify verify webhook call in Scala

1
votes

I'm implementing a simple web service for a Shopify webhook to call using Play2. I want to verify the call is from Shopify using the 'X-Shopify-Hmac-Sha256' header parameter included.

The Shopify docs only contain a Ruby and Php samples, not too hard to translate I thought. Well I seem to be struggling.

Here is my simple Scala shopify util object:

    import play.api.mvc.Request
    import play.api.mvc.AnyContent
    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import play.api.Logger
    import javax.crypto.SecretKey
    import org.apache.commons.codec.binary.Base64

    object ShopifyUtils {
        def verifyWebhookCall(request : Request[AnyContent], secretKey: String) : Boolean = {

          if (!request.headers.get("X-Shopify-Hmac-Sha256").isDefined)
              false
          else
          {
            val headerHash = request.headers.get("X-Shopify-Hmac-Sha256").getOrElse("")
            val body = request.body.asJson.get.toString

            Logger.info("json '" + request.body.asJson.get.toString + "' = " + encode(secretKey, request.body.asJson.get.toString) );
            Logger.info("body '" + request.body.toString() + "' = " + encode(secretKey, request.body.toString) )

            Logger.info("headerHash " + headerHash);

            val calcHash = encode(secretKey, body)
            headerHash.equals(calcHash)
          }
        }

        def encode(key: String , data: String): String = {
          val sha256_HMAC = Mac.getInstance("HmacSHA256");
          val secret_key = new SecretKeySpec(key.getBytes(), "HmacSHA256");
          sha256_HMAC.init(secret_key);

          return new String( Base64.encodeBase64( sha256_HMAC.doFinal( data.getBytes ) ) ).trim
        }
    }

The hash I generate is never the same as the one Shopify sends.

Either my shared secret key is wrong (which I don't see how it can be) or I'm not hashing the same content as Shopify does (I've tried various request.body output formats).

Any tips/guides/suggestions gratefully received.

Tim

3
scalaplayframework-2.0shopifysha256

3 Answers

2
votes

Just read in the raw POST body and run verify your signature against that. By grabbing the body as JSON and turning it into a string you might be subtly manipulating the response we send you.

Here's how I've done it for a few projects where I've worked with webhooks (in ruby):

class WebhookVerifier
  attr_accessor :expected_hmac, :data
  def initialize(options = {})
    @expected_hmac = options.fetch(:expected_hmac, '')
    content = options.fetch(:content, StringIO.new)
    content.rewind
    @data = content.read
  end    

  def valid?
    digest = OpenSSL::Digest::Digest.new('sha256')
    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ShopifyApp.configuration.secret, data)).strip
    calculated_hmac == expected_hmac
  end
end
1
votes

Thanks to csaunders for pointing me in the right direction.

I was using the default BodyParser AnyContent that implicitly converts the response body to json when the Content-type of the request specifies 'application/json'.

I had to modify my controller object to specify the 'raw' BodyParser:

    import play.api._
    import play.api.libs.iteratee.Enumerator
    import play.api.mvc.SimpleResult
    import play.api.mvc.ResponseHeader
    import play.api.libs.json._
    import play.Application
    import play.api.mvc._

    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import play.api.Logger
    import javax.crypto.SecretKey
    import org.apache.commons.codec.binary.Base64

    object Purchase extends Controller { 

      val shopifyAppSecretKey = "11111111111111111111111111111111"

      def processPurchase() = Action( parse.raw ) {request =>

        val bodyRaw = request.body.asBytes(3000).getOrElse(Array[Byte]())
        val calculatedHash = encodeByteArray(shopifyAppSecretKey, bodyRaw)
        val shopifyHash = request.headers.get("X-Shopify-Hmac-Sha256").getOrElse("")

        Logger.info("keys '" + shopifyHash + "' || '" + calculatedHash + "' " + calculatedHash.equals(shopifyHash))

        val json: JsValue = Json.parse( new String(bodyRaw) )

        Ok( "Ok" ).as(HTML)
      }

      def encodeByteArray(key: String , data: Array[Byte]): String = {
        val sha256_HMAC = Mac.getInstance("HmacSHA256");
        val secret_key = new SecretKeySpec(key.getBytes(), "HmacSHA256");
        sha256_HMAC.init(secret_key);

        return new String( Base64.encodeBase64( sha256_HMAC.doFinal( data ) ) ).trim
      }
    }

Using the 'raw' BodyParser means that you have to convert the byte array to a string yourself and then parse that string manually to get your json but thats no real problem.

Now all is working as expected.

Thanks,

Tim

0
votes

If you have created shopify webhook for particular event.
Here I have created a webhook event for customers/update

def ShopifyCustomerUpdateController = Action.async {
implicit request =>
  println("data=============>  "+request.body.asJson.get)
  Future(Ok(""))  
}