lpinca/shopify-token

Verify webhook

Closed this issue · 1 comments

AJShippify commented

Could verifyHmac be extended to support the body of the webhook request after body parser had taken effect?

Current solution

    const hmac = request.headers['x-shopify-hmac-sha256']

    const bodyMessage = JSON.stringify(request.body)
    .replace('/', '\\/')
    .replace('&', '\\u0026')

    var calculatedSignature = crypto.createHmac('sha256', shopifyApp.secret)
    .update(bodyMessage.toString('utf8'))
    .digest('base64')

    const ok = hmac === calculatedSignature
lpinca commented

I think it's out of the scope of this module but nothing prevents you from extending the exported class and add custom methods.