When integrating with a 3rd party via webhooks, you always want to make sure that incoming requests are actually coming the service you're integrating with.
Otherwise bad actors can impersonate e.g. Shopify and spam your system with useless or fraudulent data.
We can validate that incoming webhooks are from Shopify by checking the signature of their requests. To do this, we first need to grab Shopify's signature secret.
There are two places where you might get the signature secret from:
If you set up your webhooks using Shopify's UI for a single store, then you should use the signature secret displayed at the bottom of your store's notification settings:
If your webhooks are for a Shopify app that is used by multiple stores, you will need to use the "Shared Secret" from your app's settings page:
The following Express middleware can be used for incoming webhooks from Shopify and validate that they were actually made by Shopify.
It assumes that your signature secret is stored in an environment variable called
const crypto = require('crypto')const SHOPIFY_SIGNATURE_SECRET = process.env.SHOPIFY_SIGNATURE_SECRETif (!SHOPIFY_SIGNATURE_SECRET) {throw new Error('Please provide process.env.SHOPIFY_SIGNATURE_SECRET')}function validateShopifySignature() {return async (req, res, next) => {try {const rawBody = req.rawBodyif (typeof rawBody == 'undefined') {throw new Error('validateShopifySignature: req.rawBody is undefined. Please make sure the raw request body is available as req.rawBody.')}const hmac = req.headers['x-shopify-hmac-sha256']const hash = crypto.createHmac('sha256', SHOPIFY_SIGNATURE_SECRET).update(rawBody).digest('base64')const signatureOk = crypto.timingSafeEqual(Buffer.from(hash),Buffer.from(hmac))if (!signatureOk) {res.status(403)res.send('Unauthorized')return}next()} catch (err) {next(err)}}}
In order to get this middleware to work, there is one last step required:
The middleware above accesses req.rawBody
which doesn't exist on Express' request-object
by default.
Most Express APIs have the following line of code (or similar) somewhere:
app.use(express.json({ limit: '50mb' }))
We need to modify so that it keeps the raw HTTP request body around:
app.use(express.json({limit: '50mb',verify: (req, res, buf) => {req.rawBody = buf}}))
You can now use the middleware introduced in this article to validate incoming Shopify webhooks. This way you can be sure that those requests actually come from Shopify and not somebody else. :)
app.post('/webhooks/shopify/product-creation',validateShopifySignature(),(req, res, next) => {// ...})
Hi, I’m Max! I'm a fullstack JavaScript developer living in Berlin.
When I’m not working on one of my personal projects, writing blog posts or making YouTube videos, I help my clients bring their ideas to life as a freelance web developer.
If you need help on a project, please reach out and let's work together.
To stay updated with new blog posts, follow me on Twitter or subscribe to my RSS feed.