Compliance webhooks - 400/401 validation response status code

Hi!

I just want to confirm the correct status code for the compliance webhook validation. Can you confirm if a 400 or 401 should be returned when the HMAC header is invalid?

Here (Privacy law compliance) Shopify states:

If a mandatory compliance webhook sends a request with an invalid Shopify HMAC header, then the app must return a 401 Unauthorized HTTP status.

On this page Shopify states a 400 status code should be returned:

app.post('/webhooks', express.text({type: '*/*'}), async (req, res) => {
  const {valid, topic, domain} = await shopify.webhooks.validate({
    rawBody: req.body, // is a string
    rawRequest: req,
    rawResponse: res,
  });

  if (!valid) {
    // This is not a valid request!
    // Return so the webhook-processing code below is not reached for a rejected request
    return res.sendStatus(400); // Bad Request
  }

  // Run my webhook-processing code here
});

Or does it even matter?

Thanks!

Hi @RAD
After reading the Shopify source code, 401 and 400 are both error codes returned by HMAC validation exceptions.
First, the parameters that need to be verified are read from the header:
apiVersion, domain, hmac and other parameters. If a parameter is missing or parameter verification fails, an error is returned; when the error type is HMAC verification failure, 400 is returned, otherwise 401.