Hi @Merouane, the code snippets provided look like they should work. I created the following small python app with Flask, added a webhook subscription for orders/create and products/update to my shop and was able to receive webhooks and validate the HMAC. In the snippet below you will need to update the SHOPIFY_API_SECRET with your client secret:
from flask import Flask, request
import hmac
import hashlib
import base64
import logging
logging.basicConfig(level=logging.DEBUG)
logger = logging.getLogger(__name__)
SHOPIFY_API_SECRET = "YOUR_CLIENT_SECRET_KEY"
app = Flask(__name__)
@app.route('/', methods=['POST'])
def receive_post():
headers = request.headers
hmac_header = request.headers.get('X-Shopify-Hmac-SHA256', "")
body = request.data.decode('utf-8')
data = request.get_data()
body_hash = hmac.new(
bytes(SHOPIFY_API_SECRET, "utf-8"), data, hashlib.sha256
)
b64_hash = base64.b64encode(body_hash.digest()).decode('utf-8')
logger.debug("Header HMAC: " + hmac_header + " calculated: " + b64_hash)
hmac_match = b64_hash == hmac_header
if not hmac_match:
logger.debug("Invalid HMAC!")
return 'Invalid signature', 401
logger.debug("HMAC successfully validated!")
return 'Received', 200
if __name__ == '__main__':
app.run(debug=True)
