I am facing a 401 error on my webhook.

```php
public function handleOrderWebhook(Request $request)
{
    // return 404;

    // Raw request body
    $rawBody = $request->getContent();

    // Shopify HMAC header
    $hmacHeader = $request->header('X-Shopify-Hmac-Sha256');

    // if (empty($hmacHeader)) {
    //     Log::warning('Webhook rejected: Missing HMAC header');
    //     return response('Missing HMAC header', 401);
    // }

    // Logs for debugging
    Log::info('Shopify Webhook Headers', $request->headers->all());
    Log::info('Shopify Raw Body', [$rawBody]);

    // Secret key from .env (Shopify webhook signing secret)
    $secret = '99111bedd1ff7bd43ccd542b0137c512bbf4481f77a88ed0d6444fa29afea17b';

    // Calculate HMAC on raw body
    $calculatedHmac = base64_encode(
        hash_hmac(
            'sha256',
            $rawBody,
            $secret,
            true
        )
    );

    // Compare securely
    if (!hash_equals($hmacHeader, $calculatedHmac)) {
        Log::warning('Invalid Shopify Webhook Signature', [
            'received'   => $hmacHeader,
            'calculated' => $calculatedHmac,
        ]);
        return response('Invalid signature', 401);
    }

    // Signature valid → process webhook
    $data = json_decode($rawBody, true);

    // Example: save order
    $this->storeOrder($data);

    return response()->json(['status' => 'success'], 200);
}
```

Please can you both edit and remove your secret key from this post and rotate your secret key in Shopify partner dashboard, as you shouldn’t include this in anything you post publicly.

I would take a look at other topics and implementations for this, as others are doing this in PHP correctly, for example: Webhooks graphql - #11 by Josh_C


It is a dummy, not any problem.
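The handling discussed in this thread, as an added example that is not code from any of the posters or from Shopify: the signing secret is read from the environment instead of being written into the source, a missing header is rejected before the comparison, and the HMAC is computed over the raw body only. The variable name `SHOPIFY_WEBHOOK_SECRET`, the function names and the sample payload are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Assumed variable name; the signing secret lives in the environment, not in source.
const SECRET_ENV = 'SHOPIFY_WEBHOOK_SECRET';

function loadWebhookSecret(): ?string
{
    $value = getenv(SECRET_ENV);
    return ($value === false || $value === '') ? null : $value;
}

// Returns 'ok', 'missing_header', 'bad_signature' or 'misconfigured'.
function verifyWebhook(string $rawBody, ?string $hmacHeader, ?string $secret): string
{
    if ($secret === null) {
        return 'misconfigured';      // fail closed, never fall back to a literal
    }
    if ($hmacHeader === null || $hmacHeader === '') {
        return 'missing_header';     // hash_equals() throws a TypeError on null in PHP 8
    }
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    // Known value first, request-supplied value second.
    return hash_equals($expected, $hmacHeader) ? 'ok' : 'bad_signature';
}

// --- Constructed demo data (not a real secret or a real Shopify payload) ---
putenv(SECRET_ENV . '=constructed-demo-secret');
$secret = loadWebhookSecret();
$body   = '{"id": 1001, "note": "a/b"}';
$header = base64_encode(hash_hmac('sha256', $body, (string) $secret, true));

$cases = [
    'raw body, correct header'  => [$body, $header, $secret],
    'body re-encoded from JSON' => [json_encode(json_decode($body, true)), $header, $secret],
    'header absent'             => [$body, null, $secret],
    'secret not configured'     => [$body, $header, null],
];
foreach ($cases as $label => [$b, $h, $s]) {
    printf("%-26s => %s\n", $label, verifyWebhook($b, $h, $s));
}
```

The second case fails because decoding and re-encoding the JSON changes whitespace and escaping, so the bytes no longer match what was signed.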