Shopify app oauth code and config issues - failing compliance webhooks and HMAC signatures

Hey there shopify community!


Analysis Summary

Looking at the Shopify automated checks screenshots, there are 4 issues:

Check | Status | Issue
Immediately authenticates after install | Green | Working
Immediately redirects to app UI after authentication | Yellow | Warning, may need attention
Provides mandatory compliance webhooks | Red | Needs fix in Shopify Partner Dashboard
Verifies webhooks with HMAC signatures | Red | Shopify can't verify our HMAC implementation
Uses a valid TLS certificate | Green | Working

Root Cause Analysis

After reviewing the code, I found:

  1. GDPR Webhooks (Code is correct): The shopify-webhooks/index.ts function correctly handles all 3 mandatory GDPR webhooks:
    • customers/data_request (lines 1035-1036)
    • customers/redact (lines 1039-1040)
    • shop/redact (lines 1043-1044)
  2. Webhook Registration (Code is correct): oauth-shopify/index.ts registers all webhooks, including the GDPR ones (lines 543-546).
  3. HMAC Verification (Code is correct): Uses timing-safe comparison (lines 10-18, 21-33).

The issue is in the Shopify Partner Dashboard configuration, not the code. The Shopify automated checks are failing because:

  1. Compliance webhook URLs are not configured in the Shopify Partner Dashboard under the "Compliance webhooks" section.
  2. Shopify needs these URLs set in the app configuration, not just registered via the API.

Fix: Shopify App Compliance Webhook Configuration

Problem Summary

Shopify’s automated compliance check is failing because the mandatory GDPR compliance webhook endpoints are not configured in the Shopify Partner Dashboard. While your code correctly handles these webhooks, Shopify requires them to be explicitly declared in your app configuration.

What’s Happening

Your code is correct - all 3 mandatory GDPR webhooks are implemented:

  • customers/data_request - handles customer data access requests
  • customers/redact - handles customer data deletion requests
  • shop/redact - handles shop data deletion (sent 48 hours after uninstall)

However, Shopify performs automated checks by looking at your app configuration in the Partner Dashboard, not your code. The webhooks must be configured in two places:

  1. Registered via API (you’re doing this)
  2. Declared in Partner Dashboard compliance settings (missing)

Solution

Step 1: Configure Compliance Webhooks in Shopify Partner Dashboard

Navigate to: Shopify Partners → Apps → PureProfit.ai → Configuration → Compliance webhooks

Enter these URLs for the 3 mandatory webhooks:

Webhook | URL
Customer data request endpoint | https://ouknuoejkmiapsxepgcc.supabase.co/functions/v1/shopify-webhooks
Customer data erasure endpoint | https://ouknuoejkmiapsxepgcc.supabase.co/functions/v1/shopify-webhooks
Shop data erasure endpoint | https://ouknuoejkmiapsxepgcc.supabase.co/functions/v1/shopify-webhooks

All three use the same endpoint because your webhook handler routes based on the x-shopify-topic header.

Step 2: Re-run Automated Checks

After saving the compliance webhook URLs in the Partner Dashboard, click “Run” on the automated checks section. The compliance webhook check should now pass.

Why This Fixes the HMAC Check Too

The “Verifies webhooks with HMAC signatures” check may be failing because Shopify couldn’t send test webhooks to verify HMAC. Once the compliance webhook URLs are configured, Shopify can:

  1. Send test webhooks to your endpoint
  2. Verify your endpoint returns 200 OK
  3. Confirm HMAC verification is working

Your HMAC implementation is correct - it uses timing-safe comparison to prevent timing attacks as required.

No Code Changes Required

Your implementation is already correct:

GDPR Handlers (shopify-webhooks/index.ts):

  • Lines 673-708: handleCustomerDataRequest()
  • Lines 711-802: handleCustomerRedact()
  • Lines 804-898: handleShopRedact()

HMAC Verification (shopify-webhooks/index.ts):

  • Lines 10-18: Timing-safe comparison function
  • Lines 20-33: HMAC verification using SHA-256
  • Lines 927-937: Signature validation with 401 response on failure

Webhook Routing (shopify-webhooks/index.ts):

  • Lines 952-953: GDPR topics bypass shop registration check
  • Lines 1033-1045: Routes to GDPR handlers
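As an added illustration (not the app's own shopify-webhooks/index.ts), this is the shape of the HMAC verification and topic routing described above: HMAC-SHA256 over the raw body with the app client secret, base64-compared in constant time, a 401 on failure, and the three compliance topics dispatched by the x-shopify-topic header. The secret, header names in lowercase, and the handler's return shape are assumptions for the example.

```typescript
// Added example, not the app's own code: verify X-Shopify-Hmac-Sha256 with a
// timing-safe compare and route the mandatory compliance topics by X-Shopify-Topic.
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Constructed secret for the example; a real app reads its client secret from config.
export const APP_SECRET = "example-client-secret-not-real";

// Shopify signs the raw (unparsed) request body with the app's client secret:
// HMAC-SHA256, base64-encoded. Always hash the raw bytes, never re-serialized JSON.
export function computeHmac(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("base64");
}

// Decode both sides to bytes and refuse on length mismatch before comparing;
// timingSafeEqual throws on unequal lengths, and a short-circuit === would leak timing.
export function verifyHmac(rawBody: string, headerHmac: string | null, secret: string): boolean {
  if (!headerHmac) return false;
  const expected = Buffer.from(computeHmac(rawBody, secret), "base64");
  const received = Buffer.from(headerHmac, "base64");
  if (expected.length !== received.length) return false;
  return timingSafeEqual(expected, received);
}

// Minimal handler: verify first, answer 401 on failure, then route by topic.
// Compliance topics are accepted without a shop registration lookup, because
// shop/redact arrives 48 hours after the shop has already uninstalled the app.
export function handleWebhook(
  headers: Record<string, string>, // assumed lowercased header names
  rawBody: string,
  secret: string = APP_SECRET,
): { status: number; handled: string } {
  if (!verifyHmac(rawBody, headers["x-shopify-hmac-sha256"] ?? null, secret)) {
    return { status: 401, handled: "rejected" };
  }
  const topic = headers["x-shopify-topic"];
  switch (topic) {
    case "customers/data_request":
    case "customers/redact":
    case "shop/redact":
      return { status: 200, handled: topic }; // dispatch to the GDPR handler for this topic
    default:
      return { status: 200, handled: "ignored" }; // acknowledge other topics so Shopify stops retrying
  }
}
```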

Summary

Action | Location | Status
Add compliance webhook URLs | Shopify Partner Dashboard | Manual action required
GDPR webhook handlers | Code | Already implemented
HMAC verification | Code | Already implemented
Webhook routing | Code | Already implemented