I'm implementing a simple web service for a Shopify webhook to call using Play2. I want to verify the call is from Shopify using the 'X-Shopify-Hmac-Sha256' header parameter included.

The Shopify docs only contain a Ruby and Php samples, not too hard to translate I thought. Well I seem to be struggling.

Here is my simple Scala shopify util object:

    import play.api.mvc.Request
    import play.api.mvc.AnyContent
    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import play.api.Logger
    import javax.crypto.SecretKey
    import org.apache.commons.codec.binary.Base64

    object ShopifyUtils {
        def verifyWebhookCall(request : Request[AnyContent], secretKey: String) : Boolean = {

          if (!request.headers.get("X-Shopify-Hmac-Sha256").isDefined)
            val headerHash = request.headers.get("X-Shopify-Hmac-Sha256").getOrElse("")
            val body = request.body.asJson.get.toString

            Logger.info("json '" + request.body.asJson.get.toString + "' = " + encode(secretKey, request.body.asJson.get.toString) );
            Logger.info("body '" + request.body.toString() + "' = " + encode(secretKey, request.body.toString) )

            Logger.info("headerHash " + headerHash);

            val calcHash = encode(secretKey, body)

        def encode(key: String , data: String): String = {
          val sha256_HMAC = Mac.getInstance("HmacSHA256");
          val secret_key = new SecretKeySpec(key.getBytes(), "HmacSHA256");

          return new String( Base64.encodeBase64( sha256_HMAC.doFinal( data.getBytes ) ) ).trim

The hash I generate is never the same as the one Shopify sends.

Either my shared secret key is wrong (which I don't see how it can be) or I'm not hashing the same content as Shopify does (I've tried various request.body output formats).

Any tips/guides/suggestions gratefully received.



Thanks to csaunders for pointing me in the right direction.

I was using the default BodyParser AnyContent that implicitly converts the response body to json when the Content-type of the request specifies 'application/json'.

I had to modify my controller object to specify the 'raw' BodyParser:

    import play.api._
    import play.api.libs.iteratee.Enumerator
    import play.api.mvc.SimpleResult
    import play.api.mvc.ResponseHeader
    import play.api.libs.json._
    import play.Application
    import play.api.mvc._

    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec
    import play.api.Logger
    import javax.crypto.SecretKey
    import org.apache.commons.codec.binary.Base64

    object Purchase extends Controller { 

      val shopifyAppSecretKey = "11111111111111111111111111111111"

      def processPurchase() = Action( parse.raw ) {request =>

        val bodyRaw = request.body.asBytes(3000).getOrElse(Array[Byte]())
        val calculatedHash = encodeByteArray(shopifyAppSecretKey, bodyRaw)
        val shopifyHash = request.headers.get("X-Shopify-Hmac-Sha256").getOrElse("")

        Logger.info("keys '" + shopifyHash + "' || '" + calculatedHash + "' " + calculatedHash.equals(shopifyHash))

        val json: JsValue = Json.parse( new String(bodyRaw) )

        Ok( "Ok" ).as(HTML)

      def encodeByteArray(key: String , data: Array[Byte]): String = {
        val sha256_HMAC = Mac.getInstance("HmacSHA256");
        val secret_key = new SecretKeySpec(key.getBytes(), "HmacSHA256");

        return new String( Base64.encodeBase64( sha256_HMAC.doFinal( data ) ) ).trim

Using the 'raw' BodyParser means that you have to convert the byte array to a string yourself and then parse that string manually to get your json but thats no real problem.

Now all is working as expected.




Just read in the raw POST body and run verify your signature against that. By grabbing the body as JSON and turning it into a string you might be subtly manipulating the response we send you.

Here's how I've done it for a few projects where I've worked with webhooks (in ruby):

class WebhookVerifier
  attr_accessor :expected_hmac, :data
  def initialize(options = {})
    @expected_hmac = options.fetch(:expected_hmac, '')
    content = options.fetch(:content, StringIO.new)
    @data = content.read

  def valid?
    digest = OpenSSL::Digest::Digest.new('sha256')
    calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ShopifyApp.configuration.secret, data)).strip
    calculated_hmac == expected_hmac

If you have created shopify webhook for particular event.
Here I have created a webhook event for customers/update

def ShopifyCustomerUpdateController = Action.async {
implicit request =>
  println("data=============>  "+request.body.asJson.get)
