Workflow verify Shopify webhook hmac

I guess this is a Retool Workflows feature request... we need access to the raw body (before json parsing) in order to verify Shopify webhooks.

Here's a screenshot of my workflow that will work (tested outside of Retool), when I can access the request's raw data buffer.

Note, the external library CryptoJS (deprecated) is not required, but I also wrote a version using it. I compared output to the native crypto lib, they were equal.
I also experimented with trying to encode in different formats and creating a Buffer, but nothing produces the correct hmac. There's something in that raw body missing once the data is parsed.

Some questions:

  1. What's the difference in vs They seem to be identical.
  2. I see in the inspector startTrigger.rawData exists but is private. Is this what we need? It's just not exposed to our code blocks currently?


Shopify's docs give examples: HTTPS webhook delivery

Shopify staff member confirms Node needs raw data: Solved: Re: verify webhook on nodejs - Shopify Community

This is a related existing topic:

Hi @8bitmatt, welcome to the forum! :wave:

I created a simple Workflow that just sends a response with the "startTrigger" object for us to visualize it.

Here is the workflow:

Here is the REST Api resource for it:

Note: I added a couple of headers for testing purposes.

When I make the following POST request:

The "startTrigger" object is sent back as a response, it looks like this:

With this visualization, let's jump on your questions:

  1. "" is this whole object. "" and "" are in fact the same thing. We kept the latter for backwards compatibility, the former is preferred.
  2. We currently don't expose the raw data. This may be the reason why your attempts are failing.

We just made a Feature Request to provide access to it. We'll update you when there are any news from our devs.

On the other hand, from looking at your JS block "verifyHmac," it looks like it is returning false from line 7. In line 4: const shopify_hmac = req.headers["x-shopify-hmac-sha256"], is this the correct capitalization for the key?

From looking at the doc you shared:

Perhaps the key is "X-Shopify-Hmac-SHA256"?