Note, the external library CryptoJS (deprecated) is not required, but I also wrote a version using it. I compared output to the native crypto lib, they were equal.
I also experimented with trying to encode startTrigger.data.data in different formats and creating a Buffer, but nothing produces the correct hmac. There's something in that raw body missing once the data is parsed.
Some questions:
What's the difference in startTrigger.data.data vs startTrigger.data.value. They seem to be identical.
I see in the inspector startTrigger.rawData exists but is private. Is this what we need? It's just not exposed to our code blocks currently?
I created a simple Workflow that just sends a response with the "startTrigger" object for us to visualize it.
Here is the workflow:
Here is the REST Api resource for it:
Note: I added a couple of headers for testing purposes.
When I make the following POST request:
The "startTrigger" object is sent back as a response, it looks like this:
With this visualization, let's jump on your questions:
"startTrigger.data" is this whole object. "startTrigger.data.data" and "startTrigger.data.value" are in fact the same thing. We kept the latter for backwards compatibility, the former is preferred.
We currently don't expose the raw data. This may be the reason why your attempts are failing.
We just made a Feature Request to provide access to it. We'll update you when there are any news from our devs.
On the other hand, from looking at your JS block "verifyHmac," it looks like it is returning false from line 7. In line 4: const shopify_hmac = req.headers["x-shopify-hmac-sha256"], is this the correct capitalization for the key?
