
How do I verify a Shopify webhook?

Popularity: 30   Published: 2023-07-17 20:12:16.0

Can someone help me with how to verify a Shopify webhook in Java? I am currently using the following code, but I cannot verify it.

@RequestMapping(value = "/order", method = RequestMethod.POST)
    public ResponseEntity<Object> getWebhookOrder(@RequestBody String payload, @RequestHeader Map map) {

    try {

        String secretKey = "xxxxxxxxxxx";

        String HMAC_ALGORITHM = "HmacSHA256";
        Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), HMAC_ALGORITHM);
        mac.init(secretKeySpec);


        String signature = new String(Hex.encodeHex(mac.doFinal(payload.toString().getBytes())));

        System.out.println("header hmac "+map.get("x-shopify-hmac-sha256").toString());
        System.out.println("generated hmac "+signature);
        System.out.println(map.get("x-shopify-hmac-sha256").toString().equals(signature));
        return new ResponseEntity<Object>("{}", HttpStatus.OK);

    }catch(Exception exception) {

        exceptionService.saveExceptions(map.get("x-shopify-shop-domain").toString(), exception);
        return new ResponseEntity<Object>("{}", HttpStatus.BAD_REQUEST);

    }
}

You can create two methods, one that calculates the HMAC and one that checks it:

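import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;

private static final String HMAC_ALGORITHM = "HmacSHA256";

// The X-Shopify-Hmac-Sha256 header carries the digest Base64-encoded (not hex).
private static String calculateHmac(String message, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
  Mac hmac = Mac.getInstance(HMAC_ALGORITHM);
  SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_ALGORITHM);
  hmac.init(key);

  return Base64.encodeBase64String(hmac.doFinal(message.getBytes(StandardCharsets.UTF_8)));
}

private static Boolean checkHmac(String message, String hmac, String secret) throws InvalidKeyException, NoSuchAlgorithmException {
  if (hmac == null) return false; // header missing
  // Constant-time comparison, so the check does not reveal how many leading characters matched.
  return MessageDigest.isEqual(hmac.getBytes(StandardCharsets.UTF_8), calculateHmac(message, secret).getBytes(StandardCharsets.UTF_8));
}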

checkHmac returns true or false.

Use this code:

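// Needs the servlet API's HttpServletRequest, Commons IO's IOUtils and a logger field.
private static Boolean verifyWebhook(HttpServletRequest request, final String secret) {
  try {
    // Read the body exactly as it was sent: the HMAC covers the raw bytes,
    // so JSON that has been parsed and re-serialized will not match.
    String jsonString = IOUtils.toString(request.getInputStream(),"UTF-8");

    String hmac = request.getHeader("X-Shopify-Hmac-Sha256");

    return checkHmac(jsonString, hmac, secret);
  } catch (IOException e) {
    logger.info(e.getMessage());
  } catch (InvalidKeyException e) {
    logger.info(e.getMessage());
  } catch (NoSuchAlgorithmException e) {
    logger.info(e.getMessage());
  }

  // Any failure to read or verify is treated as an invalid webhook.
  return false;
}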

You can also see
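
An added example, not part of the original question or answer: a JDK-only version of the check (java.util.Base64 instead of Commons Codec) that verifies over the raw body bytes, compares the decoded digests in constant time, and shows why the hex string built in the question never equals the Base64 header. The class name, secret and payloads are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ShopifyHmacDemo {
    private static final String ALG = "HmacSHA256";

    static byte[] hmac(byte[] rawBody, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), ALG));
        return mac.doFinal(rawBody);
    }

    // Decode the header to bytes and compare the two digests in constant time.
    static boolean verify(byte[] rawBody, String headerValue, String secret) {
        if (headerValue == null) return false;             // header missing
        try {
            byte[] received = Base64.getDecoder().decode(headerValue.trim());
            return MessageDigest.isEqual(received, hmac(rawBody, secret));
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false;                                   // not Base64, or unusable key/algorithm
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-demo-secret";          // constructed, not a real key
        byte[] body = "{\"id\":1001,\"note\":\"caf\u00e9\"}".getBytes(StandardCharsets.UTF_8); // constructed payload
        byte[] digest = hmac(body, secret);
        String header = Base64.getEncoder().encodeToString(digest); // value a sender would put in the header

        System.out.println("valid request        : " + verify(body, header, secret));
        System.out.println("hex vs Base64 header : " + hex(digest).equals(header)); // the question's comparison
        byte[] reserialized = "{\"id\": 1001, \"note\": \"caf\u00e9\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("re-serialized body   : " + verify(reserialized, header, secret));
        System.out.println("missing header       : " + verify(body, null, secret));
        System.out.println("malformed header     : " + verify(body, "not base64!", secret));
    }
}
```

Only the first check passes; the hex comparison, the re-serialized body, the missing header and the malformed header are all rejected.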