Hi,
I’m hitting the same issue as this thread: Webhook has empty x-shiphero-hmac-sha256 signature. PO Update and other webhooks on the same account sign fine.
Tried re-registering under both the 3PL and customer accounts, with and without customer_account_id. No change.
Can someone from ShipHero confirm if this is a known bug on Order Canceled, and what the recommended verification approach is in the meantime?
Thanks in advance,
I’m the OP of the thread you linked. I had to use the user_agent as a validation method to verify that the request is coming from Ship Hero.
Thanks @kevchcm, greatly appreciate your response!
I will definitely consider using that as an initial filter.
I do hope that ShipHero responds to this matter because the absence of the hmac signature still leaves us vulnerable to spoofing, especially when dealing with a webhook that signals order cancellations.
The problem here lies in the mismatch between the shop_name that comes on the order and the shop_name used when the webhook was registered. If the order doesn’t include a shop_name, the webhook will compute the HMAC-SHA256 using the shop_name it was given when it was registered. But if the order comes with a shop_name, the webhook will look for an entry in API settings containing that shop_name. If it doesn’t find one, it won’t compute the HMAC digest. So the workaround here is to create an API credential for the shop_name that comes on orders.
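The following is an added example of a receiving-side verifier that mirrors the secret lookup described in the reply above; it is not ShipHero's code and nothing in it comes from their implementation. It assumes the HMAC key is the API credential registered for the shop_name (keyed by shop_name in a constructed dictionary), that the signature header carries a base64 digest (switch to hex if your account sends that), and that header names arrive lowercased. An empty or missing x-shiphero-hmac-sha256 header is treated as a hard rejection rather than a reason to fall back to a weaker check.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample credentials keyed by shop_name. Assumption: the secret used
# for the webhook HMAC is the API credential registered for that shop_name.
API_CREDENTIALS = {
    "my-store": b"constructed-secret-for-my-store",
}
# Assumption: shop_name supplied when the webhook itself was registered.
REGISTERED_SHOP_NAME = "my-store"

SIGNATURE_HEADER = "x-shiphero-hmac-sha256"  # header name from the thread


def select_secret(payload: dict) -> Optional[bytes]:
    """Pick the HMAC key the way the thread describes the sender doing it:
    the order's shop_name wins; without one, the registration-time shop_name
    is used. Returns None when no credential exists for that shop_name, which
    is the situation that produces an empty signature on the wire."""
    shop_name = payload.get("shop_name") or REGISTERED_SHOP_NAME
    return API_CREDENTIALS.get(shop_name)


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact raw request body, base64-encoded (assumption)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: dict, raw_body: bytes) -> bool:
    """Return True only for a present, well-formed, matching signature."""
    received = headers.get(SIGNATURE_HEADER, "").strip()
    if not received:
        return False  # empty or absent header: reject, never accept unsigned
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False
    secret = select_secret(payload)
    if secret is None:
        return False  # no credential for this shop_name: cannot verify
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


def build_sample_request(payload: dict, secret: bytes) -> Tuple[dict, bytes]:
    """Constructed helper that plays the sender: serialise and sign a payload."""
    raw_body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return {SIGNATURE_HEADER: compute_signature(secret, raw_body)}, raw_body


if __name__ == "__main__":
    order = {"order_number": "1001", "shop_name": "my-store", "status": "canceled"}
    headers, body = build_sample_request(order, API_CREDENTIALS["my-store"])
    print("signed request verifies:", verify_webhook(headers, body))
    print("empty signature rejected:", not verify_webhook({SIGNATURE_HEADER: ""}, body))
    print("tampered body rejected:",
          not verify_webhook(headers, body.replace(b"canceled", b"shipped")))
    other = {"order_number": "1002", "shop_name": "other-shop", "status": "canceled"}
    h2, b2 = build_sample_request(other, b"whatever")
    print("unknown shop_name rejected:", not verify_webhook(h2, b2))
```

Verify against the raw bytes of the body, not a re-serialised copy, since any whitespace or key-order change alters the digest. Once the API credential for the order's shop_name exists on both sides, `select_secret` finds a key and the cancellation webhook verifies like the others.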