Hi,
I’m hitting the same issue as this thread: Webhook has empty x-shiphero-hmac-sha256 signature . PO Update and other webhooks on the same account sign fine.
Tried re-registering under both the 3PL and customer accounts, with and without customer_account_id. No change.
Can someone from ShipHero confirm if this is a known bug on Order Canceled, and what the recommended verification approach is in the meantime?
Thanks in advance,
I’m the OP of the thread you linked. I had to use the user_agent as a validation method to verify that the request is coming from Ship Hero.
Thanks @kevchcm, greatly appreciate your response!
I will definitely consider using that as an initial filter.
I do hope that ShipHero responds to this matter because the absence of the hmac signature still leaves us vulnerable to spoofing, especially when dealing with a webhook that signals order cancellations.
The problem here lies on the mismatch between the shop_name that comes on the order and the shop_name used when the webhook was registered. If order doesn’t include a shop_name, the webhook will compute the HMAC-SHA256 using the shop_name it was given when it was registered. But if order comes with a shop_name, webhook will look for an entry on API settings containing that shop_name. If it doesn’t find that, it won’t compute the HMAC digest. So the workaround here will be the create an API credential for the shop_name that comes on orders.
Hi @sgriffin, thanks for raising this, and thanks @kevchcm for sharing the workaround.
I would not recommend using the User-Agent as the primary verification method. It can be useful as an extra coarse filter, but the HMAC signature is the right mechanism for verifying that the webhook came from ShipHero.
For the Order Canceled webhook specifically, the signature is generated using API credentials that match the order’s shop_name for that account, with fallback to default credentials when available. If the webhook was registered under one shop_name, but the canceled order has a different shop_name and there is no API credential/secret for that shop, the webhook may be delivered without the X-Shiphero-HMAC-SHA256 header.
The recommended fix is to create API credentials for the same shop_name that appears on the order / webhook payload, then register the Order Canceled webhook for that shop. After that, the HMAC header should be included.