feat: option to disable webhooks validation

seka19 · Aug 1, 2021 · eafbcba · eafbcba
1 parent 9423192
commit eafbcba
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/src/ShopifyApp/Middleware/AuthWebhook.php b/src/ShopifyApp/Middleware/AuthWebhook.php
@@ -4,6 +4,7 @@
 
 use Closure;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Response;
 use OhMyBrew\ShopifyApp\Facades\ShopifyApp;
 
@@ -16,7 +17,7 @@ class AuthWebhook
      * Handle an incoming request to ensure webhook is valid.
      *
      * @param \Illuminate\Http\Request $request
-     * @param \Closure                 $next
+     * @param \Closure $next
      *
      * @return mixed
      */
@@ -26,11 +27,13 @@ public function handle(Request $request, Closure $next)
         $shop = $request->header('x-shopify-shop-domain');
         $data = $request->getContent();
 
-        $hmacLocal = ShopifyApp::createHmac(['data' => $data, 'raw' => true, 'encode' => true]);
-        if (!hash_equals($hmac, $hmacLocal) || empty($shop)) {
+        if (!Config::get('shopify-app.skip_webhook_validation')) {
+            $hmacLocal = ShopifyApp::createHmac(['data' => $data, 'raw' => true, 'encode' => true]);
+            if (!hash_equals($hmac, $hmacLocal) || empty($shop)) {
 
-            // Issue with HMAC or missing shop header
-            return Response::make('Invalid webhook signature.', 401);
+                // Issue with HMAC or missing shop header
+                return Response::make('Invalid webhook signature.', 401);
+            }
         }
 
         // All good, process webhook

diff --git a/src/ShopifyApp/resources/config/shopify-app.php b/src/ShopifyApp/resources/config/shopify-app.php
@@ -94,10 +94,16 @@
     /**
      * Use only for test mode!
      * Disable redirects to Shopify to get token, confirm scopes etc.
-     * and suppose any logged in shop is authorized
+     * and suppose any logged-in shop is authorized
      */
     'skip_auth_redirect' => (bool)env('SHOPIFY_SKIP_AUTH_REDIRECT', false),
 
+    /**
+     * Use only for test mode!
+     * Accept and process webhooks ignoring HMAC signature
+     */
+    'skip_webhook_validation' => (bool)env('SHOPIFY_SKIP_WEBHOOK_VALIDATION', false),
+
     /*
     |--------------------------------------------------------------------------
     | Shopify App Name