Skip to content

Instantly share code, notes, and snippets.

Forked from gavinballard/
Created April 4, 2017 00:43
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Python view decorator for the HMAC verification of a Shopify Webhook.
import hashlib, base64, hmac, json, settings
def shopify_webhook(f):
A decorator thats checks and validates a Shopify Webhook request.
def _hmac_is_valid(body, secret, hmac_to_verify):
hash =, secret, hashlib.sha256)
hmac_calculated = base64.b64encode(hash.digest())
return hmac_calculated == hmac_to_verify
def wrapper(request, *args, **kwargs):
# Try to get required headers and decode the body of the request.
webhook_topic = request.META['HTTP_X_SHOPIFY_TOPIC']
webhook_hmac = request.META['HTTP_X_SHOPIFY_HMAC_SHA256']
webhook_data = json.loads(request.body)
return HttpResponseBadRequest()
# Verify the HMAC.
if not _hmac_is_valid(request.body, settings.SHOPIFY_API_SECRET, webhook_hmac):
return HttpResponseForbidden()
# Otherwise, set properties on the request object and return.
request.webhook_topic = webhook_topic
request.webhook_data = webhook_data
return f(request, args, kwargs)
return wrapper
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment