Merge pull request #508 from Shopify/liz/return-401

Return 401 for invalid HMAC on webhook event

.changeset/popular-jokes-roll.md

@@ -0,0 +1,5 @@
+---
+'@shopify/shopify-app-remix': patch
+---
+
+Now `authenticate.webhook(request);` will return 401 Unauthorized when webhook HMAC validation fails.

packages/shopify-app-remix/src/server/authenticate/webhooks/__tests__/authenticate.test.ts

@@ -130,7 +130,7 @@ describe('Webhook validation', () => {
     expect(admin?.graphql.session).toBe(session);
   });
 
-  it('throws a 400 on invalid HMAC', async () => {
+  it('throws a 401 on invalid HMAC', async () => {
     // GIVEN
     const shopify = shopifyApp(testConfig());
 
@@ -147,7 +147,7 @@ describe('Webhook validation', () => {
     );
 
     // THEN
-    expect(response.status).toBe(400);
+    expect(response.status).toBe(401);
   });
 
   it.each([

packages/shopify-app-remix/src/server/authenticate/webhooks/authenticate.ts

@@ -1,4 +1,8 @@
-import {ApiVersion, ShopifyRestResources} from '@shopify/shopify-api';
+import {
+  ApiVersion,
+  ShopifyRestResources,
+  WebhookValidationErrorReason,
+} from '@shopify/shopify-api';
 
 import type {BasicParams, MandatoryTopics} from '../../types';
 import {AdminApiContext, adminClientFactory} from '../../clients';
@@ -42,8 +46,16 @@ export function authenticateWebhookFactory<
     });
 
     if (!check.valid) {
-      logger.debug('Webhook validation failed', check);
-      throw new Response(undefined, {status: 400, statusText: 'Bad Request'});
+      if (check.reason === WebhookValidationErrorReason.InvalidHmac) {
+        logger.debug('Webhook HMAC validation failed', check);
+        throw new Response(undefined, {
+          status: 401,
+          statusText: 'Unauthorized',
+        });
+      } else {
+        logger.debug('Webhook validation failed', check);
+        throw new Response(undefined, {status: 400, statusText: 'Bad Request'});
+      }
     }
 
     const sessionId = api.session.getOfflineId(check.domain);