Securing Mechanic webhooks

Mechanic webhooks are configured properly for CORS, which makes them suitable for submissions from your online store's frontend.

These webhooks do not authenticate the caller: anyone who learns the webhook URL can post any payload to it, so a task must not trust a submitted field such as a customer ID on its own. You can add your own verification by signing the value in theme code. Theme Liquid is rendered on Shopify's servers, so the theme can compute an HMAC over the value with a secret that the browser never sees, and the task can recompute it. One might use something like this, in your store's theme code:

customer_id: {{ | json }},
customer_id_signature: {{ | hmac_sha256: "some-secret-value" | json }}

With this in place, one would then use something like this in the corresponding Mechanic task script, reading both submitted values from the incoming event and recomputing the signature with the same secret:

{% assign customer_id = %}
{% assign customer_id_signature = %}
{% comment %}Recompute the HMAC over the submitted ID with the same secret. Do not pipe the result through json here: the submitted signature arrives as a plain string once the webhook body is parsed, so a JSON-quoted expected value would never match it.{% endcomment %}
{% assign expected_customer_id_signature = customer_id | hmac_sha256: "some-secret-value" %}
{% if expected_customer_id_signature != customer_id_signature %}
{% error "Customer ID signature did not match." %}
{% endif %}

This way, any run that gets past the check has a customer_id that was rendered by your own theme, the only place the secret is available: a browser sees the ID and its signature but never the secret, so it cannot produce a valid signature for a different ID. Keep the limits of the check in mind. It covers only the customer_id field; any other submitted field is still unauthenticated unless you sign it too (for example by computing the HMAC over a concatenation of every field the task trusts). A valid ID and signature pair can be replayed by anyone who captured it, since nothing ties it to a particular submission or time. A visitor who is not logged in renders an empty customer ID, and an HMAC of the empty string still verifies, so reject an empty ID before comparing signatures. Finally, the secret is readable by anyone who can edit the theme or the task, so treat it like any other credential.
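The following is an added Python model of both halves of the exchange above; it is not Mechanic's own code and Mechanic runs Liquid, not Python. It assumes that the Liquid hmac_sha256 filter produces a lowercase hex digest and that both sides sign the decimal string form of the customer ID (both are assumptions for illustration). The storefront half shows what the theme renders, the task half performs the check with a constant-time comparison, and the edge cases from the caveats above are handled: an empty or missing ID is rejected, and a tampered ID or a wrong secret fails.

```python
import hashlib
import hmac
import json

# Constructed secret for the example; the real one lives only in theme and task code.
SECRET = "some-secret-value"


def hmac_sha256_hex(value: str, secret: str) -> str:
    """Stand-in for the Liquid hmac_sha256 filter (assumed: lowercase hex HMAC-SHA256)."""
    return hmac.new(secret.encode("utf-8"), value.encode("utf-8"), hashlib.sha256).hexdigest()


def render_storefront_fields(customer_id: int, secret: str = SECRET) -> dict:
    """What the theme snippet renders server-side: the ID and its signature.

    The browser only ever sees these two values, never the secret. The HMAC is
    computed over the decimal string form of the ID; the task must stringify
    the same way or the signatures will never match.
    """
    cid = str(customer_id)
    return {
        "customer_id": customer_id,
        "customer_id_signature": hmac_sha256_hex(cid, secret),
    }


def verify_customer_id(payload: dict, secret: str = SECRET) -> str:
    """Task-side check, mirroring the Liquid task script.

    Returns the verified customer ID as a string, or raises ValueError
    (the equivalent of the {% error %} tag stopping the task run).
    """
    customer_id = str(payload.get("customer_id") or "")
    presented = str(payload.get("customer_id_signature") or "")
    # A logged-out visitor renders an empty/null customer ID, and HMAC("")
    # still verifies, so reject it explicitly instead of treating it as real.
    if not customer_id:
        raise ValueError("Customer ID is missing.")
    expected = hmac_sha256_hex(customer_id, secret)
    # Constant-time comparison. Note that a JSON-quoted expected value
    # ('"abc..."') would never equal the unquoted submitted string.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("Customer ID signature did not match.")
    return customer_id


def signature_valid(payload: dict, secret: str = SECRET) -> bool:
    """Boolean wrapper for callers that prefer no exceptions."""
    try:
        verify_customer_id(payload, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed webhook body: the storefront's fetch() posts the rendered fields as JSON.
    body = json.dumps({"action": "newsletter_signup", **render_storefront_fields(1234567890)})
    print(verify_customer_id(json.loads(body)))

    tampered = json.loads(body)
    tampered["customer_id"] = 42  # forged ID, original signature left in place
    print(signature_valid(tampered))
```

The "action" field in the constructed body is deliberately not covered by the signature, which is exactly the gap described above: a captured ID and signature pair could be replayed with any action the task accepts. If the task acts on more than the customer ID, sign every trusted field together.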