Django Webhook Unauthorized Issue on Azure Despite Successful Local Testing
I have a Django + React project hosted on Azure. I'm using Azure Postgres as my database, and my webhook handler is set up to receive events from an external API (Seal Subscriptions). The webhook `subscriptions/create` event sends a `POST` request to my Django backend at:
https://vitaverde-backend.greensky-92f80007.eastus.azurecontainerapps.io/shopify/webhook/subscription/
However, I keep getting the following error in my Azure backend log stream:
```
ws 11 128676314590080 Received webhook request
2025-03-04T00:39:38.1700588Z stderr F ERROR 2025-03-04 00:39:38,169 views 11 128676314590080 Unauthenticated user request
2025-03-04T00:39:38.1701766Z stderr F WARNING 2025-03-04 00:39:38,170 log 11 128676314590080 Unauthorized: /shopify/webhook/subscription/
```
Debugging Steps Taken
Tested Webhook Locally:
- I wrote a `test_webhook.sh` script, which successfully sends a `POST` request with the correct headers and HMAC signature.
- The webhook persists data correctly to my Azure Postgres DB.

Test Script:
```bash
#!/bin/bash
PAYLOAD='{"test": true, "customer": {"first_name": "Test", "last_name": "User", "email": "test@example.com"}}'
SEAL_SECRET="seal_secret_****************************"
SIGNATURE=$(echo -n "$PAYLOAD" | openssl dgst -sha256 -hmac "$SEAL_SECRET" | cut -d' ' -f2)

curl -X POST \
  "https://vitaverde-backend.greensky-92f80007.eastus.azurecontainerapps.io/shopify/webhook/customer-creation/" \
  -H "Content-Type: application/json" \
  -H "X-Seal-Token: seal_token_*************************" \
  -H "X-Seal-Hmac-Sha256: $SIGNATURE" \
  -d "$PAYLOAD" \
  -v

echo -e "\n\nPayload: $PAYLOAD"
echo "Signature: $SIGNATURE"
```
Ensured CSRF Exemption for Webhook:
In `settings.py`, I added the webhook endpoint to `CSRF_EXEMPT_URLS`:
```python
CSRF_EXEMPT_URLS = [
    'shopify/webhook/subscription/',
    'shopify/webhook/customer-creation/',
    'api/customer/webhook/seal-delivery/',
]
```
Explicitly allowed the domain in `CSRF_TRUSTED_ORIGINS`:
```python
CSRF_TRUSTED_ORIGINS = [
    'https://vitaverde-frontend.greensky-92f80007.eastus.azurecontainerapps.io',
    'https://www.vitaverde.store',
    'https://vitaverde.store',
    'http://localhost:3000',
    'https://app.sealsubscriptions.com',
]
```
Webhook View Configuration:
I ensured my webhook view does not require authentication and is CSRF-exempt:
```python
from django.views.decorators.csrf import csrf_exempt
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from django.http import JsonResponse


@csrf_exempt
@api_view(['POST'])
@permission_classes([AllowAny])
def shopify_webhook_subscription(request):
    # Process webhook payload
    return JsonResponse({"message": "Webhook received"}, status=200)
```
Issue
- The webhook works fine when tested via `test_webhook.sh`.
- However, when Seal Subscriptions makes the request, my Django logs show an authentication error.
- This makes me suspect an issue with request headers, CSRF enforcement, or CORS settings on Azure.
Questions
- Why does the webhook fail only when Seal Subscriptions sends the request?
- Could Azure be enforcing additional security checks that block external requests?
- How can I debug this further to see exactly what request headers Seal Subscriptions is sending?
Any insights would be greatly appreciated! 🚀
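
For the third question, an added example (not code from the post or from Seal Subscriptions): a framework-independent helper that prepares incoming headers for logging with secret values redacted, and a check that reports why the signature comparison fails. The header names come from the test script above; that the signature is HMAC-SHA256 over the raw request body, sent hex or base64 encoded, is an assumption, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Header names are taken from the test script in the post.
SIG_HEADER = "x-seal-hmac-sha256"
SENSITIVE = {SIG_HEADER, "x-seal-token", "authorization", "cookie"}


def redact_headers(headers):
    """Return a copy that is safe to log: lowercased names, secrets replaced by length."""
    safe = {}
    for name, value in headers.items():
        key = name.lower()
        if key in SENSITIVE:
            # Length alone is a useful hint: SHA-256 is 64 chars as hex, 44 as base64.
            value = "<redacted, %d chars>" % len(value)
        safe[key] = value
    return safe


def diagnose_signature(headers, raw_body, secret):
    """Compare the received signature with HMAC-SHA256 of the raw body bytes.

    Returns "missing-header", "ok-hex", "ok-base64" or "mismatch".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIG_HEADER, "").strip()
    if not received:
        return "missing-header"
    # Sign the bytes exactly as received; re-serialized JSON yields a different MAC.
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    if hmac.compare_digest(received.lower().encode(), digest.hex().encode()):
        return "ok-hex"
    if hmac.compare_digest(received.encode(), base64.b64encode(digest)):
        return "ok-base64"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a captured request.
    secret, body = "example-secret", b'{"test": true}'
    sig = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    hdrs = {"Content-Type": "application/json",
            "X-Seal-Token": "example-token",
            "X-Seal-Hmac-Sha256": sig}
    print(redact_headers(hdrs))
    print(diagnose_signature(hdrs, body, secret))
```

In a Django view the inputs would be `dict(request.headers)` and `request.body`, read before anything parses the JSON, with the returned reason written to the log next to the redacted headers.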