From 852c9d5a940a39cb37bc72f81e5b4fa15a9937f5 Mon Sep 17 00:00:00 2001
From: Paulo Margarido <64600052+paulomarg@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:35:55 -0400
Subject: [PATCH] Return 401 on webhook validation errors
---
 CHANGELOG.md | 2 ++
 src/webhooks/__tests__/registry.test.ts | 8 ++++----
 src/webhooks/registry.ts | 4 ++--
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4269f8406..1317bb7a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## Unreleased
+- Return a 401 instead of 403 when webhooks fail validation [#425](https://github.com/Shopify/shopify-api-node/pull/425)
+
 ## [4.1.0] - 2022-07-14
 - Add new method to construct the host app URL [#419](https://github.com/Shopify/shopify-api-node/pull/419)
diff --git a/src/webhooks/__tests__/registry.test.ts b/src/webhooks/__tests__/registry.test.ts
index e88c85887..8d0975cc0 100644
--- a/src/webhooks/__tests__/registry.test.ts
+++ b/src/webhooks/__tests__/registry.test.ts
@@ -387,7 +387,7 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .expect(StatusCode.Ok);
 });
- it('handles the request and returns Forbidden when topic is not registered', async () => {
+ it('handles the request and returns Not Found when topic is not registered', async () => {
 ShopifyWebhooks.Registry.addHandler('NONSENSE_TOPIC', {
 path: '/webhooks',
 webhookHandler: genericWebhookHandler,
@@ -409,10 +409,10 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .post('/webhooks')
 .set(headers({hmac: hmac(Context.API_SECRET_KEY, rawBody)}))
 .send(rawBody)
- .expect(StatusCode.Forbidden);
+ .expect(StatusCode.NotFound);
 });
- it('handles the request and returns Forbidden when hmac does not match', async () => {
+ it('handles the request and returns Unauthorized when hmac does not match', async () => {
 ShopifyWebhooks.Registry.addHandler('PRODUCTS', {
 path: '/webhooks',
 webhookHandler: genericWebhookHandler,
@@ -434,7 +434,7 @@ describe('ShopifyWebhooks.Registry.process', () => {
 .post('/webhooks')
 .set(headers({hmac: hmac('incorrect secret', rawBody)}))
 .send(rawBody)
- .expect(StatusCode.Forbidden);
+ .expect(StatusCode.Unauthorized);
 });
 it('fails if the given body is empty', async () => {
diff --git a/src/webhooks/registry.ts b/src/webhooks/registry.ts
index 6487ff3a8..3abc87913 100644
--- a/src/webhooks/registry.ts
+++ b/src/webhooks/registry.ts
@@ -422,13 +422,13 @@ const WebhooksRegistry: RegistryInterface = {
 responseError = error;
 }
 } else {
- statusCode = StatusCode.Forbidden;
+ statusCode = StatusCode.NotFound;
 responseError = new ShopifyErrors.InvalidWebhookError(
 `No webhook is registered for topic ${topic}`,
 );
 }
 } else {
- statusCode = StatusCode.Forbidden;
+ statusCode = StatusCode.Unauthorized;
 responseError = new ShopifyErrors.InvalidWebhookError(
 `Could not validate request for topic ${topic}`,
 );
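Review bot: The Unauthorized test at the end of the `@@ -434` hunk only asserts the status code, so it would still pass if the handler ran before the 401 was sent; add `expect(genericWebhookHandler).not.toHaveBeenCalled();` after the `.expect(StatusCode.Unauthorized)` line, assuming `genericWebhookHandler` is a mock (its definition is outside the hunk). A wrong-secret signature is only one failure mode; a case with the HMAC header absent, and one with a non-base64 value, would pin the same 401 path and guard against a validator that treats a missing header as a pass. Whether such cases already exist elsewhere in this describe block is not visible here.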
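Review bot: The 401 branch at the end of the hunk builds its error from `${topic}`, which is still an unverified request header at that point, so if `responseError.message` is written into the HTTP response (not visible here) the failure path reflects attacker-controlled input back to an unauthenticated caller. A fixed client-facing text such as `'Could not validate request'` avoids that, with the topic kept for server-side logging only. Keeping the 404 for an unregistered topic inside the validated branch is the right ordering, since it leaves registered-topic enumeration behind the HMAC check; a one-line comment there, e.g. `// unauthenticated callers never reach this branch, so 404 cannot be used to enumerate topics`, would stop a later refactor from hoisting it. The `if` that selects these branches, the enclosing `process` function and the HMAC comparison itself (which should be a constant-time compare) all begin before the hunk and are not visible here.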