Hmac verification stop working

Solved
lirang
Tourist
5 0 1

Hello, my Shopify app verification process suddenly stopped working in the last few days after a year in which everything worked.

In my installation flow, I get the followings params: code, state, shop, timestamp. I use HmacSHA256 and then comate it with the hmac I got in the request.

Please help me understand what am I missing and why it suddenly stop working...

 

BTW, I read in a similar post something about a new param: host, however when I tried to add it to the controller, the request didn't work at all

AskarAlim
New Member
4 0 0

I was facing the same problem before, then I've found out there is another param 'host'.

authenticate-with-oauth mentioned that "This query string is merely an example, and the request parameters provided by Shopify could be subject to change. Your verification strategy should not depend on the parameters in the example above."

0 Likes
longtruong
Tourist
4 0 0

Me too. It work OK before. Now it can't verify hmac

0 Likes
phuoclong1088
Shopify Partner
1 0 0

From yesterday, I can't 'validateSignature'

0 Likes
darrynten
Shopify Partner
20 1 7

This is an accepted solution.

Please make sure you're validating your HMAC against _all_ values (except the hmac itself)

You should not be manually selecting params from the query, you must verify everything that comes through.

If you don't your app will break whenever a new param is added as it will change the hmac.

@darrynten
0 Likes