Need help with HMAC Signature Validation in JS - Please!

Shopify Partner

Hey,

I am having trouble with my HMAC signature validation. I cannot get my generated hash to match the passed hmac value.

I am using the following code to try and achieve this, but obviously I'm doing something wrong.

I'm building my app in JS using MeteorJS.

The token parameter I'm passing here is the permanent token generated for the given shop.

Please can someone help me out here...

Thanks,

Luke


// CryptoJS is the crypto-js library (loaded as a Meteor package here)
var shopifySignatureValidation = function(params, token) {

    // Build the message from a fixed set of parameters: the code slot is filled
    // with the shop's permanent access token rather than params.code
    var message = 'code=' + token + '&shop=' + params.shop + '&timestamp=' + params.timestamp;

    // HMAC-SHA256 the message with the app's shared secret; toString() gives hex
    var hash = CryptoJS.HmacSHA256(message, ShopifyApi.options.secret).toString();

    // Compare against the hmac query parameter Shopify sent
    return hash === params.hmac;
};


Shopify Staff (Retired)

On the second line, have you tried replacing token with params.code?

Shopify Expert

Also, don't hardcode the message that way. See http://ecommerce.shopify.com/c/shopify-apis-and-technology/t/hmac-verify-app-install-request-using-p...

Check out my apps: Social Call-to-Action [https://apps.shopify.com/social-call-to-action] and Fliptabify [https://apps.shopify.com/fliptabify]. I also maintain the Shopify API client in PHP [https://github.com/phpish/shopify] and PHP Quickstart Skeletons for building Shopify apps: [https://github.com/phpish/shopify_app-skeleton] and [https://github.com/phpish/shopify_private_app-skeleton]
Shopify Partner


Thanks for the reply Josh.

The reason I am not using params.code, as you've mentioned, is that I am trying to verify normal requests after the app authorisation process is complete. So I believe that instead of params.code you need to use the permanent access token here?

Is this correct, or have I got that wrong?

Thanks!

Shopify Partner

Thanks Sandeep.

I was just doing it that way as the simplest way, just to get it working initially, but maybe that's not helping me. I will try using a map as mentioned.

Would using a string as I've done actually stop this from working, though? The post you linked to mentions "without outputting raw binary data"... is this related?

Shopify Expert

The verification process allows you to "trust" that the query parameters your app received in a redirect from Shopify actually came from them. Other than the auth redirect and webhooks, IIRC, there are no other "normal requests" that come from Shopify, and so they don't require the verification step. The HMAC is only for the query parameters, and you shouldn't need/use the permanent OAuth token there.

Shopify Expert

There shouldn't be a problem hardcoding the string that way for now, but that code will not work if Shopify introduces additional parameters. For example, see this thread from when Shopify introduced the HMAC verification process and broke all apps that had hardcoded the MD5 verification step.

Shopify Partner

Thanks Sandeep. I understand what you're saying here, but I'm developing an embedded app.

I need to verify requests that are sent via the Shopify admin.

I don't want to have a separate login / auth process for my app. I want to use the embedded SDK and verify requests so I know the user is real and from a given shop admin.

Does that make sense? Maybe I'm not understanding something quite right.

Thanks.

Shopify Expert

I haven't built an embedded app yet, but AIUI from the docs, it looks like it (OAuth) works the same there: "OAuth will behave normally in your app, as it would for any other Shopify apps" except for the "escaping the iframe" caveat.

Shopify Partner

Ok, let's leave the embedded element out of this for now, as it could get confusing.

I'll give an example of needing to use the permanent token in place of the code parameter for an HMAC verification:

When in a store admin, on the apps page, if a user clicks an app, Shopify then redirects, in a new window, to the app redirect URL. Shopify sends 3 URL params as part of the redirect: hmac, shop and timestamp.

No code param.

So I believe that in order to verify this request, you need to use the permanent access token (previously generated and stored) for this shop, in place of the code param.

Can a member of the Shopify team please confirm whether this is true or not?

Thanks.
