Hi everyone,
I'm having issues with HMAC validation. Sometimes it's valid, sometimes it's not.
Some examples where my HMAC is valid are URLs such as DOMAIN/shipping-zone or DOMAIN/settings.
However, URLs such as the domain root, or a query with hmac, timestamp, etc. PLUS an additional parameter, are not valid.
Am I approaching this incorrectly?
```php
// Reject requests without a timestamp or older than one day
if (!isset($query['timestamp'])) return false;
$seconds_in_a_day = 24 * 60 * 60;
$older_than_a_day = $query['timestamp'] < (time() - $seconds_in_a_day);
if ($older_than_a_day) return false;
$shared_secret = $_ENV['SHOPIFY_API_SECRET_KEY'];
// Take the received hmac out of the parameters before rebuilding the message
$hmac_header = $query['hmac'];
unset($query['hmac']);
$data = urldecode(http_build_query($query));
// Hex-encoded HMAC-SHA256 of the rebuilt query string
$calculated_hmac = hash_hmac('sha256', $data, $shared_secret, false);
$verified = hash_equals($hmac_header, $calculated_hmac);
return $verified;
```
If you are familiar enough with Ruby, there's a sample routine on one of the Shopify documentation pages --> https://shopify.dev/tutorials/manage-webhooks. Perhaps this could shed some light.
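For the query-string check in the question, an added PHP example (not the poster's code and not Shopify's): it assumes the signed message is every parameter except `hmac`, sorted by key and joined as `key=value` with `&`, with plain string values only. The function names, secret and sample parameters are constructed for illustration.

```php
<?php
// Added example. Assumption: signed message = all parameters except "hmac",
// sorted by key, joined as key=value with "&". Confirm against the platform docs.

function build_message(array $query): string
{
    unset($query['hmac']);
    ksort($query, SORT_STRING);           // order must not depend on how the URL arrived
    $pairs = [];
    foreach ($query as $key => $value) {
        $pairs[] = $key . '=' . $value;   // already-decoded string values, no re-encoding
    }
    return implode('&', $pairs);
}

function verify_query(array $query, string $secret, int $now, int $max_age = 86400): bool
{
    // Reject missing or non-string fields before any comparison
    if (!isset($query['hmac'], $query['timestamp'])) return false;
    foreach ($query as $value) {
        if (!is_string($value)) return false;   // array parameters are out of scope here
    }
    if (!ctype_digit($query['timestamp'])) return false;
    if ((int) $query['timestamp'] < $now - $max_age) return false;

    $expected = hash_hmac('sha256', build_message($query), $secret);
    return hash_equals($expected, $query['hmac']);   // known string first, constant time
}

// Constructed round trip: sign sample parameters, then present them in another order.
$secret = 'constructed-test-secret';
$now    = 1700000000;
$params = ['shop' => 'example.myshopify.com', 'timestamp' => (string) $now, 'locale' => 'en'];
$hmac   = hash_hmac('sha256', build_message($params), $secret);

$arrived = ['timestamp' => $params['timestamp'], 'shop' => $params['shop'], 'locale' => 'en'];

// Sorted rebuild: verification does not depend on arrival order.
var_dump(verify_query($arrived + ['hmac' => $hmac], $secret, $now));

// Unsorted rebuild in arrival order produces a different message and digest.
$unsorted = urldecode(http_build_query($arrived));
var_dump(hash_equals($hmac, hash_hmac('sha256', $unsorted, $secret)));

// A parameter that was not part of the signed set changes the message, so the check fails.
var_dump(verify_query($arrived + ['hmac' => $hmac, 'extra' => '1'], $secret, $now));
```

If a router or framework merges its own keys into `$query`, they become part of the message; build it only from the parameters that arrived in the signed request.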