I'm having issues with HMAC validation. Sometimes it's valid sometimes it's not.
Some examples where my HMAC is valid are URL's such as DOMAIN/shipping-zone or DOMAIN/settings
However URL's such as the domain root or a query with hmac, timestamp and etc PLUS an additional parameter are not valid?
Am I approaching this incorrectly?
if (!isset($query['timestamp'])) return false; $seconds_in_a_day = 24 * 60 * 60; $older_than_a_day = $query['timestamp'] < (time() - $seconds_in_a_day); if ($older_than_a_day) return false; $shared_secret = $_ENV['SHOPIFY_API_SECRET_KEY']; $hmac_header = $query['hmac']; unset($query['hmac']); $data = urldecode(http_build_query($query)); $calculated_hmac = hash_hmac('sha256', $data, $shared_secret, false); $verified = hash_equals($hmac_header, $calculated_hmac); return $verified;