Created an APP extension that adds a post orders button to the orders action. After selecting an order and clicking the post butoon shopify sends this raw request.
GET /data?hmac=ec80a0468b4414504a6ff57de52ed8030e84f489b47f1b9830e91cb1f4203fc7&ids%5B%5D=934477070451&locale=en&shop=ubiquittous.myshopify.com×tamp=1544031593 HTTP/1.1 Host: 08e3e699.ngrok.io Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 X-Forwarded-Proto: https X-Forwarded-For: 220.127.116.11
Spent hours looking for documentation. I have been hashing the following string based on my interpetation of the docs I have read.
If you are wondering what method I am using to hash I am using a xojo routine that looks like this:
sha256 = Crypto.HMAC("my secret", body, Crypto.Algorithm.SHA256)
If any one has any help or suggestions they are greatly appreciated. I apologise if I have created a duplicate thread or asking on the wrong forum. I have seen some people mentioning that undocumented protocol=https:// needed to be added as part of the body, tried it no luck.
The first thing I'm noticing is the ampersand at the beginning of your string (&). Is that intended? Everything else looks fine from what I can tell. There was a period where we were mistakenly including a `protocol` parameter which we have since resolved, so that shouldn't be anything to worry about unless you're seeing it on your end.
I am having some kind of the issue.
I added an Admin Link on "Orders action drop down".
I select 2 orders then click on my app Admin Link, I got a URL with :
Problem is I can't find a way to verify that the request comes from Shopify...
On my code I manage to get the query parameters and prepare for HMAC validation.
Here is an example of what I get :
Array (  => ids=833580236913&ids=831146786929  => locale=en  => shop=shop.myshopify.com  => timestamp=1545221008 )
In PHP, I check the HMAC:
$calculated_hmac = hash_hmac('sha256', implode('&', $params), API_SECRET); // $hmac is hmac from the request query. return hash_equals($hmac, $calculated_hmac);
But hash_equals always returns false...
I think the problems comes from the way I deal with the array of ids because when I try the same code for an Admin Link on "Order details" then I only have 1 parameter id=123456789 and my HMAC validation works.
Anyone can help me about how to deal with ids array ?
|2 hours ago|
|2 hours ago|
|3 hours ago|
|4 hours ago|