Security issue with HMAC Authentication

New Member

In regard to Shopify for API usage, we are using HMAC integrity checks. We have made this group aware that HMAC is NOT authentication.

When it mentions authenticity, that means the authenticity of the payload of a message, not the authentication of the users. To add more security to external APIs, is there any other support from Shopify apart from HMAC? My organization is in the financial domain and does not allow HMAC authentication alone as security. Looking forward to seeing any other options apart from HMAC, like whitelisting source IPs / OAuth2.

This is right now a roadblock to integrating with Shopify. Please provide support on this topic.

1 Like
Shopify Partner

Where is the HMAC authentication coming into play? Are you looking at receiving webhooks or is this a payment processing integration? If it's the former, then perhaps you could perform a polling query on a regular basis. That way your side would be the initiator, and you would have more control over the API request/response process. While this is clunkier than the webhooks automatically informing you of any event, it does lessen the security implications to a degree.

1 Like
Shopify Partner

I'm not quite sure how you are using the API, but in our case we use OAuth2 from Shopify (to generate user-based access tokens).

These are unrelated concerns, as you mentioned: HMAC ensures that the message that is generated by Shopify has the same content (hashing the content with a private key) as when it arrives at your application. It has nothing to do with user-based authentication.

In our case we register our application with each user shop (this is an OAuth2 flow), where we request permission, retrieve a code, then post this code to Shopify to retrieve a token (which is later the only token that can be used by our application to interact with the user data...)

This is a sales channel flow. I'm not sure which flow you are using, but this is 100% OAuth-based authentication... https://shopify.dev/tutorials/authenticate-with-oauth

The Shop Front: Welcome to the eCommerce platform with integrated video, audio and chat. Engage with your customers online and offline with multi-channel conversion tools. Edit your products and prices in realtime and stream them privately. Available in the App store: https://apps.shopify.com/the-shop-front
0 Likes
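The OAuth flow the post above describes (request permission, receive a code, post the code to obtain a token), as an added example that is not the poster's code and not Shopify's: it builds the authorization redirect, checks the callback's `state` nonce and `hmac` query signature before the code is used, and assembles the access-token request as data without performing the network call. The API key, secret, scopes, shop domain and redirect URI are constructed placeholders. The signing rule (every query parameter except `hmac`, sorted by key, joined as `key=value&...`, HMAC-SHA256 hex digest with the app secret) and the hostname pattern are my reading of Shopify's OAuth documentation, not something stated on this page.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Constructed placeholders: substitute the real app credentials from the Partner dashboard.
API_KEY = "example-api-key"
API_SECRET = "example-api-secret"
SCOPES = "read_orders,read_products"
REDIRECT_URI = "https://app.example.com/auth/callback"

# Pattern for a legitimate shop hostname (assumed from Shopify's OAuth guidance).
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")


def new_state() -> str:
    """Per-install nonce. The app stores it server-side and rejects callbacks
    that do not echo it back, so a code cannot be injected into a session."""
    return secrets.token_urlsafe(16)


def build_install_url(shop: str, state: str) -> str:
    """Step 1: redirect the merchant to Shopify's permission prompt."""
    if not SHOP_RE.match(shop):
        raise ValueError("not a *.myshopify.com hostname")
    params = {"client_id": API_KEY, "scope": SCOPES,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"https://{shop}/admin/oauth/authorize?{urlencode(params)}"


def callback_hmac(query: dict, secret: str) -> str:
    """Signature over the callback query: drop `hmac`, sort by key,
    join as key=value&..., HMAC-SHA256 with the app secret, hex digest."""
    message = "&".join(f"{k}={v}" for k, v in sorted(query.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query: dict, secret: str, expected_state: str) -> bool:
    """Step 2: accept the callback only if the nonce, the shop hostname and
    the signature all check out. Comparisons are constant-time."""
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        return False
    if not SHOP_RE.match(query.get("shop", "")):
        return False
    expected = callback_hmac(query, secret).encode()
    return hmac.compare_digest(expected, query.get("hmac", "").encode())


def token_exchange_request(shop: str, code: str) -> dict:
    """Step 3: the POST the app sends to swap the one-time code for the
    permanent access token. Returned as data; no network call is made here."""
    return {
        "url": f"https://{shop}/admin/oauth/access_token",
        "json": {"client_id": API_KEY, "client_secret": API_SECRET, "code": code},
    }


if __name__ == "__main__":
    state = new_state()
    print(build_install_url("demo-shop.myshopify.com", state))
    # A constructed callback, signed the way Shopify would sign it:
    cb = {"code": "one-time-code", "shop": "demo-shop.myshopify.com",
          "state": state, "timestamp": "1600000000"}
    cb["hmac"] = callback_hmac(cb, API_SECRET)
    if verify_callback(cb, API_SECRET, state):
        print(token_exchange_request(cb["shop"], cb["code"]))
```

The `state` check is what ties the callback to a session the app itself started; the `hmac` check only proves the query came from a holder of the app secret, which is the same distinction the thread draws between message authenticity and user authentication.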
Trailblazer

I believe you can use the new JWT for this which provides a session token from App Bridge.
0 Likes
Shopify Partner

So @digital11, how are you working with these HMAC signatures? If it's on the receiving end of a webhook then there's only so much control you have over them. I know you can customize to a degree which record fields are being passed along with the webhook request you're seeing. But other than the HMAC signature, I'm not sure any other authentication/authorization/validation mechanism is available. Part of the HMAC validation is based on a specific API secret that's used to create the hash. So if that API secret is associated with a specific Shopify API "user" then you can deduce that this is the user who initiated the webhook request.

0 Likes
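Webhook verification as the replies in this thread describe it (the signature proves the raw body was produced by a holder of the app secret, and the secret that matches tells you which registered app or API "user" the request belongs to), as an added example that is neither the posters' code nor Shopify's. It assumes the base64-encoded HMAC-SHA256 carried in the `X-Shopify-Hmac-Sha256` header, which is how Shopify signs webhook deliveries; the two app secrets, the shop domain and the request body are constructed. It also shows the limit a practitioner needs to know: only the body is covered, so request headers such as the shop domain, and any byte-for-byte replay of a valid request, pass the check unchanged.

```python
import base64
import hashlib
import hmac

# Constructed secrets for two hypothetical apps; real ones come from the Partner dashboard.
APP_SECRETS = {
    "orders-app": "constructed-secret-A",
    "inventory-app": "constructed-secret-B",
}

HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def webhook_hmac(raw_body: bytes, secret: str) -> str:
    """base64(HMAC-SHA256(secret, raw body)). Compute it over the bytes exactly
    as received: re-serialising parsed JSON changes whitespace and key order
    and breaks the match."""
    digest = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(raw_body: bytes, header_value: str, secret: str) -> bool:
    """Constant-time comparison so response timing does not leak how much of
    a guessed signature was correct."""
    expected = webhook_hmac(raw_body, secret).encode()
    return hmac.compare_digest(expected, (header_value or "").encode())


def identify_signer(raw_body: bytes, header_value: str):
    """The deduction from the thread: a valid signature tells you which app
    secret produced it, hence which registered app / API 'user' the request
    belongs to. It says nothing about which person acted in the shop."""
    for app_name, secret in APP_SECRETS.items():
        if verify_webhook(raw_body, header_value, secret):
            return app_name
    return None


def handle_webhook(headers: dict, raw_body: bytes) -> tuple:
    """Minimal handler: reject before parsing the body, then tag the event
    with the app whose secret signed it."""
    app_name = identify_signer(raw_body, headers.get(HMAC_HEADER, ""))
    if app_name is None:
        return (401, "invalid signature")
    # Only the body is signed. Headers such as X-Shopify-Shop-Domain arrive
    # unsigned, so treat them as hints and take the shop identity from the
    # signed body or from your own record of which shop installed the app.
    shop_hint = headers.get("X-Shopify-Shop-Domain", "unknown")
    return (200, {"app": app_name, "shop_hint": shop_hint, "bytes": len(raw_body)})


if __name__ == "__main__":
    body = b'{"id": 1, "total_price": "10.00"}'  # constructed sample body
    sig = webhook_hmac(body, APP_SECRETS["inventory-app"])
    print(handle_webhook({HMAC_HEADER: sig, "X-Shopify-Shop-Domain": "demo.myshopify.com"}, body))
    print(handle_webhook({HMAC_HEADER: sig}, body + b" "))
```

Because the check is keyed only on the secret and the body, a stored valid request replays successfully; if that matters for the integration, the receiver has to track delivered event identifiers from the body itself, which the HMAC alone does not do.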