HMAC Verification

BGilbert
Shopify Expert
30 0 14

Is anyone else suddenly having problems with their calculated HMACs coming out as invalid?

Andrew_Womersle
Tourist
6 0 2

Hi, 

We are experiencing the same issue.

An app that has worked fine for over 1 year has suddenly stopped verifying the HMAC. Another app which uses the same HMAC validation code is working fine.

Both apps are embedded apps, using the admin link functionality.

Anyone got any ideas?

Thanks
Andrew.

0 Likes
Rob_Curry
Shopify Partner
53 0 10

Hi,

Yes, i started seeing this yesterday but only on some apps. HMAC validation is failing!

My solution was to create a new app in the partner dashboard with the same information and then update my app to use a different key - not ideal but worked.

Hoping shopify can fix this asap!

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 298

Hey everyone,

We've identified the cause of the issue and are working on deploying a fix as soon as we can. In the mean time, you should be able to get by this issue by removing the `protocol` and `locale` parameters from the query string you're running through the SHA256 function.

0 Likes
Rob_Curry
Shopify Partner
53 0 10

Hey Alex,

Is removing the protocol and locale a permanent fix or just a temporary one? Do you have an ETA on the fix?

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 298

For now you can expect it to be a temporary fix. If there's anything anyone needs to revert or adjust before the fix is deployed I'll post here with details.

 

PS

Hoping to have this shipped today

0 Likes
BGilbert
Shopify Expert
30 0 14

Some of our other apps that didn't have the issue are now having the issue.

0 Likes
Alex
Shopify Staff
Shopify Staff
1555 81 298

This was occurring as part of a rollout of an update to the embedded app sdk, so this is being applied to more and more shops. For now, the safest bet would be to first try computing an hmac like normal (all params) and if that fails, tryng again without the locale and protocol params.

Sorry for the headaches everyone, he team is nearly finished writing the fix and it should be deploying before too long.

0 Likes
Cynthia_Stamou
Tourist
19 0 2

For those of us that have implemented the temporary fix, are our apps going to be OK after the Shopify team issue a fix?

 

This made our day (actually late night for my time zone). Support incidents coming in, then trying to  investigate, then applying the temp fix and now wondering whether we need to revert the temp fix in the next few hours. 

IMHO, for an incident like this, you should have sent  a "heads-up"  email to app publishers. 

★ Pro Bar Maker app: Email/FreeShipping/Discount/... Bars ⟿ ★ Shopideo app: Add product video
0 Likes
BGilbert
Shopify Expert
30 0 14

The fix will work as long as you try with the locale & protcol, then if it doesn't work try without it.

 

We're having another issue now with ShopifyApp.redirect no longer working :( (from app.js) is this related?

0 Likes