Hmac Verification for Bulk Actions




It seems that I'm doing something wrong when trying to verify the hmac for the Bulk action.


My code is taken from the koa-shopify-auth:



const querystring = require('querystring');
const crypto = require('crypto');

const apiSecret = "APP_SECRET";
// req is the incoming request object of the route handler; hmac and signature
// are pulled out, everything else goes into the message that gets signed
const {hmac: _hmac, signature: _signature, ...map} = req.query;

// Sort the remaining keys alphabetically, as koa-shopify-auth does
let orderedMap = Object.keys(map)
  .sort((a, b) => a.localeCompare(b))
  .reduce((accum, key) => {
    accum[key] = map[key];
    return accum;
  }, {});

// querystring.stringify turns an array value into repeated keys (ids=...&ids=...)
const message = querystring.stringify(orderedMap);
const generatedHash = crypto
  .createHmac('sha256', apiSecret)
  .update(message)
  .digest('hex');

console.log(generatedHash, _hmac, message);

// generatedHash => 0f01a761392920bd30ef605590accce89a8280891cbcb671a2e1d4b3bd59ea60
// _hmac         => 7c3f5fae53c3a5017146c4e23bd6af0fbe35054e4f009572860f39eb325c28a9
// message       => ids=4266725539892&ids=4268494946356&locale=en&object=product&

The issue is that it doesn't work for multiple ids.


Example query response: 



{
  locale: 'en',
  object: 'product',
  shop: '',
  single: 'false',
  timestamp: '1571296530',
  ids: ['4266725539892', '4268494946356'],
  hmac: '0f01a761392920bd30ef605590accce89a8280891cbcb671a2e1d4b3bd59ea60'
}

The code works for a single id, so the issue should be in the ids array.


Has someone faced this issue before?


What I have tried by guessing:

  1. join(',') for the ids array - fail
  2. changing the querystring variable from ids= to ids[]= - fail
  3. changing the word argument ids to id - fail
  4. using a single id - fail
  5. removing the additional query params ( object and single ) - fail

Let me know what you come up with. I'm essentially having the same exact issue. I saw this thread here providing more details on what is expected from the hmac calculation but it's still failing for me. For reference here is the query object I'm using to validate HMAC:


{ hmac:
locale: 'en',
timestamp: '1571680135',
shop: '',
ids: [ '1' ] }


Hi @Conner_Pope 


I haven't found a solution yet.


I saw the thread before posting but it didn't work for me as well.


I saw a few apps that have the option for Bulk Actions and are not working, so it seemed that the issue was recent or it wasn't working from the start.



hello @ikolarov , I have actually figured out what you need to do. It's a bit confusing but this is how I made it work.


When you get a bulk product request, you will receive a URL query like this:


What you must do is parse this URL query. What I did is I created an array, and for each ids%5B%5D within the query I add the value (object ID) to the array. I then send this to the backend to verify the Hmac. 


So, on the backend where you actually verify the Hmac, this is what Shopify expects... They expect you to add this array into the sorted query for the hmac calculated signature.


What this means is in your sorted query string, you must add ids to be in this (string) format: ids=["1", "2"] ... Note, this is not an array data type, this is a string that you must print out using the array sent from the client. Also note, the formatting needs to be precise, you must have double quotations ("), and you must add a single character of white space in between values.


This is what you must do. I have no idea why there is no documentation on any of this.


Hi @Conner_Pope 


Thank you!


I gave up on this and I was considering even not adding the functionality to the App.


I can't stress enough how dumb this is. As you said, this should be properly documented somewhere.


Tested it and it works without a problem. 


Thanks once again for the solution!


Wow @Conner_Pope thank you so much for figuring this out - I have no idea how you did it. I was banging my face against the wall trying to figure this out. This is crazy dumb and confusing and I agree it should be documented somewhere.


Just to confirm, the string to match against should look like (not included):


`ids=["1", "2"]&locale=en-US&`


I'll verify and update for confirmation. 


My guess based on this is that nobody with a bulk action app extension is validating that requests actually come from Shopify 🥴