Hmac verification fail

New Member
4 0 0

I have a problem with my app. I am developing an app in node.js until yesterday everything worked correctly, today it does not let you authenticate ... according to what we find is that the hmac that shopify sends, with which it is built from the store url + timestamp + secret-key. Please help...

 

This is my code, functional until yesterday

signIn(
        hmac: string,
        shop: string,
        timestamp: string,
        code?: string,
    ): Promise<LoginUserDto> {
        return new Promise(
            (
                resolve: (result: LoginUserDto) => void,
                reject: (reason: ErrorResult) => void,
            ): void => {
                this.userRepository.getUserByEmail(shop).then((user: User) => {
                    if (!user) {
                        let userDto: CreateUserDto = {
                            shopUrl: shop,
                        };
                        let loginUserDto: LoginUserDto = {
                            newUser: true,
                            redirect: '',
                        };
                        const state = nonce();
                        const redirectUrl = redirectAddress;
                        const installUrl =
                            'https://' +
                            shop +
                            '/admin/oauth/authorize?client_id=' +
                            apiKey +
                            '&scope=' +
                            scopes +
                            '&state=' +
                            state +
                            '&redirect_uri=' +
                            redirectUrl;
                        loginUserDto.redirect = installUrl;
                        resolve(loginUserDto);
                    } else {
                        if (shop && hmac) {
                            let loginUserDto: LoginUserDto = user;
                            //Validate request is from Shopify
                            let query: any = {
                                shop: shop,
                                timestamp: timestamp,
                            };
                            const map = Object.assign({}, query);
                            const message = querystring.stringify(map);
                            const providedHmac = Buffer.from(hmac, 'utf-8');
                            const generatedHash = Buffer.from(
                                crypto
                                    .createHmac('sha256', apiSecret)
                                    .update(message)
                                    .digest('hex'),
                                'utf-8',
                            );
                            let hashEquals = false;

                            try {
                                hashEquals = crypto.timingSafeEqual(
                                    generatedHash,
                                    providedHmac,
                                );
                            } catch (e) {
                                hashEquals = false;
                            }

                            if (!hashEquals) {
                                console.log('hmac failed');
                                let loginUserDto: LoginUserDto = user;
                                loginUserDto.newUser = false;
                                loginUserDto.hmac = false;
                                loginUserDto.redirect =
                                    'https://' + shop + '/admin';
                                resolve(loginUserDto);
                            } else {
                                let loginUserDto: LoginUserDto = user;
                                loginUserDto.newUser = false;
                                loginUserDto.hmac = true;
                                resolve(loginUserDto);
                            }

                            const accessTokenRequestUrl =
                                'https://' + shop + '/admin/oauth/access_token';
                            const accessTokenPayload = {
                                client_id: apiKey,
                                client_secret: apiSecret,
                                code,
                            };
                        } else {
                            let loginUserDto: LoginUserDto = user;
                            loginUserDto.newUser = false;
                            loginUserDto.hmac = false;
                            loginUserDto.redirect =
                                'https://' + shop + '/admin/apps';
                            resolve(loginUserDto);
                        }
                        resolve(user);
                    }
                }); /*.catch((error) => {
                reject(new InternalServerErrorResult(ErrorCode.GeneralError, error));
            });*/
            },
        );
    }
0 Likes
New Member
4 0 0

The app has not been modified for more than a month, it has been tested and worked correctly until yesterday ...

0 Likes