const map = Object.assign({}, req.query);
delete map.signature;
let message = querystring.stringify(map);
message = message.split('&').sort().join('&');
console.log('message', message);
const providedSignature = Buffer.from(signature, 'utf-8');
const generatedHash = Buffer.from(
crypto
.createHmac('sha256', apiSecret)
.update(message)
.digest('hex'),
'utf-8'
);
let hashEquals = false;
console.log('generatedHash', generatedHash);
console.log('providedSignature', providedSignature);
// timingSafeEqual will prevent any timing attacks. Arguments must be buffers
try {
hashEquals = crypto.timingSafeEqual(generatedHash, providedSignature);
// timingSafeEqual will return an error if the input buffers are not the same length.
} catch (e) {
hashEquals = false;
};
on the given URL - https://help.shopify.com/en/api/guides/application-proxies
the code sample present to verify the integrity of API proxy requests.
I wrote Nodejs code but this is not working. Please help
I followed the ruby algo:
https://help.shopify.com/en/api/guides/application-proxies#security
const generatedHash = crypto .createHmac('sha256', SHOPIFY_API_SECRET_KEY) .update(hmacHeader) .digest('hex'); console.log(generatedHash, signature);