"Security: Calculate a digital signature" in nodejs

New Member
  const crypto = require('crypto');
  const querystring = require('querystring');

  // Assumption: the signature to check is the `signature` query parameter.
  const signature = req.query.signature;
  const map = Object.assign({}, req.query);
  delete map.signature;
  let message = querystring.stringify(map);
  message = message.split('&').sort().join('&');
  console.log('message', message);
  const providedSignature = Buffer.from(signature, 'utf-8');
  const generatedHash = Buffer.from(
    crypto
      .createHmac('sha256', apiSecret)
      .update(message)
      .digest('hex'),
    'utf-8'
  );
  let hashEquals = false;
  console.log('generatedHash', generatedHash);
  console.log('providedSignature', providedSignature);
  // timingSafeEqual will prevent any timing attacks. Arguments must be buffers
  try {
    hashEquals = crypto.timingSafeEqual(generatedHash, providedSignature);
  // timingSafeEqual will throw an error if the input buffers are not the same length.
  } catch (e) {
    hashEquals = false;
  }

On the given URL - https://help.shopify.com/en/api/guides/application-proxies

the code sample is present to verify the integrity of API proxy requests.

I wrote Node.js code but this is not working. Please help.

 

 

 

0 Likes
Tourist

I followed the Ruby algo:

https://help.shopify.com/en/api/guides/application-proxies#security

 

  const generatedHash = crypto
    .createHmac('sha256', SHOPIFY_API_SECRET_KEY)
    .update(hmacHeader)
    .digest('hex');

  console.log(generatedHash, signature);

 

0 Likes
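An added example, not code from either poster or from Shopify: a Node.js port of the Ruby procedure in the linked guide (drop `signature`, render each parameter as `key=value` with repeated values joined by commas, sort, concatenate with no separator, HMAC-SHA256 with the shared secret, compare in constant time). The function names, the secret and the sample query string are constructed for the demo.

```javascript
const crypto = require('crypto');

// Build the string that gets signed: every parameter except `signature`,
// rendered as key=value (repeated keys joined with ','), sorted, then
// concatenated with NO separator. Values are the URL-decoded ones.
function canonicalMessage(queryString) {
  const grouped = new Map();
  for (const [key, value] of new URLSearchParams(queryString)) {
    if (key === 'signature') continue;
    if (!grouped.has(key)) grouped.set(key, []);
    grouped.get(key).push(value);
  }
  return [...grouped]
    .map(([key, values]) => `${key}=${values.join(',')}`)
    .sort()
    .join('');
}

// Raw HMAC-SHA256 of the canonical message (32 bytes).
function sign(message, sharedSecret) {
  return crypto.createHmac('sha256', sharedSecret).update(message).digest();
}

// Returns true only when the hex `signature` parameter matches.
function verifyProxySignature(queryString, sharedSecret) {
  const provided = new URLSearchParams(queryString).get('signature') || '';
  // A SHA-256 HMAC is 64 hex chars; reject anything else before decoding,
  // because Buffer.from(..., 'hex') silently truncates at invalid characters
  // and timingSafeEqual throws on buffers of different length.
  if (!/^[0-9a-f]{64}$/i.test(provided)) return false;
  const expected = sign(canonicalMessage(queryString), sharedSecret);
  return crypto.timingSafeEqual(expected, Buffer.from(provided, 'hex'));
}

// Constructed sample: the secret and parameters are made up for the demo.
const SAMPLE_SECRET = 'example-shared-secret';
const unsigned = 'extra=1&extra=2&shop=example.myshopify.com' +
  '&path_prefix=%2Fapps%2Fdemo&timestamp=1317327555';
const sampleQuery = `${unsigned}&signature=` +
  sign(canonicalMessage(unsigned), SAMPLE_SECRET).toString('hex');

console.log(canonicalMessage(sampleQuery));
console.log(verifyProxySignature(sampleQuery, SAMPLE_SECRET));
```

The signed string uses decoded values and has no `&` between pairs, so a URL-encoded string re-joined with `&` will not produce a matching HMAC.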