
Invalid Signature for App Proxy


bogdanvalsan
Shopify Partner

Hello, 

We are lately encountering a lot of "Invalid signature" errors when validating app proxy signatures.

Example:
The query string is:
?sections[]=sections--17064511996130__cart-drawer&shop=someshop.myshopify.com&logged_in_customer_id=&path_prefix=/a/page&timestamp=1708383084&signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

For validation, we are calculating the digital signature as per the Shopify documentation available here: https://shopify.dev/docs/apps/online-store/app-proxies#calculate-a-digital-signature

So when generating the HMAC hash, the sorted params string is the following:

$dataString = 'logged_in_customer_id=path_prefix=/a/pagesections=sections--17064511996130__cart-drawershop=someshop.myshopify.comtimestamp=1708383084';


We're using PHP's hash_hmac function to generate the hash as follows: 

$computedSignature = hash_hmac('sha256', $dataString, $sharedSecret);

However, the computed signature does not match the signature from the initial request.

Has anyone else encountered similar problems lately with validating app proxy signatures?

I suspect the problems are generated only when the initial request contains array params (such as sections in the example above), because any requests without array params seem to validate signatures perfectly fine.

Any help or ideas are highly appreciated.

Thanks,

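For reference, an added example that is not part of the original post and not Shopify's code: signature verification that works from the raw query string instead of `$_GET`, because PHP's query parsing renames `sections[]` to `sections` and turns its value into an array. It assumes, following the procedure in the documentation linked above, that each parameter is signed under the name it has on the wire, with repeated values joined by commas; the function names and the secret are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: rebuild the signed string from the RAW query string
// (in a real request: $_SERVER['QUERY_STRING']), keeping names like "sections[]".
function appProxyMessage(string $rawQuery, ?string &$signature = null): string
{
    $params = [];
    foreach (explode('&', ltrim($rawQuery, '?')) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $key = urldecode($key);
        $value = urldecode($value);
        if ($key === 'signature') {
            $signature = $value;          // excluded from the signed string
            continue;
        }
        $params[$key][] = $value;         // collect repeated parameters
    }
    $parts = [];
    foreach ($params as $key => $values) {
        $parts[] = $key . '=' . implode(',', $values);
    }
    sort($parts, SORT_STRING);            // byte-wise sort of "key=value" strings
    return implode('', $parts);           // joined with no separator
}

function verifyAppProxySignature(string $rawQuery, string $sharedSecret): bool
{
    $signature = null;
    $message = appProxyMessage($rawQuery, $signature);
    if ($signature === null) {
        return false;                     // unsigned request: reject
    }
    $expected = hash_hmac('sha256', $message, $sharedSecret);
    return hash_equals($expected, $signature);   // constant-time comparison
}

// Constructed demo: placeholder secret, signature generated locally.
$secret = 'constructed-demo-secret';
$query = 'sections[]=sections--17064511996130__cart-drawer&shop=someshop.myshopify.com'
       . '&logged_in_customer_id=&path_prefix=/a/page&timestamp=1708383084';
$signed = $query . '&signature=' . hash_hmac('sha256', appProxyMessage($query), $secret);
echo appProxyMessage($signed), PHP_EOL;   // the string that gets signed
var_dump(verifyAppProxySignature($signed, $secret));
var_dump(verifyAppProxySignature($signed, 'wrong-secret'));
```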