Hello,
Lately we have been encountering a lot of "Invalid signature" errors when validating app proxy signatures.
Example:
The query string is:
?sections[]=sections--17064511996130__cart-drawer&shop=someshop.myshopify.com&logged_in_customer_id=&path_prefix=/a/page&timestamp=1708383084&signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
For validation, we are calculating the digital signature as per the Shopify documentation available here: https://shopify.dev/docs/apps/online-store/app-proxies#calculate-a-digital-signature
So when generating the HMAC hash, the sorted params string is the following:
$dataString = 'logged_in_customer_id=path_prefix=/a/pagesections=sections--17064511996130__cart-drawershop=someshop.myshopify.comtimestamp=1708383084';
We're using PHP's hash_hmac function to generate the hash as follows:
$computedSignature = hash_hmac('sha256', $dataString, $sharedSecret);
However, the computed signature does not match the signature from the initial request.
Has anyone else encountered similar problems lately with validating app proxy signatures?
I suspect the problems are generated only when the initial request contains array params (such as sections in the example above), because any requests without array params seem to validate signatures perfectly fine.
Any help or ideas are highly appreciated.
Thanks,
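
One way to build the signed string from the raw query string rather than from PHP's parsed `$_GET`, as an added example that is not part of the original post or Shopify's code. It assumes that keys are kept exactly as sent (including `[]`) and that repeated values are joined with commas; the function names, secret and sample query are hypothetical.

```php
<?php
// Added example. Assumptions: keys stay exactly as sent (brackets included)
// and repeated keys have their values joined with ",".
function appProxyDataString(string $rawQuery): array
{
    $params = [];
    $signature = null;
    foreach (explode('&', ltrim($rawQuery, '?')) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Split on the first "=" only; parse_str()/$_GET would rewrite "sections[]".
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $key = urldecode($key);
        if ($key === 'signature') {
            $signature = urldecode($value);
            continue;
        }
        $params[$key][] = urldecode($value);
    }
    $parts = [];
    foreach ($params as $key => $values) {
        $parts[] = $key . '=' . implode(',', $values);
    }
    sort($parts, SORT_STRING); // byte-wise sort of the "key=value" strings
    return [implode('', $parts), $signature];
}

function isValidAppProxyRequest(string $rawQuery, string $sharedSecret): bool
{
    [$dataString, $signature] = appProxyDataString($rawQuery);
    if ($signature === null) {
        return false; // unsigned request
    }
    $expected = hash_hmac('sha256', $dataString, $sharedSecret);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Constructed sample: sign a query locally, then verify it and a tampered copy.
$secret = 'constructed-secret';
$query = 'sections[]=a&sections[]=b&shop=someshop.myshopify.com'
    . '&logged_in_customer_id=&path_prefix=/a/page&timestamp=1708383084';
[$data] = appProxyDataString($query);
$signed = $query . '&signature=' . hash_hmac('sha256', $data, $secret);
var_dump($data);
var_dump(isValidAppProxyRequest($signed, $secret));
var_dump(isValidAppProxyRequest(str_replace('/a/page', '/a/other', $signed), $secret));
```

In a real handler the input would be `$_SERVER['QUERY_STRING']`, so the bracketed key reaches the HMAC unchanged instead of being folded into a PHP array.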