ProductAppendImages is sorting query params in image URLs before requesting them

tim_allen
Visitor
1 0 1

We are using the graphQL API to send images through to Shopify. We have noticed that recently it seems shopify are sorting query string parameters in these (signed) URLs before attempting to download the images.

For example:
We are using imgix for these images.

This is what we actually sent to the shopify API:

https://marketplacer.imgix.net/x2/cdwq9uxbS-bfbPG_RPKXG20yE.jpg?auto=format&fm=pjpg&fit=max&w=2048&h...

This what shopify requested:

https://marketplacer.imgix.net/x2/cdwq9uxbS-bfbPG_RPKXG20yE.jpg?auto=format&fit=max&fm=pjpg&h=2048&s...

The re-ordering of the parameters or any change of the URL can render the original signature invalid; a generated signature only works on a specific URL.  It may be if you try the URLs that they are both working, but _initially_ the reordered one would 403 because it's not yet in cache in imgix.  Aftering trying the "original" one, in some cases, the image goes into cache at imgix and then both versions work.  That's a red herring however.  The essential point is that ideally shopify would not re-order parameter in this manner as it breaks auth in some cases.

Reply 1 (1)

awwdam
Shopify Staff
249 42 36

Hey @tim_allen,

I would be happy to take a closer look at this, and see if I can provide any additional insights or context. Would you be able to replicate this behaviour again potentially with a different URL of the same structure, and log the x-request-id header value returned in the API response headers we send.

If you can share this as well as any additional details about your initial request and response I can try to locate request logs on our end and pass on next steps or insights. 

- Cheers

awwdam | API Support @ Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog