
Private App Proxy HMAC Validation Issue

Gregarican
Shopify Partner

Okay, I have a private app that I've created for my store. Its primary intent is to act as an app proxy to my external API. My API web server is seeing the proxied HTTP requests, but I'm having trouble validating the HMAC signature. I was able to validate the initial HMAC signature that was part of the private app being successfully installed. But subsequent HTTP requests hitting my API web server aren't being validated.

Here's an example:

Query parameters that are being sent --> shop=dch-development.myshopify.com&path_prefix=%2Fapps%2Fdch-webapi&timestamp=1539440498&signature=e4605bd67188d57958f457b4eba0d09f06bb7ab0fe3ca5c4680eb0d28f1c3aba&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be

Here is a Ruby sample script that takes out the signature parameter, but the resulting hash doesn't match the signature above:

require 'openssl'
require 'uri'

# Query string with the signature parameter removed, still URL-encoded.
# Note: URI.escape re-encodes the already-encoded %2F as %252F (see the output
# below) and was removed in Ruby 3.0.
msg = URI.escape('path_prefix=%2Fapps%2Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be')
puts "Query parameters are : " + msg

# HMAC-SHA256 over the message, keyed with the app's shared secret, as hex.
digest = OpenSSL::Digest.new('sha256')
key = 'MY_APP_SECRET'
hash = OpenSSL::HMAC.hexdigest(digest, key, msg)
puts "Derived hash is : " + hash

The results are:

Query parameters are : path_prefix=%252Fapps%252Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be
Derived hash is : f6ff2a39c531abcd18d6176a9be6735f074e120367e2f0844b264a05804b28af

Any suggestions?

Replies (2)

Gregarican
Shopify Partner

I used the sample Ruby code as-is found here --> https://help.shopify.com/en/api/guides/application-proxies. And it worked fine based on the example. I then pasted in my own query string listed in the thread above, and changed the SHARED_SECRET to be my app's API Secret Key value, as found on my Partner site under Apps --> App --> App Setup. The signature and my derived signature didn't match.

Still running into a brick wall. Does anyone have a point in the right direction?

Gregarican
Shopify Partner

It works now. I have to strip the X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be query parameter that's passed along. This must be something added by my web server as it receives the incoming HTTP request. Works fine now!
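For reference, here is an added verifier (example code written for this page, not the poster's script or Shopify's own library) that follows the app proxy rule from the documentation linked above: URL-decode the parameters, drop "signature", render each as key=value (repeated values comma-joined), sort, concatenate with no separator, HMAC-SHA256 with the shared secret, and compare in constant time. It also drops parameters injected downstream, such as the X-ARR-LOG-ID the thread identifies; the secret and the signed request below are constructed for the example.

```ruby
require 'openssl'
require 'uri'

# Constructed secret for this example only; the real one comes from the
# Partner dashboard and belongs in configuration, not source code.
EXAMPLE_SECRET = 'example-shared-secret-not-real'

# Parse a raw query string into { key => [values...] } with URL-decoding,
# so "%2Fapps%2Fdch-webapi" becomes "/apps/dch-webapi", the form Shopify signs.
def parse_query(query)
  URI.decode_www_form(query).each_with_object({}) { |(k, v), h| (h[k] ||= []) << v }
end

# Build the signed message: every parameter except "signature" and any keys
# added by infrastructure in front of the API (X-ARR-LOG-ID in the thread),
# rendered as "key=v1,v2", sorted, and concatenated with NO separator.
def proxy_message(params, ignored_keys)
  params.reject { |k, _| k == 'signature' || ignored_keys.include?(k) }
        .map { |k, vs| "#{k}=#{vs.join(',')}" }
        .sort
        .join
end

def proxy_signature(secret, message)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, message)
end

# Length-checked, constant-time comparison so the check does not leak how
# many leading bytes of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns true only when the presented signature matches the recomputed one.
def valid_proxy_request?(query, secret, ignored_keys: ['X-ARR-LOG-ID'])
  params = parse_query(query)
  presented = params['signature']&.first
  return false if presented.nil?
  expected = proxy_signature(secret, proxy_message(params, ignored_keys))
  secure_equal?(presented, expected)
end

# Constructed request: sign the Shopify-provided parameters, then append the
# parameter the reverse proxy in the thread tacked on before forwarding.
def build_example_query(secret)
  base = 'shop=dch-development.myshopify.com&path_prefix=%2Fapps%2Fdch-webapi&timestamp=1539440498'
  sig = proxy_signature(secret, proxy_message(parse_query(base), []))
  "#{base}&signature=#{sig}&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be"
end
```

Keep the ignored-key list limited to parameters you know your own infrastructure adds; anything else that fails to verify should be rejected rather than stripped.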