Okay, I have a private app that I've created for my store. Its primary intent is to act as an app proxy to my external API. My API web server is seeing the proxied HTTP requests, but I'm having trouble validating the HMAC signature. I was able to validate the initial HMAC signature that was part of the private app being successfully installed. But subsequent HTTP requests hitting my API web server aren't being validated.
Here's an example:
Query parameters that are being sent --> shop=dch-development.myshopify.com&path_prefix=%2Fapps%2Fdch-webapi&timestamp=1539440498&signature=e4605bd67188d57958f457b4eba0d09f06bb7ab0fe3ca5c4680eb0d28f1c3aba&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be
Here is a Ruby sample script that takes out the signature parameter, but the resulting hash doesn't match the signature above:
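require 'openssl'
require 'uri'

# Query string with the signature parameter removed, then escaped
msg = URI.escape('path_prefix=%2Fapps%2Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be')
puts "Query parameters are : " + msg
# HMAC-SHA256 of the escaped string, keyed with the app secret, hex-encoded
digest = OpenSSL::Digest.new('sha256')
key = 'MY_APP_SECRET'
hash = OpenSSL::HMAC.hexdigest(digest,key,msg)
puts "Derived hash is : " + hash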
The results are:
Query parameters are : path_prefix=%252Fapps%252Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be
Derived hash is : f6ff2a39c531abcd18d6176a9be6735f074e120367e2f0844b264a05804b28af
I used the sample Ruby code as-is found here --> https://help.shopify.com/en/api/guides/application-proxies. And it worked fine based on the example. I then pasted in my own query string listed in the thread above, and changed the SHARED_SECRET to be my app's API Secret Key value, as found on my Partner site under Apps --> App --> App Setup. The signature and my derived signature didn't match.
Still running into a brick wall. Does anyone have a point in the right direction?
It works now. I have to strip the X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be query parameter that's passed along. This must be something added by my web server as it receives the incoming HTTP request. Works fine now!
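The fix described in this thread, as an added example that is not part of the original posts or Shopify's own sample: a verifier that drops parameters injected by the hosting layer before computing the HMAC, following the scheme in the application proxy guide linked above (decoded key=value pairs, sorted, joined with no separator). The function names, `INJECTED_PARAMS` and the secret are assumptions made for illustration; the sample request is constructed from the parameter shapes shown in the thread.

```ruby
require 'openssl'
require 'uri'

# Parameters appended by infrastructure in front of the app, not by Shopify.
# X-ARR-LOG-ID is the one from this thread; extend the list for your own stack.
INJECTED_PARAMS = ['X-ARR-LOG-ID'].freeze

# Message that gets signed: decoded "key=value" pairs, sorted, joined with no
# separator; repeated keys have their values joined with commas.
def proxy_signing_message(pairs)
  grouped = pairs.group_by(&:first)
  grouped.map { |key, kv| "#{key}=#{kv.map(&:last).join(',')}" }.sort.join
end

def compute_proxy_signature(pairs, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret,
                          proxy_signing_message(pairs))
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when the single signature parameter matches the HMAC of the
# remaining parameters, after dropping the injected ones.
def valid_proxy_request?(query_string, secret, injected: INJECTED_PARAMS)
  pairs = URI.decode_www_form(query_string)
  signature = pairs.select { |k, _| k == 'signature' }.map(&:last)
  return false unless signature.length == 1
  signed = pairs.reject { |k, _| k == 'signature' || injected.include?(k) }
  secure_compare(compute_proxy_signature(signed, secret), signature.first)
end

# Constructed sample: placeholder secret, parameter shapes taken from the thread.
SAMPLE_SECRET = 'constructed-test-secret'
SAMPLE_PARAMS = [['shop', 'dch-development.myshopify.com'],
                 ['path_prefix', '/apps/dch-webapi'],
                 ['timestamp', '1539440498']].freeze

def sample_query(extra = '')
  sig = compute_proxy_signature(SAMPLE_PARAMS, SAMPLE_SECRET)
  "#{URI.encode_www_form(SAMPLE_PARAMS)}&signature=#{sig}#{extra}"
end
```

Anything stripped before verification is not covered by the signature, so application code should treat those parameters as unauthenticated input.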