Every request or redirect from Shopify to the client server includes an hmac parameter that can be used to verify the authenticity of the request from Shopify. For each request, you must remove the hmac entry from the query string and process it through an HMAC-SHA256 hash function.
According to the official documentation, and the APIs used until now, it was expected that my verifyRequest middleware, which was correctly verifying other requests, should accept every request being redirected from Shopify. It happens that when I try to use the Billing API, the request does not come signed and then doesn't pass the request verification. Is this expected behavior? The redirect URL only comes with the query string "charge_id=1234567", different from the other requests that were redirected from Shopify, like the app installation callback URL.
Does anyone know what can be done instead? I thought of accepting the request without verifying it, signing it myself, and redirecting myself to the correct endpoint with the verification middleware.
Thank you very much.
I am having the same problem and found your post. Others have asked this question and have gotten no responses:
This is what I'm going to do (also writing this out for my own benefit to clarify my thinking):
After I wrote the above I found this thread where @Joel-Reeds lays out a similar flow so I think I'm on the right track. But good grief, is it supposed to be this laborious for app developers who want to simply publish an app with a trial + monthly subscription? If Shopify already automatically stops billing merchants when they uninstall our app, why can't they do the same when a merchant installs our app?