Development discussions around Shopify APIs
Hi everyone,
I'm having issues with HMAC validation. Sometimes it's valid, sometimes it's not.
Some examples where my HMAC is valid are URLs such as DOMAIN/shipping-zone or DOMAIN/settings.
However, URLs such as the domain root, or a query with hmac, timestamp, etc. PLUS an additional parameter, are not valid?
Am I approaching this incorrectly?
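```php
// Reject requests that carry no timestamp or no signature.
if (!isset($query['timestamp'], $query['hmac'])) return false;
// Reject requests older than one day.
$seconds_in_a_day = 24 * 60 * 60;
$older_than_a_day = $query['timestamp'] < (time() - $seconds_in_a_day);
if ($older_than_a_day) return false;
$shared_secret = $_ENV['SHOPIFY_API_SECRET_KEY'];
$hmac_header = $query['hmac'];
// The signature itself is not part of the signed message.
unset($query['hmac']);
// Rebuild the query string from the remaining parameters.
$data = urldecode(http_build_query($query));
$calculated_hmac = hash_hmac('sha256', $data, $shared_secret, false);
// Constant-time comparison of the received and calculated digests.
$verified = hash_equals($hmac_header, $calculated_hmac);
return $verified;
```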
If you are familiar enough with Ruby, there's a sample routine on one of the Shopify documentation pages --> https://shopify.dev/tutorials/manage-webhooks. Perhaps this could shed some light.
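An added example, not code from either poster or from Shopify's documentation: a query-string HMAC check that builds the signed message in a fixed key order and shows how reordering, an appended parameter and a changed value each affect verification. The canonical form (keys sorted, `key=value` joined with `&`), the helper names `canonical_message` and `verify_query_hmac`, and the secret and parameters are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the poster's code. Assumption: the signed message is the
// query without "hmac", keys sorted, joined as key=value with "&".

// Hypothetical helper: build the message independently of URL parameter order.
function canonical_message(array $query): string
{
    unset($query['hmac']);
    ksort($query, SORT_STRING);
    $pairs = [];
    foreach ($query as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

// Hypothetical helper: true only for a fresh, correctly signed query.
function verify_query_hmac(array $query, string $secret, int $max_age = 86400): bool
{
    if (!isset($query['hmac'], $query['timestamp'])) return false;
    foreach ($query as $value) {
        // Array values (e.g. from "ids[]") need their own encoding rule; refuse here.
        if (!is_string($value)) return false;
    }
    if (!ctype_digit($query['timestamp'])) return false;
    if ((int) $query['timestamp'] < time() - $max_age) return false;
    $expected = hash_hmac('sha256', canonical_message($query), $secret);
    return hash_equals($expected, $query['hmac']);
}

// Constructed sample data: the secret and parameters are made up.
$secret = 'constructed-test-secret';
$signed = ['shop' => 'example.myshopify.com', 'timestamp' => (string) time()];
$signed['hmac'] = hash_hmac('sha256', canonical_message($signed), $secret);

$cases = [
    'as signed'             => $signed,
    'same params reordered' => array_reverse($signed, true),
    'extra param appended'  => $signed + ['page' => '2'],
    'value changed'         => array_merge($signed, ['shop' => 'other.myshopify.com']),
];
foreach ($cases as $label => $query) {
    printf("%-22s %s\n", $label, verify_query_hmac($query, $secret) ? 'valid' : 'invalid');
}
```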