I'm having issues with HMAC validation. Sometimes it's valid, sometimes it's not.
Some examples where my HMAC is valid are URLs such as DOMAIN/shipping-zone or DOMAIN/settings.
However, URLs such as the domain root, or a query with hmac, timestamp, etc. PLUS an additional parameter, are not valid?
Am I approaching this incorrectly?
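// Reject requests that carry no timestamp.
if (!isset($query['timestamp'])) return false;
// Reject requests whose timestamp is more than a day old.
$seconds_in_a_day = 24 * 60 * 60;
$older_than_a_day = $query['timestamp'] < (time() - $seconds_in_a_day);
if ($older_than_a_day) return false;
$shared_secret = $_ENV['SHOPIFY_API_SECRET_KEY'];
// HMAC value supplied in the query string.
$hmac_header = $query['hmac'];
// Rebuild the query string and compute its HMAC-SHA256 as a hex digest.
$data = urldecode(http_build_query($query));
$calculated_hmac = hash_hmac('sha256', $data, $shared_secret, false);
// Constant-time comparison; hash_equals() takes the known value first, the supplied value second.
$verified = hash_equals($calculated_hmac, $hmac_header);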
If you are familiar enough with Ruby, there's a sample routine on one of the Shopify documentation pages --> https://shopify.dev/tutorials/manage-webhooks. Perhaps this could shed some light.
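An added example, not code from the thread or from Shopify: an order-independent check for the query-string case the question describes. It assumes the signed message is every parameter except `hmac`, sorted by key and joined as `key=value` pairs with `&`, hashed with HMAC-SHA256 (hex) under the app secret; the function names and all demo values are hypothetical.

```php
<?php
declare(strict_types=1);

// Canonical message: every parameter except hmac, sorted by key, joined as k=v&k=v.
// Assumption: values are used exactly as PHP decoded them (e.g. from $_GET).
function shopify_query_message(array $query): ?string
{
    unset($query['hmac']);
    ksort($query, SORT_STRING);
    $pairs = [];
    foreach ($query as $key => $value) {
        if (!is_string($value)) {
            return null; // array-valued parameters are out of scope for this example
        }
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

function verify_shopify_query(array $query, string $secret, int $maxAge = 86400): bool
{
    $hmac = $query['hmac'] ?? null;
    $ts = $query['timestamp'] ?? null;
    if (!is_string($hmac) || !is_string($ts) || !ctype_digit($ts)) {
        return false;
    }
    if ((int) $ts < time() - $maxAge) {
        return false; // stale request
    }
    $message = shopify_query_message($query);
    if ($message === null) {
        return false;
    }
    // Known value first, caller-supplied value second; the comparison is constant-time.
    return hash_equals(hash_hmac('sha256', $message, $secret), $hmac);
}

// Constructed demo values (not real credentials or a real shop).
$secret = 'constructed-demo-secret';
$signed = ['locale' => 'en', 'shop' => 'example.myshopify.com', 'timestamp' => (string) time()];
$hmac = hash_hmac('sha256', shopify_query_message($signed), $secret);

// Same parameters arriving in a different order, with hmac in the middle.
$incoming = ['timestamp' => $signed['timestamp'], 'hmac' => $hmac, 'shop' => $signed['shop'], 'locale' => 'en'];
var_dump(verify_shopify_query($incoming, $secret));                      // order changed only
var_dump(verify_shopify_query(['locale' => 'fr'] + $incoming, $secret)); // locale altered after signing
```

Because the message is rebuilt from sorted keys with `hmac` removed, an extra signed parameter or a different arrival order does not change the outcome, while any change to a value does.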