PHP - HMAC isn't valid on some requests

4 0 1

Hi everyone, 

I'm having issues with HMAC validation. Sometimes it's valid sometimes it's not.

Some examples where my HMAC is valid are URL's such as DOMAIN/shipping-zone or DOMAIN/settings

However URL's such as the domain root or a query with hmac, timestamp and etc PLUS an additional parameter are not valid?

Am I approaching this incorrectly?

if (!isset($query['timestamp'])) return false;

$seconds_in_a_day = 24 * 60 * 60;
$older_than_a_day = $query['timestamp'] < (time() - $seconds_in_a_day);

if ($older_than_a_day) return false;

$shared_secret = $_ENV['SHOPIFY_API_SECRET_KEY'];
$hmac_header = $query['hmac'];
$data = urldecode(http_build_query($query));
$calculated_hmac = hash_hmac('sha256', $data, $shared_secret, false);

$verified = hash_equals($hmac_header, $calculated_hmac);

return $verified;


Reply 1 (1)
Shopify Partner
1020 83 262

If you are familiar enough with Ruby, there's a sample routine on one of the Shopify documentation pages --> Perhaps this could shed some light.