Development discussions around Shopify APIs
Hi Everyone,
I've added a script attempting to verify hmac on my main App URL route, and tried to use a fairly fresh method I found in one of the SDKs.
I also tried a couple of different solutions from Stack Overflow, as well as generating a new API secret, to no avail: the verification always fails (the provided hmac never matches the one my code generates).
Here's the current code, any ideas?
    $getArray = $_GET;
    $hmacProvided = '';
    if (isset($getArray['hmac'])) {
        $hmacProvided = $getArray['hmac'];
        unset($getArray['hmac']);
    } else {
        //hmac value not found
    }
    //deprecated
    if (isset($getArray['signature'])) {
        unset($getArray['signature']);
    }
    $paramStrings = [];
    foreach ($getArray as $key => $value) {
        $paramStrings[] = "$key=$value";
    }
    $str = join('&', $paramStrings);
    $realHmac = hash_hmac('sha256', $str, $apiSecret);
    //
    if (md5($realHmac) === md5($hmacProvided)) {
        $verifyHmac = true;
    } else {
        $verifyHmac = false;
    }
Thanks,
Luke
Have you tried

    $str = join('&', $paramStrings);

instead of

    $str = join('&', $paramStrings);
My code could verify successfully before. But now it can't verify. Do you know of any change in the API?
Please let me know.
did you ksort your params before checking?
    $dataCheck = "code=XXX&shop=MyShop&state=XXXX&timestamp=1619575950";
    $computed_hmac = hash_hmac('sha256', $dataCheck, $my_secret_key);
Hi @darrynten,
Yes. I sort before checking.
It worked before. Suddenly it can't verify. I don't understand why.
You're missing the rest of the params.
You must check *all* params (excl hmac) against the hmac
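The check the replies above describe (every parameter except hmac, sorted by key, then HMAC-SHA256 with the app secret), as an added example that is not part of the original thread. The function name, the secret and the query values are constructed for illustration, and the comparison uses hash_equals in place of the md5 comparison from the first post.

```php
<?php
// Added example, not code from the thread. Secret and query values are constructed.

/**
 * Verify the hmac parameter of a query-string array (e.g. $_GET).
 * Returns true only when the provided hmac matches the one computed
 * over every other parameter, sorted by key.
 */
function verify_query_hmac(array $params, string $secret): bool
{
    if (!isset($params['hmac']) || !is_string($params['hmac'])) {
        return false; // no hmac supplied: reject rather than fall through
    }
    $provided = $params['hmac'];
    unset($params['hmac'], $params['signature']); // signature is deprecated

    ksort($params); // key order must not depend on how the request arrived

    $pairs = [];
    foreach ($params as $key => $value) {
        if (!is_string($value)) {
            return false; // array parameters are out of scope for this sketch
        }
        $pairs[] = "$key=$value";
    }
    $computed = hash_hmac('sha256', implode('&', $pairs), $secret);

    return hash_equals($computed, $provided); // constant-time comparison
}

// Constructed sample request, signed the same way to act as the sender.
$secret = 'constructed-test-secret';
$query = ['shop' => 'example.myshopify.com', 'code' => 'abc123',
          'timestamp' => '1619575950', 'state' => 'nonce42'];
$sorted = $query;
ksort($sorted);
$message = implode('&', array_map(fn($k, $v) => "$k=$v", array_keys($sorted), $sorted));
$query['hmac'] = hash_hmac('sha256', $message, $secret);

var_dump(verify_query_hmac($query, $secret));          // all params present, arrival order unsorted
$partial = $query;
unset($partial['state']);
var_dump(verify_query_hmac($partial, $secret));        // one signed param left out of the check
var_dump(verify_query_hmac(['shop' => 'x'], $secret)); // hmac missing from the request
```

The second call reproduces the "missing the rest of the params" case from the reply above: dropping any signed parameter changes the message and the comparison fails.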
Dear @darrynten,
Thank you so much.
I can verify the hmac successfully. But I can't get the access_token.
Here is my code:
    // $api_key and $secret_key stand in for the poster's redacted credentials
    $query = array(
        "client_id" => $api_key, // Your app credentials (API key)
        "client_secret" => $secret_key, // Your app credentials (secret key)
        "code" => $code // Grab the access key from the URL
    );
    // Generate access token URL
    $access_token_url = "https://" . $shop . "/admin/oauth/access_token";
    // Configure curl client and execute request
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $access_token_url);
    curl_setopt($ch, CURLOPT_POST, count($query));
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($query));
    $result = curl_exec($ch);
    curl_close($ch);
    // Store the access token
    $result = json_decode($result, true);