[PHP] HMAC verification fails

jollysoundcake1
New Member
2 0 0

Hi Everyone,

I've added a script attempting to verify the hmac on my main App URL route, and tried to use a fairly fresh method I found in one of the SDKs.

Also, I tried a couple of different solutions from Stack Overflow, as well as generating a new API secret, to no avail: the verification always fails (the provided hmac never matches the one my code generates).

Here's the current code, any ideas?

            // $apiSecret holds the app's API secret (set earlier, not shown here)
            $getArray = $_GET;
            $hmacProvided = '';
            if (isset($getArray['hmac'])) {
                $hmacProvided = $getArray['hmac'];
                unset($getArray['hmac']);   // the hmac itself is not part of the signed data
            } else {
                // hmac value not found
            }
            // 'signature' is deprecated and must also be excluded
            if (isset($getArray['signature'])) {
                unset($getArray['signature']);
            }
            // build "key=value&key=value" from the remaining params,
            // in the order PHP received them
            $paramStrings = [];
            foreach ($getArray as $key => $value) {
                $paramStrings[] = "$key=$value";
            }
            $str = join('&', $paramStrings);
            $realHmac = hash_hmac('sha256', $str, $apiSecret);
            // constant-time comparison of the two hex digests
            $verifyHmac = hash_equals($realHmac, $hmacProvided);

Thanks,

Luke

Replies 7 (7)
jollysoundcake1
New Member
2 0 0

Anyone?

tomhv
New Member
1 0 0

Have you tried

            $str = join('&', $paramStrings);

instead of

            $str = join('&', $paramStrings);

longtruong
Tourist
4 0 0

My code could verify successfully before, but now it can't verify. Do you know of any change in the API?

Please let me know

darrynten
Shopify Partner
21 1 9

Did you ksort your params before checking?

longtruong
Tourist
4 0 0

Hi @darrynten,

Yes. I sort before checking.

            $dataCheck = "code=XXX&shop=MyShop&state=XXXX&timestamp=1619575950";
            $computed_hmac = hash_hmac('sha256', $dataCheck, $my_secret_key);

It worked before. Suddenly it can't verify. I don't understand why.

darrynten
Shopify Partner
21 1 9

You're missing the rest of the params.

You must check *all* params (excl hmac) against the hmac
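To make the two replies above concrete, here is an added example (not code from any post in this thread) that does what darrynten describes: drop hmac (and the deprecated signature), ksort everything that is left, build the canonical string, and compare the HMAC-SHA256 digest in constant time. The secret and the sample query are constructed placeholders; it uses http_build_query for the canonical string, which for the plain alphanumeric values in this thread yields the same key=value&key=value string the posts build by hand.

```php
<?php
// Added example, not code from any post in this thread. $secret and the
// sample query below are constructed placeholders, not real credentials.

/**
 * Canonical string the hmac is computed over: every query parameter except
 * hmac (and the deprecated signature), sorted by key, joined by
 * http_build_query as key=value&key=value.
 */
function shopifyCanonicalQuery(array $query): string
{
    unset($query['hmac'], $query['signature']);
    ksort($query, SORT_STRING);
    return http_build_query($query);
}

/**
 * True only when $query['hmac'] equals the HMAC-SHA256 hex digest of the
 * canonical string under $secret. hash_equals avoids a timing side channel.
 */
function verifyShopifyHmac(array $query, string $secret): bool
{
    if (!isset($query['hmac']) || !is_string($query['hmac'])) {
        return false; // unsigned request: never accept it
    }
    $expected = hash_hmac('sha256', shopifyCanonicalQuery($query), $secret);
    return hash_equals($expected, $query['hmac']);
}

/**
 * Simulates the signer's side with constructed data: signs the parameters
 * in sorted order, then returns them with the hmac attached but in the
 * order a browser might actually send them (PHP's $_GET keeps arrival order).
 */
function constructedIncomingRequest(string $secret): array
{
    $params = [
        'code'      => 'abc123',
        'shop'      => 'example.myshopify.com',
        'state'     => 'nonce42',
        'timestamp' => '1619575950',
    ];
    $hmac = hash_hmac('sha256', http_build_query($params), $secret);
    return [
        'shop'      => $params['shop'],
        'hmac'      => $hmac,
        'timestamp' => $params['timestamp'],
        'code'      => $params['code'],
        'state'     => $params['state'],
    ];
}

$secret   = 'constructed-example-secret';
$incoming = constructedIncomingRequest($secret);

// 1. Sorted verification, all params except hmac: the digests match.
$sortedOk = verifyShopifyHmac($incoming, $secret);

// 2. What the original post does: hash the params in arrival order with no
//    ksort. The string differs, so the digest differs and the check fails.
$arrivalOrder = $incoming;
unset($arrivalOrder['hmac']);
$arrivalDigest = hash_hmac('sha256', http_build_query($arrivalOrder), $secret);
$unsortedOk = hash_equals($incoming['hmac'], $arrivalDigest);

// 3. Changing any signed parameter (here the shop) must also fail.
$tampered = $incoming;
$tampered['shop'] = 'other.myshopify.com';
$tamperedOk = verifyShopifyHmac($tampered, $secret);

var_dump($sortedOk, $unsortedOk, $tamperedOk);
```

Run it with `php verify.php` and the three dumps show the sorted check succeeding and the other two failing. The hmac only proves the query came from the holder of the secret; the state value still has to be compared with the nonce you stored when the install started, and a missing hmac must be treated as a failed check rather than skipped.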

longtruong
Tourist
4 0 0

Dear @darrynten,

Thank you so much.

I can verify the hmac successfully, but I can't get the access_token.

Here is my code:

            $query = array(
                "client_id"     => $api_key,     // Your app's API key
                "client_secret" => $api_secret,  // Your app credentials (secret key)
                "code"          => $code         // The authorization code from the URL (?code=...)
            );

            // Generate access token URL
            $access_token_url = "https://" . $shop . "/admin/oauth/access_token";

            // Configure curl client and execute request
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_URL, $access_token_url);
            curl_setopt($ch, CURLOPT_POST, true);   // CURLOPT_POST takes a boolean, not a field count
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($query));
            $result = curl_exec($ch);
            if ($result === false) {
                // transport-level failure; curl_error() says why
                $curlError = curl_error($ch);
            }
            curl_close($ch);

            // Store the access token
            $result = json_decode($result, true);