When Shopify redirects to return_url for Billing API, no hmac/signature or shop domain sent

Vaibhav_Sinha
Shopify Partner
1 0 2

Hi

For almost all the APIs where a redirect or server-to-server API call happens from Shopify's end, we get an hmac/signature along with the shop domain to validate if the call originated from Shopify. Is there any specific reason why the same is not the case when Shopify redirects to the return_url that we send while creating an ApplicationCharge/RecurringApplicationCharge using the Billing APIs?

During the redirect, we are only provided with the charge_id as the URL param. Are we expected to maintain a mapping of charge id to shop domain on our end to figure out which shop's access token has to be used to be able to get the ApplicationCharge/RecurringApplicationCharge and to activate it?

benackland
Shopify Partner
1 0 1

I'm also seeing this behavior. Can anyone confirm whether this redirect deliberately does not have both the shop and hmac query string params?

kelseyjudson
Shopify Partner
37 1 16

I'd like to know why this behaviour seems to be inconsistent with the rest of the platform too. It makes things rather more awkward than they need to be.

0 Likes
Ephraim1
New Member
2 0 0

Any resolution here? Having the same issue.

0 Likes
Jakeyd
New Member
4 0 0

Yeah I'm seeing this behaviour also. However, if I leave the return_url blank, then it seems to default to the install url from the app settings with hmac included.

0 Likes
policenauts
Trailblazer
187 9 47

There are old threads in this forum about this strange omission with some workarounds mentioned; please do a search.

0 Likes
HunkyBill
Shopify Expert
4549 48 509

I think you can add to this, Admin Links. They get an HMAC in the querystring and the shop name but there is no indication as to how these are used to validate incoming calls to an App. So when we are using JWT, what are we to do when we get Admin Links as well as this issue with the billing?

As for Billing, I had usually already set up a session, so when Shopify calls the return URL it is already tagged to a session for the store, but I can see how that would not be true for a lot of other use cases.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
0 Likes
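
One way to handle the missing shop/hmac on the billing redirect, as an added example that is not from any poster in this thread or from Shopify: the app puts the shop and its own HMAC into the return_url it sends when creating the charge, then verifies them when the browser comes back. The key, the parameter names (`shop`, `ts`, `sig`), the function names and the one-hour lifetime are assumptions, as is Shopify keeping the existing query string and appending `charge_id` to it.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample key; a real app would load its own server-side secret.
STATE_KEY = b"constructed-demo-key-not-a-real-secret"
SHOP_RE = re.compile(r"[a-z0-9][a-z0-9-]*\.myshopify\.com")
MAX_AGE = 3600  # seconds an approval link stays valid (assumption)


def _sign(shop: str, ts: str, key: bytes) -> str:
    # MAC over the values the app itself chose when creating the charge.
    return hmac.new(key, f"{shop}|{ts}".encode(), hashlib.sha256).hexdigest()


def build_return_url(base_url: str, shop: str, key: bytes = STATE_KEY, now=None) -> str:
    """return_url to send with the charge; carries the shop plus our own MAC."""
    if not SHOP_RE.fullmatch(shop):
        raise ValueError("unexpected shop domain")
    ts = str(int(time.time() if now is None else now))
    query = urlencode({"shop": shop, "ts": ts, "sig": _sign(shop, ts, key)})
    return f"{base_url}?{query}"


def shop_from_return(url: str, key: bytes = STATE_KEY, now=None):
    """Return (shop, charge_id) if the app's own MAC checks out, else None."""
    q = parse_qs(urlsplit(url).query)
    try:
        shop, ts, sig = q["shop"][0], q["ts"][0], q["sig"][0]
        charge_id = q["charge_id"][0]
        age = (time.time() if now is None else now) - int(ts)
    except (KeyError, ValueError):
        return None
    if len(q["shop"]) != 1 or not SHOP_RE.fullmatch(shop):
        return None  # duplicated or malformed shop parameter
    if not (charge_id.isascii() and charge_id.isdigit()):
        return None
    if not 0 <= age <= MAX_AGE:
        return None  # stale or future-dated link
    if not hmac.compare_digest(sig.encode(), _sign(shop, ts, key).encode()):
        return None
    # charge_id was appended after signing, so it is NOT authenticated here:
    # fetch the charge with this shop's token and check it before activating.
    return shop, charge_id
```

The signature only tells the app which shop's access token to use; the charge still has to be fetched with that token and checked before it is activated.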