FROM CACHE - en_header

When shopify redirects to return_url for Billing API, no hmac/signature or shop domain sent

Vaibhav_Sinha
Shopify Partner
1 0 2
‎03-23-2018 11:59 PM

When shopify redirects to return_url for Billing API, no hmac/signature or shop domain sen...

Hi

For almost all the APIs where a redirect or server-to-server API call happens from Shopify end, we get a hmac/signature along with the shop domain to validate if the call originated from shopify. If there any specific reason why the same is not the case when Shopify redirects to return_url that we send while creating a ApplicationCharge/RecurringApplicationCharge using the Billing APIs?

During the redirect, we are only provided with the charge_id as the URL param. Are we expected to maintain a mapping of charge id to shop domain on our end to figure out which shop's access token has to be used to be able to get the ApplicationCharge/RecurringApplicationCharge and to activate it?

974 Views
Report
Replies 6 (6)
benackland
Shopify Partner
1 0 1
‎03-18-2019 07:38 AM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

I'm also seeing this behavior. Can anyone confirm whether this redirect deliberately does not have both the shop and hmac query string params?

962 Views
Report
kelseyjudson
Shopify Partner
42 1 39
‎12-13-2020 05:38 AM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

I'd like to know why this behaviour seems to be inconsistent with the rest of the platform too. It makes things rather more awkward than they need to be.

682 Views
0 Likes
Report
Ephraim1
Tourist
5 1 0
‎04-14-2021 06:43 AM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

any resolution here?  Having the same issue

564 Views
0 Likes
Report
Jakeyd
Shopify Partner
10 1 2
‎04-28-2021 02:57 PM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

Yeah I'm seeing this behaviour also. However, if I leave the return_url blank, then it seems to default to the install url from the app settings with hmac included.

534 Views
0 Likes
Report
policenauts
Shopify Partner
201 9 61
‎04-29-2021 11:55 AM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

There are old threads in this forum about this strange omission with some workarounds mentioned, please do a search. 

509 Views
0 Likes
Report
HunkyBill
Shopify Expert
4828 60 576
‎04-29-2021 01:22 PM

Re: When shopify redirects to return_url for Billing API, no hmac/signature or shop domain...

I think you can add to this, Admin Links. They get an HMAC in the querystring and the shop name but there is no indication as to how these are used to validate incoming calls to an App. So when we are using JWT, what are we to do when we get Admin Links as well as this issue with the billing.

As for Billing, I had usually already setup a session, so when Shopify calls the return URL it is already tagged to a session for the store, but I can see how that would not be true for a lot of other use cases.

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
493 Views
0 Likes
Report

Community Blog Articles

circuits-on-a-whiteboard.jpg
5 Things I Wish I knew Before Starting a Business

Learn these 5 things I had to learn the hard way with starting and running my own business

By Kitana Jan 27, 2023
em_01.png
Building the perfect campaign on the Google Shopping channel - tips from Em...

Would you love to unleash the unbridled power of the Google Shopping Channel into your sho...

By Gabe Jan 6, 2023
em_01.png
How to Launch A Career With Community Forums: Talking with Emmanuel Flossie...

How can you turn a hobby into a career? That’s what Emmanuel did while working as a wa...

By Skye Dec 30, 2022
Terms of Service Privacy Policy