I am using Shopify App Bridge to create an embedded Shopify app.
When a user installs my Shopify app, I verify the user by computing the HMAC and comparing it with the one that Shopify sends me during the install process. I compute the HMAC by calling:
HmacSHA256("shop=some-shop.myshopify.com&timestamp=1568410813","my-shopify-secret-key-found-on-partner-dashboard")
This works perfectly when a user visits the app in the web browser through their Shopify admin. However, when they visit the app in the mobile app the HMAC that I calculate and the HMAC that Shopify provides to me are different.
Any idea why the HMAC wouldn't be the same for both web and mobile?
Hey @trentjones21.
At this time I can't replicate the issue. From what library are you calling HmacSHA256? I don't think this is a part of App Bridge as far as I can tell. When I calculate the HMAC by hand, it computes as expected for both Mobile and the Web.
The params look to be the same across those two platforms too, so I'm at a bit of a loss based on what I see.
Some of my Ruby code:
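    require 'openssl'
    require 'rack'

    # SHARED_SECRET is the app's secret key, defined elsewhere.

    # Constant-time comparison of the supplied hmac with the computed one.
    def secure_request?(params)
      Rack::Utils.secure_compare(params['hmac'], calculate_hmac(params)) # true or false
    end

    # HMAC-SHA256 (hex) over every parameter except hmac itself.
    # Note: this removes 'hmac' from the params hash that is passed in.
    def calculate_hmac(params)
      params.delete('hmac')
      OpenSSL::HMAC.hexdigest('sha256', SHARED_SECRET, sorted_string_params(params))
    end

    # Build "k=v" pairs, sort them, and join with '&'.
    def sorted_string_params(params)
      params.map{|k,v| "#{k}=#{v}"}.sort.join('&')
    end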
Cheers.
Alex | Shopify
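The two approaches in this thread, side by side, as an added example that is not part of either post and not Shopify's code: a verifier that signs every received parameter (as in the Ruby reply) and one that hard-codes the message as `shop` and `timestamp` (as in the question). The secret, the sample query strings, the `extra` parameter and all method names are constructed for illustration.

```ruby
require 'openssl'
require 'uri'

# Constructed placeholder secret, not a real credential.
EXAMPLE_SECRET = 'constructed-example-secret'

# Message = every received parameter except hmac, as sorted "k=v" pairs
# joined by "&" (the same construction as the Ruby reply in the thread).
def signed_message(raw_query)
  URI.decode_www_form(raw_query)
     .reject { |k, _| k == 'hmac' }
     .map { |k, v| "#{k}=#{v}" }
     .sort
     .join('&')
end

def expected_hmac(raw_query, secret)
  OpenSSL::HMAC.hexdigest('sha256', secret, signed_message(raw_query))
end

# Verifier that covers whatever parameters arrived; constant-time compare.
def valid_request?(raw_query, secret)
  supplied = URI.decode_www_form(raw_query).assoc('hmac')&.last
  return false if supplied.nil? || supplied.empty?
  OpenSSL.secure_compare(supplied, expected_hmac(raw_query, secret))
end

# Verifier that hard-codes the message as shop + timestamp only.
def fixed_message_valid?(raw_query, secret)
  q = URI.decode_www_form(raw_query).to_h
  msg = "shop=#{q['shop']}&timestamp=#{q['timestamp']}"
  OpenSSL.secure_compare(q['hmac'].to_s, OpenSSL::HMAC.hexdigest('sha256', secret, msg))
end

# Demo helper: sign a constructed query the way the sending side would.
def sign(query, secret)
  "#{query}&hmac=#{expected_hmac(query, secret)}"
end

# Constructed requests: two parameters, and the same plus a hypothetical extra one.
TWO_PARAMS  = sign('shop=some-shop.myshopify.com&timestamp=1568410813', EXAMPLE_SECRET)
EXTRA_PARAM = sign('timestamp=1568410813&extra=1&shop=some-shop.myshopify.com', EXAMPLE_SECRET)
```

Both verifiers accept `TWO_PARAMS`; only `valid_request?` accepts `EXTRA_PARAM`, because the hard-coded message no longer matches what was signed.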