This works perfectly when a user visits the app in the web browser through their Shopify admin. However, when they visit the app in the mobile app the HMAC that I calculate and the HMAC that Shopify provides to me are different.
Any idea why the HMAC wouldn't be the same for both web and mobile?
At this time I can't replicate the issue. From what library are you calling HmacSHA256? I don't think this is a part of App Bridge as far as I can tell. When I calculate the HMAC by hand, it computes as expected for both Mobile and the Web.
The params look to be the same across those two platforms too, so I'm at a bit of a loss based on what I see.
Some of my Ruby code:
Rack::Utils.secure_compare(params['hmac'], calculate_hmac(params)) # true or false
OpenSSL::HMAC.hexdigest('sha256', SHARED_SECRET, sorted_string_params(params))
Alex | Shopify - Was my reply helpful? Click Like to let me know! - Was your question answered? Mark it as an Accepted Solution - To learn more visit the Shopify Help Center or the Shopify Blog