Hi,
We’ve got an app proxy setup which has been working across our development team. We’ve created a Koa middleware function to check the signature coming from the App Proxy that looks like the following:
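    import * as crypto from 'crypto';

    // Koa middleware: verify the HMAC-SHA256 signature that App Proxy adds to the query string.
    // SHOPIFY_API_SECRET_KEY is expected to be defined elsewhere in the app.
    async function verifyAppProxy(ctx: any, next: Function): Promise<any> {
      const { query } = ctx.request;
      const { signature } = query;
      delete query.signature;
      // Sort the remaining parameters, join multi-valued ones with ',' and
      // concatenate the key=value pairs with no separator.
      const input = Object.keys(query)
        .sort()
        .map((key) => {
          let value = query[key];
          value = Array.isArray(value) ? value : [value];
          return `${key}=${value.join(',')}`;
        })
        .join('');
      const hash = crypto
        .createHmac('sha256', SHOPIFY_API_SECRET_KEY)
        .update(input)
        .digest('hex');
      // Compare in constant time. A repeated signature parameter arrives as an
      // array, so it is treated as an empty value and rejected.
      const given = Buffer.from(typeof signature === 'string' ? signature : '');
      const expected = Buffer.from(hash);
      const valid =
        given.length === expected.length && crypto.timingSafeEqual(given, expected);
      ctx.assert(valid, 403, 'invalid signature');
      return await next();
    }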
For one of our developers though it just won’t work. Once we started debugging the code, we found that App Proxy is sending the Query String twice… for instance, the url should look like
http://123456.ngrok.io/cart?shop=secret-store.myshopify.com&path_prefix=%2Fcommunity%2Fcart&timestamp=1591151903&signature=mysignature
but instead it is coming out looking like this
http://123456.ngrok.io/cart?shop=secret-store.myshopify.com&path_prefix=%2Fcommunity%2Fcart&timestamp=1591151903&signature=mysignature?shop=secret-store.myshopify.com&path_prefix=%2Fcommunity%2Fcart&timestamp=1591151903&signature=mysignature
So the signature ends up coming in as an array with two values
signature = [ "mysignature?shop=secret-store.myshopify.com", "mysignature"]
This seems to be an internal fault in App Proxy itself. We’ve tried removing and then re-adding the App Proxy multiple times, yet we still seem to get the same fault.
The only other thing we can think to try is to delete and re-create the application from scratch which he will try tomorrow.
Any ideas?
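
Added example, not part of the original post: a small diagnostic that shows how the doubled query string described above parses, and flags the request before any signature check runs. `diagnoseProxyQuery` and `SAMPLE_DOUBLED` are hypothetical names, and the sample URL is constructed from the values shown in the post.

```javascript
// Constructed sample: the doubled URL from the post, with its placeholder values.
const SAMPLE_DOUBLED =
  'http://123456.ngrok.io/cart?shop=secret-store.myshopify.com' +
  '&path_prefix=%2Fcommunity%2Fcart&timestamp=1591151903&signature=mysignature' +
  '?shop=secret-store.myshopify.com' +
  '&path_prefix=%2Fcommunity%2Fcart&timestamp=1591151903&signature=mysignature';

// Hypothetical helper: reports what a query parser sees and why it is suspect.
function diagnoseProxyQuery(rawUrl) {
  const qIndex = rawUrl.indexOf('?');
  const rawQuery = qIndex === -1 ? '' : rawUrl.slice(qIndex + 1);

  // Collect every value per key, the way Koa's query parser builds arrays.
  // A null-prototype object avoids surprises from keys such as "__proto__".
  const values = Object.create(null);
  for (const [key, value] of new URLSearchParams(rawQuery)) {
    (values[key] = values[key] || []).push(value);
  }
  const repeatedKeys = Object.keys(values).filter((k) => values[k].length > 1);

  // A literal '?' inside the query means a second query string was glued on;
  // if both halves match, the whole query was appended twice.
  const cut = rawQuery.indexOf('?');
  const doubled = cut !== -1 && rawQuery.slice(0, cut) === rawQuery.slice(cut + 1);

  return {
    values,
    repeatedKeys,
    doubled,
    // A signed request must carry each parameter once; never pick one of
    // several signatures, reject the request and log the diagnosis instead.
    verifiable: repeatedKeys.length === 0 && cut === -1,
  };
}

const report = diagnoseProxyQuery(SAMPLE_DOUBLED);
console.log(report.values.signature, report.repeatedKeys, report.doubled);
```

Logging this result for the affected developer's requests shows whether the duplication is already present in the URL as it reaches the tunnel, or is introduced later in the local stack.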