App Proxy Signature Change?

I’ve had a production app proxy in place for years now. And it’s worked without a hitch. Looking in the web logs on my app proxy receiver today I see a host of signature verification failures. And when I review the query parameters I see that now there are two parameters that didn’t appear in the original ones I developed against. I see a logged_in_customer and a X-ARR-LOG-ID parameter.

Example pasted below.

shop=myshop.myshopify.com&logged_in_customer_id=&path_prefix=%2Fapps%2Fdch-webapi×tamp=1658335973&signature=77a40cb3a7133b47ba99d4cb71e39a3504c7c73f076516c4bed8cd76509da84b&X-ARR-LOG-ID=4844ec61-339a-4554-8c48-93302b1febec

Anyone else need to revisit their code in order to validate these HMAC signatures coming in? I did review the updated docs (https://shopify.dev/apps/online-store/app-proxies) and added the logged_in_customer_id query parameter. Just wondering about the X-ARR-LOG-ID query parameter that got added. When I remove that one the calculation still doesn’t match up?

Disregard. It had been awhile, so I forgot that I needed to 1) ignore the X-ARR-LOG-ID parameter, 2) add the logged_in_customer_id parameter, and 3) reorder the parameters alphabetically. After going through that exercice we are back in business again.

Hey Greg - did they not update the header further up to now? I’ve been seeing different C# solutions to verify proxy apps and I’ve yet to get matching values