Invalid hex characters in request HMAC query parameter?

few_meaning · June 5, 2023, 1:46am

In May I’ve seen 3 occurrences of invalid hex characters in a very small number of requests. For example, I’m seeing requests to my OAuth callback endpoint with a query parameter that looks like:

hmac=7205A26CO3h5cR973593353631776t2Tc737W3320p784s917473qrd63X88555

I was under the impression from the documentation that:

The message is authentic if the generated hexdigest is equal to the value of the hmac parameter

Is this a malicious actor/test that I’m validating the requests correctly, or have I misunderstood the implementation required for HMAC validation (that it is always a hex string)?

Shayne · June 5, 2023, 3:19pm

Requests to the OAuth callback endpoints should always be hex encoded, but it’s worth mentioning that hmac values for webhooks are base64 encoded (which this value looks to be).

You may want to check to make sure that a few webhooks aren’t sneaking into this route, but your assumption that OAuth hmac callbacks are hex values is correct.

Topic		Replies	Views
HTTP POST for redact-shop-data webhook failing HMAC validation? Shopify Apps	6	97	August 29, 2023
"Invalid OAuth callback." error inconsistency Authentication	2	20	March 14, 2022
Why does HMAC validation keep failing in my embedded app development? Shopify Apps	4	200	September 4, 2022
HMAC verification issues Store Design	54	185	December 10, 2017
Hmac Validation Issue Oauth-base flow Authentication	2	17	May 21, 2022

Invalid hex characters in request HMAC query parameter?

Related topics