Okay, I have a private app that I've created for my store. Its primary intent is to act as an app proxy to my external API. My API web server is seeing the proxied HTTP requests, but I'm having trouble validating the HMAC signature. I was able to validate the initial HMAC signature that was part of the private app being successfully installed. But subsequent HTTP requests hitting my API web server aren't being validated.
Here’s an example:
Query parameters that are being sent → shop=dch-development.myshopify.com&path_prefix=%2Fapps%2Fdch-webapi&timestamp=1539440498&signature=e4605bd67188d57958f457b4eba0d09f06bb7ab0fe3ca5c4680eb0d28f1c3aba&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be
Here is a Ruby sample script that takes out the signature parameter, but the resulting hash doesn’t match the signature above:
require 'openssl'
require 'uri'   # URI.escape lives here (deprecated in Ruby 2.7, removed in 3.0)

# Query string with the signature parameter removed. It is already
# percent-encoded, so URI.escape encodes the "%" signs a second time
# (%2F becomes %252F), which is visible in the output below.
msg = URI.escape('path_prefix=%2Fapps%2Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be')
puts "Query parameters are : " + msg
digest = OpenSSL::Digest.new('sha256')
key = 'MY_APP_SECRET'   # placeholder for the app's shared secret
hash = OpenSSL::HMAC.hexdigest(digest, key, msg)
puts "Derived hash is : " + hash
The results are:
Query parameters are : path_prefix=%252Fapps%252Fdch-webapi&shop=dch-development.myshopify.com&timestamp=1539440498&X-ARR-LOG-ID=9167141b-9727-4059-8958-5b5b90c977be
Derived hash is : f6ff2a39c531abcd18d6176a9be6735f074e120367e2f0844b264a05804b28af
Any suggestions?
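For comparison, here is an added verification routine (an example written for this thread, not the poster's code and not Shopify's library) that canonicalises the query the way I understand Shopify's app-proxy documentation to describe it: URL-decode, drop the signature parameter, sort by key, join the key=value pairs with no separator, HMAC-SHA256 with the app secret, and compare in constant time. The secret and signature are constructed demo values, and the routine assumes the query the server sees is exactly what Shopify signed; a parameter appended by an intermediary in between breaks the check, which the last call shows.

```ruby
require 'openssl'
require 'uri'

# key => [values], URL-decoded; URI.decode_www_form handles %XX and "+".
def app_proxy_params(query_string)
  URI.decode_www_form(query_string).group_by(&:first).transform_values { |pairs| pairs.map(&:last) }
end

# Assumed canonical form (Shopify app-proxy docs as I read them): drop
# "signature", sort the remaining keys, render each as "key=value"
# (repeated keys joined with ","), and concatenate with no separator at all.
def app_proxy_message(query_string)
  params = app_proxy_params(query_string)
  params.delete('signature')
  params.sort.map { |k, v| "#{k}=#{v.join(',')}" }.join
end

def app_proxy_signature(query_string, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, app_proxy_message(query_string))
end

# Constant-time comparison so a wrong signature is not detectable via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_app_proxy_signature?(query_string, secret)
  given = app_proxy_params(query_string).fetch('signature', []).first.to_s
  secure_equal?(given, app_proxy_signature(query_string, secret))
end

# Constructed demo values; the real app secret is not on the page.
DEMO_SECRET = 'demo_app_secret'
DEMO_QUERY  = 'shop=dch-development.myshopify.com&path_prefix=%2Fapps%2Fdch-webapi&timestamp=1539440498'

if $PROGRAM_NAME == __FILE__
  sig = app_proxy_signature(DEMO_QUERY, DEMO_SECRET)
  puts valid_app_proxy_signature?("#{DEMO_QUERY}&signature=#{sig}", DEMO_SECRET)                   # true
  # A parameter appended by an intermediary (a constructed X-ARR-LOG-ID here) was
  # not part of what was signed, so the same signature no longer verifies.
  puts valid_app_proxy_signature?("#{DEMO_QUERY}&signature=#{sig}&X-ARR-LOG-ID=demo", DEMO_SECRET) # false
end
```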