Hello Everyone,
Our current implementation of signing OAuth requests is going to be getting changed. Instead of using the MD5 scheme, we are going to be including an HMACSHA256. You should start using this as soon as possible, in order to ensure you don't encounter any downtime.
In order to ensure that there is no immediate downtime, the newly provided hmac parameter will be included in the calculation of signature. This means that you can continue to calculate signatures the way you always have and will not encounter any service disruptions. When you start seeing hmac in your OAuth responses you can move over to using that method of validating your requests.
You can find out about how to validate the HMAC signature from the Verification section of the OAuth documentation.
The old signature parameter is scheduled to be removed on the 1st of June 2015.
Chris | Shopify
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit the Shopify Help Center or the Shopify Blog
So this new implementation for OAuth signing is currently in use? So if I changed over today it would work fine?
Are the docs going to be updated before the change is implemented?
----
Ah, sorry, never mind, I see you posted a link to the updated docs, my mistake. It was cut off in the copy I received in my inbox.
Was talking to a colleague and we are just going to include the hmac in the signature calculation. None of your md5 signature code will have to change immediately. The 1st June deadline will still apply though.
Chris | Shopify
But the hmac method does currently work? So changing over immediately won't cause any downtime?
Yeah if you want to start using the hmac (once that code is deployed) you can. I'm going to make updates to the OAuth documentation about it, but it's basically going to be something like this.
params from shopify:
hello=1&world=2&hmac=abcedf&signature=a1b2c3d4
- the params that you'd use to calculate hmac would be hello and world
- the params that you'd use to calculate signature would be hello, world and hmac
These would all be sorted and joined and stuff according to the OAuth documentation.
Chris | Shopify
(once that code is deployed)
When will that code be deployed?
I'm just trying to figure out when is the earliest I can switch to the hmac method.
Will the shopify-omniauth-oauth2 strategy be updated to be compatible with this change?
There isn't anything to worry about with shopify-omniauth-oauth2 because it doesn't validate the signed request. Yeah...
Chris | Shopify
Halley,
I'll post a message here when the code has been deployed. I was planning on having it out on Dec 16, though with the suggested improvement it might be sooner.
Chris | Shopify
The changes have been deployed and are now available for your applications.
Chris | Shopify
Hi Chris
This change has meant that all users of my app can no longer log in or register. I've logged a support ticket but am temporarily working around the issue.
Daniel
We made a change to the way signature validation is done (from what we originally planned) such that there should not have been any impact on authentication. How is your application calculating the signature?
You should only be removing the signature key and using the rest of the parameters in the API request as data to calculate that signature.
So if you get the params a=1&b=2&hmac=asfdasfsafas&signature=1342342423
You should be calculating the signature like this:
MD5("secreta=1b=2hmac=asfdasfsafas") which would give you the (not real in this example) result of 1342342423
Chris | Shopify
Signature verification has been working fine since the oauth2 migration and just broke a couple of hours ago.
Can I email you a real example of expected/actual signature? I have supplied it to Jesse Fillmore in support on ticket #1201646.
Can you include a gist of how your signatures are being calculated?
Chris | Shopify
    // Builds the signed data from a fixed list of params (code, shop, timestamp only)
    var a = string.Concat(
        "code=", code,
        "shop=", shop,
        "timestamp=", timestamp);
    var sig = _utility.GetMd5HexaHash(secret + a);

calls...

    using System.Linq;
    using System.Security.Cryptography;
    using System.Text;

    public string GetMd5HexaHash(string x)
    {
        MD5 md5 = new MD5CryptoServiceProvider();
        // Note: Encoding.Default depends on the platform; the bytes hashed may differ across machines
        var data = Encoding.Default.GetBytes(x);
        var hash = md5.ComputeHash(data);
        // Transforms each byte to two lowercase hex digits
        // Returns the MD5 hex hash
        return hash.Aggregate(string.Empty, (current, b) => current + String.Format("{0:x2}", b));
    }
Yeah, you need to include the hmac in your code; that's the quick fix, though it's not versatile enough to withstand other changes if any were to happen. The reason your signatures are failing is that the code is statically dependent on the params it was expecting to be there. Does .NET provide decent URI/Params utilities that convert that data into a hash?
Move the data into a hash and remove the "signature" key from it. Sort the rest and calculate the MD5 from that.
Chris | Shopify
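The scheme described in Chris's posts above (the hmac computed over the params minus hmac and signature; the legacy signature computed over everything except signature, so it covers hmac as well; the data moved into a hash, the signature key removed, the rest sorted and hashed) as one runnable Ruby example. This is an added illustration, not Shopify's code and not the shopify_api gem's implementation. The secret, shop domain and parameter values are constructed; the "&"-joined message for the HMAC and the separator-less "key=value" concatenation with the secret prefixed for the MD5 follow the formats quoted in this thread, and any value-escaping rules from the OAuth documentation are assumed not to apply to these sample values.

```ruby
require "cgi"
require "digest/md5"
require "openssl"

# Parse the redirect query string into a plain Hash of param => value.
# CGI.parse returns arrays of values, so take the first of each.
def parse_params(query)
  CGI.parse(query).transform_values(&:first)
end

# Legacy MD5 scheme (being retired): drop only the "signature" key, sort the
# remaining params by name, concatenate "key=value" with no separator.
# Because every other param is kept, a newly added param such as "hmac" is
# included automatically, which is why a generic implementation did not
# break when hmac started appearing.
def legacy_message(params)
  params.reject { |k, _| k == "signature" }
        .sort
        .map { |k, v| "#{k}=#{v}" }
        .join
end

def legacy_signature(params, secret)
  Digest::MD5.hexdigest(secret + legacy_message(params))
end

# New HMAC-SHA256 scheme: drop both "hmac" and "signature", sort, and join
# as "key=value&key=value"; the app secret is the HMAC key.
def hmac_message(params)
  params.reject { |k, _| %w[hmac signature].include?(k) }
        .sort
        .map { |k, v| "#{k}=#{v}" }
        .join("&")
end

def hmac_signature(params, secret)
  OpenSSL::HMAC.hexdigest("sha256", secret, hmac_message(params))
end

# Constant-time comparison so a wrong digest takes as long to reject as a
# nearly right one (String#== stops at the first differing byte).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an incoming query. If Shopify sent an hmac, only the hmac counts;
# the MD5 signature is accepted only for requests that carry no hmac at all,
# so a failed hmac check cannot be downgraded to the weaker scheme.
# Returns :hmac, :signature, or nil when the request is not authentic.
def verify_query(query, secret)
  params = parse_params(query)
  if params.key?("hmac")
    secure_equal?(hmac_signature(params, secret), params["hmac"].to_s) ? :hmac : nil
  elsif params.key?("signature")
    secure_equal?(legacy_signature(params, secret), params["signature"].to_s) ? :signature : nil
  end
end

# Builds a query the way the thread describes Shopify doing it during the
# transition: hmac over the original params, then signature over everything
# including hmac. Constructed here only so the example can run offline.
def build_signed_query(params, secret)
  with_hmac = params.merge("hmac" => hmac_signature(params, secret))
  with_both = with_hmac.merge("signature" => legacy_signature(with_hmac, secret))
  with_both.map { |k, v| "#{k}=#{CGI.escape(v)}" }.join("&")
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-app-secret" # placeholder, not a real secret
  incoming = build_signed_query(
    { "code" => "abc123", "shop" => "example.myshopify.com", "timestamp" => "1418745600" },
    secret
  )
  puts incoming
  puts verify_query(incoming, secret).inspect              # :hmac
  puts verify_query(incoming + "&extra=1", secret).inspect # nil (tampered)
end
```

The point for the C# code earlier in the thread is that `legacy_message` iterates over whatever params actually arrived instead of a fixed list, so the new hmac param is folded into the MD5 input without any code change. `verify_query` prefers the hmac whenever it is present and never falls back to the MD5 signature after an hmac mismatch, and both digests are compared in constant time.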
😕 breaking change to the API originally scheduled for 1st June 2015 deployed early without any further warning = unhappy developer having to change his app at 21:30 and field a ton of support emails from customers
The changes shouldn't break your app. The reason they are is because you set static variables to look for within the query. The docs state that you are supposed to take all params, minus the signature, and calculate the signature from those. Because you only look for specific params in your code, instead of using all params, you end up missing any params that you didn't plan for.
You should write your code from the beginning to not be opinionated about what params should be included.
My app is broken... calls from clients coming in wondering why... 😞 😞
Chris: Are there any plans to update the Omniauth gem to support signature verifications for embedded apps?
Hello Shopify Team - Andrew from AfterShip here.
We received a number of customer emails regarding the Shopify connection error starting from Dec 16 15:00 (GMT+8). My developers found this issue 10 hours later and followed this guide to fix it.
Is it possible to notify partners in advance for this key change?
Blair used to email apps@shopify.com with key platform changes, this worked well.
Polling the forums isn't a good way to do this. I'd prefer an email notification.
Shopify now requires HMAC to be included in the MD5 Signature Validation
http://docs.shopify.com/api/authentication/oauth
    var a = string.Concat(
        "code=", code,
        "hmac=", hmac,      // <---- added: hmac is now part of the signed data
        "shop=", shop,
        "timestamp=", timestamp);
Daniel, you can subscribe to the API Announcements forums so you don't need to poll them to keep up to date. Anything API related will be posted here with information about when a deprecation will be removed and so forth.
Chris | Shopify
Great Chris, done.
Hey Shopify,
There really needs to be a better way to handle notifications of changes that break customers' apps, especially during the busiest shopping time of the year. Pulling from the forums is not good enough when it comes to game breakers.
Drop this bomb without notification and now scrambling during the holidays to get last minute fixes up so a client can release time sensitive releases. ARGH
You can do better.
Love always,
Your first Shopify Partner.
The API Announcement forums are fairly low volume, so you can always subscribe and get emails sent to your inbox.
The way the change was built was done in a way that should've had little to no impact on any of our API consumers. We plan on improving our methods of communication such that any of our developers can get updates out to our partners.
Chris | Shopify
Hi Chris,
Is there a way to get the currently logged in admin user's id and/or email passed as parameters (and included in signature) when the EASDK is being loaded? We have an app that has multi-admin logins, and we'd like a way to know which admin is being authenticated on our app when our embedded app frame is being loaded.
Cheers.
I'm pretty confused here. I can only generate a matching hmac when the 'code' parameter is passed... how do I validate that it is a request from an admin when it is just shop, timestamp, hmac, and signature? I didn't use the old system; I just started with the Shopify API and OAuth today.
Chris-
The Shopify API Ruby Gem has not been updated [https://github.com/Shopify/shopify_api/blob/master/lib/shopify_api/session.rb#L44]. Should I put in a PR or does someone already have something for that?