
    HMAC validation in a Shopify app

    Updated 22 December 2017

    Authorisation in a Shopify app

    A Shopify app needs the store's data, but first it has to go through the authorisation process.

    Shopify uses OAuth 2.0 for authorisation.

    Every request from the app is validated on Shopify's end. Similarly, every request or redirect coming from Shopify must be validated by the app server before it is trusted.

    For this, Shopify provides an hmac parameter along with the other parameters.

    What is HMAC

    A hash-based message authentication code (HMAC) is a keyed hash value calculated over all the parameters sent by Shopify.


    How HMAC validation can be done

    The HMAC can be calculated in any programming language using the SHA-256 hash function.

    Shopify does provide documentation for HMAC verification, but there is still confusion among app developers about how to implement it correctly.


    Step 1

    First we need to collect the parameters, leaving out the hmac parameter itself.

    Note: we need every parameter sent by the Shopify server, not just the ones the app happens to use.


    Step 2

    Keys and values must be checked for the % and & characters: every % is replaced with %25 and every & with %26 (replace % first, otherwise the % introduced by the & replacement would be escaped a second time).

    If a key contains an = character, it is replaced with %3D, which is simply the percent-encoded (UTF-8) value of that character. Values keep their = characters unchanged.


    Step 3

    Then build a string in which each key and its value are joined with an = character, and the resulting key=value pairs are joined with an & sign.


    Step 4

    Finally, compute the HMAC-SHA256 digest of that string, using the app's secret key as the HMAC key.

    The calculated hex digest is then compared with the hmac value provided by Shopify; only if they match should the request be treated as genuine.
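    The four steps above carried through end to end, as an added example that is not code from the original post and not Shopify's own library. The app secret and the query parameters are constructed sample values; the function and variable names are my own. One detail the steps do not spell out is that Shopify's documented procedure signs the parameters in sorted key order, so the message builder sorts before joining, and the comparison is constant-time so the check does not leak how many leading digest characters matched.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values (not a real secret, not a real store).
APP_SECRET = "constructed-app-secret-for-demo"
SAMPLE_PARAMS = {
    "code": "abc123",
    "shop": "example.myshopify.com",
    "state": "nonce-42",
    "timestamp": "1514000000",
}


def _encode_key(key: str) -> str:
    # Escape '%' first so the '%' introduced by the later replacements
    # is not escaped a second time (Step 2).
    return key.replace("%", "%25").replace("&", "%26").replace("=", "%3D")


def _encode_value(value: str) -> str:
    # Values escape '%' and '&' only; '=' stays as-is (Step 2).
    return value.replace("%", "%25").replace("&", "%26")


def build_message(params: dict) -> str:
    """Steps 1-3: drop hmac, encode each pair, join key=value pairs with '&'.

    Keys are sorted, matching Shopify's documented signing order.
    """
    pairs = []
    for key in sorted(k for k in params if k != "hmac"):
        pairs.append(f"{_encode_key(key)}={_encode_value(params[key])}")
    return "&".join(pairs)


def compute_hmac(params: dict, secret: str) -> str:
    """Step 4: HMAC-SHA256 over the message, keyed with the app secret."""
    message = build_message(params).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def verify_hmac(params: dict, secret: str) -> bool:
    """Return True only if the supplied hmac matches the recomputed digest.

    A missing or non-string hmac fails closed; the comparison is constant-time.
    """
    provided = params.get("hmac")
    if not isinstance(provided, str) or not provided:
        return False
    expected = compute_hmac(params, secret).encode("ascii")
    return hmac.compare_digest(expected, provided.lower().encode("utf-8"))


def params_from_url(url: str) -> dict:
    """Extract the (already URL-decoded) query parameters of a redirect URL."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Simulate Shopify signing the redirect, then the app verifying it.
    signed = dict(SAMPLE_PARAMS, hmac=compute_hmac(SAMPLE_PARAMS, APP_SECRET))
    print("message:", build_message(signed))
    print("genuine redirect verifies:", verify_hmac(signed, APP_SECRET))
    # Changing any signed parameter must break verification.
    tampered = dict(signed, shop="other-store.myshopify.com")
    print("tampered shop verifies:", verify_hmac(tampered, APP_SECRET))
```

    In a real handler you would call params_from_url() (or read the framework's decoded query dict) and pass the result to verify_hmac() together with the app secret loaded from configuration, rejecting the request whenever it returns False.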


    Here is the code in PHP for HMAC verification.

    <?php

    // Verify the hmac parameter that Shopify appends to requests and redirects.
    // Returns true only when the locally computed digest matches.
    function verifyHmac()
    {
      if (!isset($_GET['hmac'])) {
        return false;              // nothing to verify: fail closed
      }

      $ar = [];
      $hmac = $_GET['hmac'];
      $params = $_GET;
      unset($params['hmac']);      // Step 1: every parameter except hmac
      ksort($params);              // Shopify signs the parameters in sorted key order

      foreach ($params as $key => $value) {
        // Step 2: escape % first, otherwise the % introduced below would be escaped again
        $key = str_replace("%", "%25", $key);
        $key = str_replace("&", "%26", $key);
        $key = str_replace("=", "%3D", $key);
        $value = str_replace("%", "%25", $value);
        $value = str_replace("&", "%26", $value);

        $ar[] = $key . "=" . $value;   // Step 3: key=value
      }

      $str = join('&', $ar);           // Step 3: pairs joined with &

      // Step 4: HMAC-SHA256 keyed with the app secret, lowercase hex output
      $ver_hmac = hash_hmac('sha256', $str, "YOUR-APP-SECRET-KEY", false);

      // hash_equals() compares in constant time; == would be a loose, timing-leaky comparison
      if (hash_equals($ver_hmac, strtolower($hmac))) {
        echo 'hmac verified';
        return true;
      }

      return false;
    }
    ?>
