
HMAC verification requires removing padding characters from host (==) #146

badger-adam opened this issue Aug 7, 2024 · 0 comments

Expected Behavior

When performing HMAC verification, the generated HMAC should match the one provided by Shopify.

Current Behavior

The generated HMAC does not match the one provided by Shopify.

Failure Information

When a host is provided to Shopify that contains Base64 padding characters (==) at the end, Shopify removes the padding before calculating the HMAC hash but doesn't document that they do this. If you ask the Shopify AI Assistant, it will tell you to remove the padding characters before generating the HMAC.


Steps to Reproduce

Create a subscription plan URL that contains a Base64-encoded "host" parameter containing padding characters. When redirected back to your app after subscribing, the authenticate/token request will fail HMAC verification.

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

  • Package Version: v21.1.0
  • Laravel Version: v11.18.1
  • PHP Version: v8.3
  • Template Engine: React
  • Using a toolset (Docker, Laradock, Vagrant, etc.): Docker

I can create a PR if this is the direction we would like to go. In our project, we patched this code.

diff --git a/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php b/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php
index 86c5485..305abf7 100755
--- a/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php
+++ b/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php	
@@ -372,6 +372,10 @@ public function verifyRequest(array $params): bool
             unset($params['hmac']);
             ksort($params);
 
+            if (array_key_exists('host', $params)) {
+                $params['host'] = rtrim($params['host'], '=');
+            }
+
             // Encode and hash the params (without HMAC), add the API secret, and compare to the HMAC from params
             return $hmac === hash_hmac(
                 'sha256',
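Review bot: The reason for stripping the padding is not recorded in the hunk; because the `array_key_exists('host', $params)` block relies on undocumented Shopify behaviour (trailing Base64 `=` removed from `host` before signing), add a comment above it saying so, otherwise the next reader will take it for arbitrary mangling of a parameter and remove it. Two further points: the file sits under vendor/gnikyt/basic-shopify-api, so the change needs to land upstream in that package rather than in a vendor copy that the next `composer install` overwrites; and the context line `return $hmac === hash_hmac(` compares the digests with plain string equality, so while touching verifyRequest consider `hash_equals($hmac, hash_hmac(...))` for a constant-time comparison.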

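As an added illustration (not code from the issue or from the library), this Python model reproduces the failure described above: Shopify signs the sorted key=value query parameters with the trailing `=` padding removed from `host`, so an app that hashes the padded value never matches. The secret, host and callback parameters are constructed, and the message layout assumes the sorted `key=value&...` form that the library's `verifyRequest` hashes.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; not a real Shopify credential.
API_SECRET = b"constructed-shared-secret"

def signed_message(params: dict, strip_host_padding: bool) -> str:
    """Build the string that gets signed: every parameter except 'hmac',
    sorted by key and joined as key=value pairs with '&', mirroring the
    ksort + encode step in verifyRequest. With strip_host_padding=True the
    trailing Base64 '=' on 'host' is dropped first, which is the undocumented
    Shopify behaviour the issue reports."""
    payload = {k: v for k, v in params.items() if k != "hmac"}
    if strip_host_padding and "host" in payload:
        payload["host"] = payload["host"].rstrip("=")
    return "&".join(f"{k}={v}" for k, v in sorted(payload.items()))

def compute_hmac(params: dict, strip_host_padding: bool) -> str:
    msg = signed_message(params, strip_host_padding).encode()
    return hmac.new(API_SECRET, msg, hashlib.sha256).hexdigest()

def shopify_sign(params: dict) -> dict:
    """Model of Shopify's side: the host padding is removed before signing."""
    signed = dict(params)
    signed["hmac"] = compute_hmac(params, strip_host_padding=True)
    return signed

def verify_request(params: dict, strip_host_padding: bool) -> bool:
    """App side. strip_host_padding=False is the behaviour before the patch,
    True is the behaviour after it. compare_digest avoids a timing side channel."""
    expected = compute_hmac(params, strip_host_padding)
    return hmac.compare_digest(params.get("hmac", ""), expected)

# Constructed callback parameters. The 31-byte host encodes to 44 Base64
# characters ending in "==", which is exactly the case that breaks verification.
HOST_B64 = base64.b64encode(b"admin.shopify.com/store/my-shop").decode()
CALLBACK_PARAMS = {
    "host": HOST_B64,
    "shop": "my-shop.myshopify.com",
    "timestamp": "1722988800",
}

if __name__ == "__main__":
    incoming = shopify_sign(CALLBACK_PARAMS)
    print("host ends with padding:", HOST_B64.endswith("=="))
    print("verify without stripping:", verify_request(incoming, strip_host_padding=False))
    print("verify with stripping:   ", verify_request(incoming, strip_host_padding=True))
```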