skip to Main Content

I’m doing some URL verification between a Shopify site and my app. On Shopify, in a .liquid file, I’m creating an HMAC value using Shopify’s built in hmac_sha256 string filter. I’m using a secret key and a Twitch user ID which I’ve stored in a customer tag.

The hash value is passed as a query parameter to my app, which uses the crypto module in node.js to generate a hash and compare it with the hash from the url.

Things get strange here: In the .liquid file, when I type the Twitch ID directly into the string filter, the hash value generated by the .liquid file is the same value my app generates, and everything looks good:

{{ "12345678" | hmac_sha256: "secret_key" }}

However, when I pass the same Twitch ID as a variable into the string filter, the hash value the liquid file generates is different than the first time:

{{ twitchId | hmac_sha256: "secret_key" }}

I’ve already tried removing whitespace and newline characters from the Twitch ID variable just in case there were any. I don’t even have a guess as to what the problem could be. Maybe the variable (which is a string) is encoded differently than when I type it in directly?

For reference, the javascript code checking for matching hashes:

    // Get query string params:
    const { hash, twitchId } = req.query;
    console.log('Twitch ID in query: ' + twitchId);

    // Verify user
    const generatedUserHash = crypto
    .createHmac('sha256', userVerifySecret)
    .update(twitchId)
    .digest('hex');

    console.log('Passed hash: ' + hash + ' Generated hash: ' + generatedUserHash);

    if (generatedUserHash == hash) {
        return true;
    } else {
        return false;
    }

2

Answers


  1. Chosen as BEST ANSWER

    Turns out my variable twitchId was getting instantiated after I was trying to use it in the sha256 filter. I was instantiating it in my theme.liquid file, and I was trying to access it in a liquid file in my app (the request from the Shopify site is responded to with a liquid file).

    I guess I wrongly assumed the theme.liquid file is loaded before the file in my response to Shopify. I assumed this because javascript variables I instantiate in my theme.liquid file are available in my response liquid file (I think this has something to do with liquid variables being created server-side and javascript variables being created client-side).

    I am now instantiating the twitchId variable in my response liquid file. So that solved it.


  2. You need to show how you are assigning the ID to the variable. Without seeing that, there is no way to validate your question.

    I did a quick test, and proved I get the same HMAC with a string and a variable, so it must be that you are doing something weird in your assignment:

    <h1>{{ "12345678"  | hmac_sha256: "secret_key" }}</h1>
    {% capture fizz %}12345678{% endcapture%}
    <h1>{{ fizz   | hmac_sha256: "secret_key"}}</h1>
    

    Produces:

    fcfebc0d424982ce8c7a986264beb0d4b1de44507501451e142236404e5b9778
    fcfebc0d424982ce8c7a986264beb0d4b1de44507501451e142236404e5b9778

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search