I followed exactly the code from the Shopify docs (Shopify app with Node and Express) for integrating the app with Express, but it seems that I am still hitting HMAC Validation Failed.
const crypto = require('crypto');
const querystring = require('querystring');

// hmac is the value supplied in the callback query string
const { hmac } = req.query;

// Rebuild the signed message: all query parameters except signature and hmac
const map = Object.assign({}, req.query);
delete map['signature'];
delete map['hmac'];
const message = querystring.stringify(map);
const providedHmac = Buffer.from(hmac, 'utf-8');
const generatedHash = Buffer.from(
  crypto
    .createHmac('sha256', this.configService.get('SHOPIFY_API_SECRET'))
    .update(message)
    .digest('hex'),
  'utf-8'
);
let hashEquals = false;
// timingSafeEqual will prevent any timing attacks. Arguments must be buffers
try {
  hashEquals = crypto.timingSafeEqual(generatedHash, providedHmac);
  // timingSafeEqual will return an error if the input buffers are not the same length.
} catch (e) {
  hashEquals = false;
}
if (!hashEquals) {
  return res.status(400).send('HMAC validation failed');
}
I’m expecting the code above to work and not return the error.
2 Answers
I had the same problem and I think it might be related to how the nonce is created that is used for the state parameter; if we leave this blank when redirecting, the verification is successful. From the beginning I created a nonce like this:
And then if I used this nonce in the state parameter, the hmac verification in the callback always failed; when I changed it to:
everything is working as expected:
This should work for your Express application.
Based on the koa repository.
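
Added example (not from the question, the answers or Shopify's documentation): a self-contained Node harness for diagnosing the failure discussed in this thread. It reuses the question's serialization and shows that the check depends on the exact bytes of every parameter, state included. The secret, shop and parameter values are constructed, and the raw-signing sender in case 2 is an assumption for illustration, not a statement of how Shopify signs.

```javascript
const crypto = require('crypto');
const querystring = require('querystring');

// The signed string: every callback parameter except hmac and signature,
// serialized the same way as the code in the question.
function canonicalMessage(query) {
  const map = Object.assign({}, query);
  delete map.signature;
  delete map.hmac;
  return querystring.stringify(map);
}

function hmacHex(message, secret) {
  return crypto.createHmac('sha256', secret).update(message).digest('hex');
}

// Returns true only on a match; never throws on a missing or malformed hmac.
function verifyCallback(query, secret) {
  const provided = Buffer.from(String(query.hmac || ''), 'utf-8');
  const expected = Buffer.from(hmacHex(canonicalMessage(query), secret), 'utf-8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return provided.length === expected.length &&
    crypto.timingSafeEqual(provided, expected);
}

// Constructed sample data (not real credentials or a real shop).
const SECRET = 'example-secret';
const base = { code: 'abc123', shop: 'example.myshopify.com', timestamp: '1700000000' };

// Case 1: sender and verifier serialize identically, so any state verifies.
function caseSameEncoding(state) {
  const q = { ...base, state };
  q.hmac = hmacHex(canonicalMessage(q), SECRET);
  return verifyCallback(q, SECRET);
}

// Case 2 (assumed sender): signs the raw, unescaped values while the
// verifier percent-encodes them. Only states without escapable chars pass.
function caseRawSigned(state) {
  const q = { ...base, state };
  const raw = Object.keys(q).map((k) => `${k}=${q[k]}`).join('&');
  q.hmac = hmacHex(raw, SECRET);
  return verifyCallback(q, SECRET);
}

console.log(caseSameEncoding('a+b/c='), caseRawSigned('abcdef0123'), caseRawSigned('a+b/c='));
```

Logging `canonicalMessage(req.query)` next to the raw query string received from the redirect shows at a glance whether the two serializations of `state` differ.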