Web Connection
Verifying HMAC in Shopify requests
Gravatar is a globally recognized avatar based on your email address. Verifying HMAC in Shopify requests
  Carl Chambers
  All
  May 3, 2021 @ 08:30pm

Has anyone who has worked with Shopify had success in verifying the HMAC passed by Shopify requests or webhooks to a WWWC app?
So far, I'm striking out.

Thanks,
Carl

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Rick Strahl
  Carl Chambers
  May 4, 2021 @ 05:41pm

wwEncryption supports HMAC hashes. But you have to know exactly how they are created to duplicate them.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Carl Chambers
  Rick Strahl
  May 5, 2021 @ 09:08am

Thanks Rick,
The piece I was missing was loEncrypt.SetBinHexMode().

The computed value matched the HMAC passed by Shopify except that it was upper case. It seems rather coincidental that this is the only difference so am I right in guessing that the case does not matter?
Thanks.

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Rick Strahl
  Carl Chambers
  May 6, 2021 @ 09:52am

Case shouldn't matter - it's a binary representation. But if it does for the provider use UPPER() or LOWER() to get it into the right case.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Carl Chambers
  Rick Strahl
  May 6, 2021 @ 12:23pm

Thanks, Rick.

Carl

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Michael B
  Carl Chambers
  May 7, 2021 @ 09:17am

Carl - do you mind sharing what you are doing with Shopify and WWWC? I have long been curious if anyone from our world works in theirs.

Gravatar is a globally recognized avatar based on your email address. re: Verifying HMAC in Shopify requests
  Carl Chambers
  Michael B
  May 7, 2021 @ 10:57am

Carl - do you mind sharing what you are doing with Shopify and WWWC? I have long been curious if anyone from our world works in theirs.

Hi Michael,

Just investigating feasibility at this point.
I have a WWWC parts lookup service for pool & spa equipment that provides both interactive lookups and a JSON response for API calls. You can see it here...
Parts by Assembly

I'm looking into making an embedded app that can present point & click parts explosions in a Shopify store to enable consumers to visually find the parts they need and add them to the cart. If I can pull that off, I can provide that app to any online pool dealer with a Shopify store or help them build a Shopify store.

Right now, I'm trying to verify that I can handle all the security requirements. Verifying the HMAC is one of them.

Carl

© 1996-2021