Last edited 10 days ago

SHA256 HMAC Verification on requests generated by app extension.

Created an APP extension that adds a post orders button to the orders action. After selecting an order and clicking the post butoon shopify sends this raw request.

GET /data?hmac=ec80a0468b4414504a6ff57de52ed8030e84f489b47f1b9830e91cb1f4203fc7&ids%5B%5D=934477070451&locale=en&shop=ubiquittous.myshopify.com&timestamp=1544031593 HTTP/1.1
Host: 08e3e699.ngrok.io
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
X-Forwarded-Proto: https

Spent hours looking for documentation.  I have been hashing the following string based on my interpetation of the docs I have read.


If you are wondering what method I am using to hash I am using a xojo routine that looks like this:

 sha256 = Crypto.HMAC("my secret", body, Crypto.Algorithm.SHA256)

If any one has any help or suggestions they are greatly appreciated. I apologise if I have created a duplicate thread or asking on the wrong forum. I have seen some people mentioning that undocumented protocol=https:// needed to be added as part of the body, tried it no luck.