Topic
TDev Member
Posts:
3
13 days ago

Signature check in hosted gateway refund requests

Hi,

Trying to verify the x_signature value in refund requests does not seem to be working.

Using exactly the same process for initial sale transactions, i.e. taking all x_ fields sorted into alphabetical order (excluding x_signature itself) and calculating a new signature value to compare against x_signature always fails.

The refund request contained these fields:

x_account_id
x_amount
x_currency
x_gateway_reference
x_reference
x_shopify_order_id
x_signature
x_test
x_transaction_type
x_url_callback

Is there any difference in the signature process for refunds? As mentioned, the exact same signature check for standard order requests works fine, but when handling refunds (with the same account_id, secret key etc.) it doesn't work. It's not a different implementation of the signature check, it's a common function called from both.


Replies
Busfox Shopify Employee
Posts:
304
12 days ago

Hi there,

Andrew here from the Shopify Developer Experience Team.

Can you share with me a request id or checkout id so that I may take a look in our logs? On your end, you can also ensure that the payload you are signing is correct. This may seem obvious, but order management requests appear with the params as a json body, rather than url params as in the payment requests.

Thanks!

Andrew McCauley | Developer Experience @ Shopify | 1-888-746-7439
TDev Member
Posts:
3
Last edited 11 days ago

Hi, the fields are being extracted from the json object before then doing the signature check.

Sample response received:

{"x_account_id":"2","x_amount":"53.87","x_reference":466702106678,"x_currency":"AED","x_gateway_reference":"040013237867","x_test":true,"x_url_callback":"https:\/\/checkout.shopify.com\/services\/ping\/notify_integration\/telr\/11166980","x_shopify_order_id":352677527606,"x_transaction_type":"refund","x_signature":"5b9bb35952f1e283f84e32a54c82fa071fa97df06dfbeba75d646df595b89d40"}

Fields extracted from this:

x_account_id = 2
x_amount = 53.87
x_currency = AED
x_gateway_reference = 040013237867
x_reference = 466702106678
x_shopify_order_id = 352677527606
x_signature = 5b9bb35952f1e283f84e32a54c82fa071fa97df06dfbeba75d646df595b89d40
x_test = 1
x_transaction_type = refund
x_url_callback = https://checkout.shopify.com/services/ping/notify_integration/telr/11166980


Data used to generate the hash for checking signature:

x_account_id2x_amount53.87x_currencyAEDx_gateway_reference040013237867x_reference466702106678x_shopify_order_id352677527606x_test1x_transaction_typerefundx_url_callbackhttps://checkout.shopify.com/services/ping/notify_integration/telr/11166980


Hash received in the request:

5b9bb35952f1e283f84e32a54c82fa071fa97df06dfbeba75d646df595b89d40

Hash calculated from the data:

1ad420c49b252b00578e73b107256bdb1646a61c7b26e4ac548e223b30750e9b

For this testing, the secret key being used was simply 'tokenpwd'.

The same signature check process (all x_ params except x_signature, sorted into alphabetical order, append param and value, then HMAC SHA256 using the secret key) is working when used to check the initial order request, but does not work here.

It's probably something obvious, but I just can't see it.


TDev Member
Posts:
3
11 days ago

Just spotted the problem - the value x_test had somehow been changed from 'true' to '1' before doing the signature checks. With it as 'true' instead then the signature matches.
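The signature check described in this thread (sorted x_ fields except x_signature, key and value concatenated, HMAC-SHA256 with the secret key, hex encoded) together with the failure mode found above (a JSON `true` rendered as `1` before signing), as an added example. This is not code from the thread or from Shopify; it assumes the conventions the posters state (lower-case hex output, values rendered exactly as they appear in the JSON text) and uses the refund body and the `tokenpwd` secret quoted above as constructed sample input. The helper names (`load_fields`, `render_value`, `signing_string`, `compute_signature`, `verify_body`, `sign_body`) are this example's own.

```python
import hashlib
import hmac
import json

# Constructed sample: the refund body quoted earlier in the thread, including its x_signature.
# Raw string so the JSON "\/" escapes reach the decoder unchanged.
SAMPLE_REFUND_BODY = r'{"x_account_id":"2","x_amount":"53.87","x_reference":466702106678,"x_currency":"AED","x_gateway_reference":"040013237867","x_test":true,"x_url_callback":"https:\/\/checkout.shopify.com\/services\/ping\/notify_integration\/telr\/11166980","x_shopify_order_id":352677527606,"x_transaction_type":"refund","x_signature":"5b9bb35952f1e283f84e32a54c82fa071fa97df06dfbeba75d646df595b89d40"}'

# Secret key the thread says was used for this test (a test value, not a real credential).
SAMPLE_SECRET = "tokenpwd"


def load_fields(body):
    """Decode the JSON body while keeping numbers in their wire form.

    parse_int/parse_float=str stop Python from re-rendering numeric values
    (e.g. an amount sent as 53.870 must not become 53.87 before signing).
    JSON true/false still decode to Python bool and are handled in render_value.
    """
    return json.loads(body, parse_int=str, parse_float=str)


def render_value(value):
    """Render a decoded scalar exactly as it appeared in the JSON text.

    This is the step that went wrong in the thread: the boolean x_test was
    rendered as '1' instead of 'true', which changes the signed message.
    """
    if isinstance(value, bool):  # checked first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, (str, int, float)):
        return str(value)
    # Fail closed on anything we do not know how to serialise (null, lists, objects).
    raise TypeError(f"unsupported value type for signing: {type(value).__name__}")


def signing_string(fields):
    """Concatenate key+value for every x_ field except x_signature, keys sorted."""
    parts = []
    for key in sorted(fields):
        if key == "x_signature" or not key.startswith("x_"):
            continue
        parts.append(key + render_value(fields[key]))
    return "".join(parts)


def compute_signature(fields, secret):
    """HMAC-SHA256 over the signing string, lower-case hex (assumed output form)."""
    mac = hmac.new(secret.encode("utf-8"), signing_string(fields).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def verify_body(body, secret):
    """Return True only if the body's x_signature matches the recomputed value."""
    fields = load_fields(body)
    received = fields.get("x_signature")
    if not isinstance(received, str):
        return False
    expected = compute_signature(fields, secret)
    # Constant-time comparison; tolerate an upper-case hex signature from the sender.
    return hmac.compare_digest(expected, received.lower())


def sign_body(fields, secret):
    """Attach a fresh x_signature and serialise; useful for building local test requests."""
    signed = dict(fields)
    signed.pop("x_signature", None)
    signed["x_signature"] = compute_signature(signed, secret)
    return json.dumps(signed)


if __name__ == "__main__":
    fields = load_fields(SAMPLE_REFUND_BODY)
    print("signing string:", signing_string(fields))
    print("signature matches:", verify_body(SAMPLE_REFUND_BODY, SAMPLE_SECRET))
    # Reproduce the bug from the thread: render the boolean as '1' instead of 'true'.
    wrong = dict(fields)
    wrong["x_test"] = "1"
    print("same signature with x_test rendered as '1'?",
          compute_signature(fields, SAMPLE_SECRET) == compute_signature(wrong, SAMPLE_SECRET))
```

Reading the JSON with `parse_int=str` and `parse_float=str` keeps every number as the exact text the sender signed, so only the boolean rendering needs special handling; the `TypeError` for other types means an unexpected field shape fails the check rather than silently producing a signature over a guessed rendering.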