HMAC verification requires removing padding characters from host (==) #146

@badger-adam

Description

Expected Behavior

When performing hmac verification, the generated hmac should match the one provided by Shopify.

Current Behavior

The generated hmac does not match the one provided by Shopify.

Failure Information

When a host is provided to Shopify that contains Base64 padding characters (==) at the end, Shopify removes the padding before calculating the HMAC hash but doesn't document that they do this. If you ask the Shopify AI Assistant, it will tell you to remove the padding characters before generating the HMAC.

Steps to Reproduce

Create a subscription plan url that contains a Base64 encoded "host" parameter containing padding characters. When redirected back to your app after subscribing, the authenticate/token request will fail hmac verification.

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

  • Package Version: v21.1.0
  • Laravel Version: v11.18.1
  • PHP Version: v8.3
  • Template Engine: React
  • Using a toolset (Docker, Laradock, Vagrant, etc.): Docker

I can create a PR if this is the direction we would like to go. In our project, we patched this code.

diff --git a/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php b/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php
index 86c5485..305abf7 100755
--- a/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php
+++ b/vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php	
@@ -372,6 +372,10 @@ public function verifyRequest(array $params): bool
             unset($params['hmac']);
             ksort($params);
 
+            if (array_key_exists('host', $params)) {
+                $params['host'] = rtrim($params['host'], '=');
+            }
+
             // Encode and hash the params (without HMAC), add the API secret, and compare to the HMAC from params
             return $hmac === hash_hmac(
                 'sha256',
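Review bot: the new `if (array_key_exists('host', $params)) {` block has no comment saying why the trailing `=` is dropped; because it mirrors behaviour Shopify does not document, a one-line note above it would keep a future reader from treating it as a no-op and removing it. The comparison just below, `return $hmac === hash_hmac(`, is not constant-time; `hash_equals($hmac, hash_hmac(...))` is the idiomatic PHP way to compare MACs and would be worth changing while this code is touched. Also, the patch targets `vendor/gnikyt/basic-shopify-api/src/BasicShopifyAPI.php`, which `composer install` overwrites, so the change needs to land in the upstream package or a fork rather than in `vendor/`.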

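The mismatch described above, as an added PHP example that is not the package's own code: it simulates Shopify signing the request with the host padding removed (as the issue reports) and then verifies the same request both without and with the proposed strip. The secret, shop, host and the key=value canonical-string format are constructed assumptions, not values from the page.

```php
<?php
// Added example, not the package's code: reproduces the mismatch this issue
// describes. The secret, shop and host below are constructed sample values, and
// the canonical-string format is an assumption about how the library "encodes" params.

// Canonical string: drop 'hmac', sort keys, join as key=value&key=value.
function canonicalQuery(array $params): string
{
    unset($params['hmac']);
    ksort($params);
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

function computeHmac(array $params, string $secret): string
{
    return hash_hmac('sha256', canonicalQuery($params), $secret);
}

// Verifier; $stripHostPadding toggles the fix proposed in the issue.
function verifyRequest(array $params, string $secret, bool $stripHostPadding): bool
{
    $hmac = $params['hmac'] ?? '';
    if ($stripHostPadding && array_key_exists('host', $params)) {
        $params['host'] = rtrim($params['host'], '=');
    }
    // hash_equals gives a constant-time comparison of the two MACs.
    return hash_equals(computeHmac($params, $secret), $hmac);
}

$secret = 'constructed-sample-api-secret';
// 31 bytes, so its base64 form ends in "==" padding.
$paddedHost = base64_encode('admin.shopify.com/store/example');
$params = [
    'shop'      => 'example.myshopify.com',
    'timestamp' => '1700000000',
    'host'      => $paddedHost,
];

// Simulate Shopify as the issue describes it: padding removed before signing.
$signed = $params;
$signed['host'] = rtrim($signed['host'], '=');
$params['hmac'] = computeHmac($signed, $secret);

var_dump(verifyRequest($params, $secret, false)); // the padded host is not what was signed
var_dump(verifyRequest($params, $secret, true));  // padding stripped: same string as signed
```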