@typhoslabs/shopify-hmac

Simple HMAC validator for Shopify OAuth requests.

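Usage: no npm install needed! Validation needs your app secret, so run it on the server; do not place the secret in a page served to browsers.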

<script type="module">
  // NOTE(review): this URL names no version, so the CDN chooses which release is
  // served. Pin an exact version (.../@typhoslabs/shopify-hmac@<VERSION>) before
  // relying on it for request validation.
  import typhoslabsShopifyHmac from 'https://cdn.skypack.dev/@typhoslabs/shopify-hmac';
</script>

README

shopify-hmac

Simple HMAC validator for Shopify OAuth requests.

Usage

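const hmac = require('@typhoslabs/shopify-hmac');

// query must be an object of string values, normally the parsed query string of
// the incoming OAuth request; it has to carry "shop", "timestamp" and "hmac"
const query = { shop: "typhoslabs.myshopify.com" /* , timestamp: ..., hmac: ... */ };
// secret must be a string; this literal is a placeholder - load the real app
// secret from configuration rather than committing it to source
const secret = "i am an app secret - change me";

// Validate before using any value from query: hmac() returns an error when the
// check fails and nothing when the query is valid.
const error = hmac(query, secret);
if (error) {
    // failed validation: report it and do nothing else with this request
    console.error(error);
} else {
    // valid because no error was returned
    console.log("query is good");
}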

Details

function shopifyHMAC(query, secret)

parameters

  • query: An object of string values. Must include "shop", "timestamp", and "hmac". The "hmac" and "signature" fields, as well as any null fields, are ignored when building the query string to be hashed.
  • secret: Must be your app's secret

returns

  • error: only if an error occurred (no return value means the query is valid). DevErrors indicate something was misconfigured. UserErrors indicate that query had missing or invalid values.

Spoofing/Testing

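const hmac = require('@typhoslabs/shopify-hmac');
const crypto = require('crypto');

// test-only secret; a query signed with it validates only against the same secret
const MY_APP_SECRET = "appsecret";

const query = {
    // include a valid shopify shop url
    shop: 'my-shop.myshopify.com',
    // include a current timestamp
    // note: Shopify sends the time in seconds
    timestamp: Math.round(Date.now() / 1000)
};

// Kept in its own variable: naming the digest `hmac` as well would overwrite the
// validator function imported above, and the final hmac(...) call would throw.
const digest = crypto
    // hash with your secret
    .createHmac('sha256', MY_APP_SECRET)
    // use the exposed getOAuthQueryString() function to build
    // a valid query string to hash
    .update(hmac.getOAuthQueryString(query))
    // needs to be hexadecimal
    .digest('hex');

// add the hmac to the query
query.hmac = digest;

// check if you want... (err is empty when the signed query validates)
const err = hmac(query, MY_APP_SECRET);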