App proxy signature verification not working

Dev Platform
1

i am trying to verify the app proxy signature but it is not working.

i followed the documentation and i made sure i am using the correct secret key from the partner dev dashboard, here is my code:

def verify_hmac(request: Request) → bool:

qs = request.url.query

print(f'Raw query string: "{qs}"')

pairs = parse_qsl(qs, keep_blank_values=True)

params = dict(pairs)

print(f"Parsed params: {params}")   

signature = params.get("signature")

if not signature:

    return False

timestamp = params.get("timestamp")

if not timestamp:

    return False

try:

    ts_int = int(timestamp)

except ValueError:

    return False

if abs(int(time.time()) - ts_int) > MAX_TIMESTAMP_AGE:

    return False

message = ""

for k, v in params.items():

    if k != "signature":

        message += f"{k}={v}&"

message = message.rstrip("&")

print(f"Message before filtering: {message}")

computed = hmac.new(

    SHOPIFY_APP_SECRET.encode("utf-8"),

    message.encode("utf-8"),

    hashlib.sha256

).hexdigest()

print("Shopify signature:", signature)

print("String to sign:", message)

print("Computed signature:", computed)

return hmac.compare_digest(computed, signature)
2

Hi @joe_mazloum

We’ve recently shipped update to improve the experience working with app proxies - are you still experiencing this?

3

hello liam thx for your reply,

Yes, I’m still facing this problem i hope you could help me.

4

“&” has to be removed before calculating hmac.

see: validateHmac Does Not Work For Proxy Requests · Issue #878 · Shopify/shopify-api-js · GitHub

5

Are you still seeing this issue @joe_mazloum ?