@typhoslabs/shopify-hmac
v2.0.0
Simple HMAC validator for Shopify OAuth requests.
Downloads
11
shopify-hmac
Simple HMAC validator for Shopify OAuth requests.
Usage
// Usage sketch: validate the query object of an incoming Shopify OAuth request.
// The module's export is the validator function itself (it is called directly below).
var hmac = require('@typhoslabs/shopify-hmac');
var error;
// query must be an object; the "..." is a placeholder for the remaining fields
// (the Details section requires "shop", "timestamp" and "hmac")
var query = { shop:"typhoslabs.myshopify.com" ... };
// secret must be a string
// Placeholder value: in a real app, load the secret from configuration or the
// environment rather than committing it to source control.
var secret = "i am an app secret - change me";
// test querystring values; the validator returns an error object only on failure
if((error = hmac(query, secret))){
// Validation failed: stop handling the request here and log the error server-side.
// NOTE(review): avoid echoing the error back to the requester - confirm what it contains.
return console.error(error);
}
// valid because no error was returned
console.log("query is good");
Details
function shopifyHMAC(query, secret)
parameters
- query: An object of string values. Must include "shop", "timestamp", and "hmac". The "hmac" and "signature" fields, as well as any null fields, are ignored when building the querystring to be hashed.
- secret: Must be your app's secret
returns
- error: returned only if an error occurred. DevErrors indicate something was misconfigured. UserErrors indicate that query had missing or invalid values.
Spoofing/Testing
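// Test helper sketch: build a query object that passes validation, signed
// with a secret you control, so the validator can be exercised in tests.
var hmac = require('@typhoslabs/shopify-hmac');
var crypto = require('crypto');

// Test-only secret. Anyone holding the app secret can produce queries that
// validate, so keep test secrets separate from the production secret.
const MY_APP_SECRET = "appsecret";

var query = {
  // include a valid shopify shop url
  shop: 'my-shop.myshopify.com',
  // include a current timestamp
  // note: Shopify sends the time in seconds
  // NOTE(review): the README describes query as an object of string values;
  // confirm the validator accepts a number here.
  timestamp: Math.round(Date.now() / 1000)
};

// Keep the digest in its own variable. Assigning it to `hmac` would overwrite
// the validator function, and the final hmac(query, ...) call would throw
// "hmac is not a function".
var digest = crypto
  // hash with your secret
  .createHmac('sha256', MY_APP_SECRET)
  // use the exposed getOAuthQueryString() function to build
  // a valid query string to hash
  .update(hmac.getOAuthQueryString(query))
  // needs to be hexadecimal
  .digest('hex');

// add the hmac to the query
query.hmac = digest;

// check if you want... (err is set only when validation fails)
var err = hmac(query, MY_APP_SECRET);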