The ids parameter should be prepared differently for the HMAC

humancopy · humancopy · commit 0d492cbfa43f · 2019-04-12T14:01:28.000+02:00
diff --git a/lib/shopify/oauth.ex b/lib/shopify/oauth.ex
@@ -79,10 +79,27 @@ defmodule Shopify.OAuth do
 
   defp valid_hmac?(secret, params) do
     hmac  = params["hmac"]
-    query = params |> Map.delete("hmac") |> URI.encode_query
 
-    :crypto.hmac(:sha256, secret, query)
+    :crypto.hmac(:sha256, secret, query_string(params))
     |> Base.encode16(case: :lower)
     |> String.equivalent?(hmac)
   end
+
+  defp query_string(params) do
+    # Extract the ids and convert them to an array of strings
+    # ["1", "2", "3"]
+    ids = params["ids"]
+    |> Enum.map(fn x -> "\"#{x}\"" end)
+    |> Enum.join(", ")
+
+    # Remove the ids & hmac parameters and make a query string
+    query = params
+    |> Map.delete("ids")
+    |> Map.delete("hmac")
+    |> URI.encode_query
+
+    # Concatenate the ids back to the query - they must not be URI encoded!
+    # https://community.shopify.com/c/Shopify-APIs-SDKs/HMAC-calculation-vs-ids-arrays/m-p/261154
+    "ids=[#{ids}]&#{query}"
+  end
 end
