Channel: Opinion: Shopify Community - Shopify Apps
Sandeep Shetty commented on How to validate every request that comes from Shopify when the code parameter is not present in every request?


Firstly, the code you presented above to verify requests that don't have the code parameter will work but it's still not the right way to do it. Note that the documentation doesn't say "take the shop and timestamp parameter and do ...". It says "remove the signature and hmac parameters". The distinction is important because the former will fail if the HMAC is based on additional parameters that might be added in the future like it happened recently when the hmac parameter was introduced. The documentation is actually very clear about the algorithm to follow to verify every type of request (with or without the code param). This thread has more details: https://ecommerce.shopify.com/c/shopify-apis-and-technology/t/hmac-verify-app-install-request-using-php-252951#comment-253000

Secondly, if I understand this correctly:

  • You don't treat successfully completing the OAuth dance as login and require an additional login to your service. It looks like you are doing this to differentiate between different users ("storeowners") of the same shop.
  • You are taking the shop, hmac, timestamp you get in the request from Shopify and passing it along with the login/register form and then on the server side verifying the HMAC.


While this "hack" works for now, it is fragile (for reasons mentioned in the first point) and too coupled with Shopify (you need to send all the parameters that Shopify uses for calculating its hash, even the ones you don't need). It's also using something meant to verify if the request came from Shopify for verifying that the current user is not tampering with a form on your app.


Here are a couple of ways this "security problem" is generally solved:

  1. Store the verified shop param in a session before redirecting the user to the login/register page (Step 4 and Step 5). This means the shop param is stored server side (in the session store) and not editable by the user.
  2. Send the shop param in the login/register form along with your own HMAC using a secret per session and then check the HMAC on form submission.


Another "hack" to use Shopify's OAuth for authentication in your case is to start the OAuth dance (on both Step 4 and Step 5) and then send the resulting shop and code param along with the login/register form. Then upon form submission attempt to finish the OAuth dance by exchanging the code for a permanent access token. If the user modifies the shop param then the combination of the tampered shop and code will not work.

I'd be wary of using hacks though.
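As an added illustration of the two points made in the comment above (the generic "remove hmac and signature, sign everything else" verification versus the fragile shop+timestamp version, and option 2, a per-session HMAC over the shop value in the login form), here is example Python that is not part of the original comment and not Shopify's own code. It assumes the canonicalization as commonly described for Shopify request verification: drop the `hmac` and `signature` parameters, sort the rest by key, join as `key=value&...`, and take an HMAC-SHA256 hex digest keyed with the app's shared secret. The shared secret, session secret, shop and timestamp values are constructed for the demo, and `make_signed_query` / `with_param` are demo helpers that stand in for Shopify building the request and for a user editing it.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed values for the demo; a real app reads its shared secret from configuration.
SHARED_SECRET = "constructed-shared-secret"
SAMPLE_PARAMS = {"shop": "example.myshopify.com", "timestamp": "1337178173"}


def canonical_message(params):
    """Drop hmac and signature, sort the remaining parameters by key, join as key=value&..."""
    remaining = sorted((k, v) for k, v in params.items() if k not in ("hmac", "signature"))
    return "&".join(f"{k}={v}" for k, v in remaining)


def compute_hmac(params, shared_secret):
    """HMAC-SHA256 hex digest of the canonical message, keyed with the app's shared secret."""
    return hmac.new(shared_secret.encode(), canonical_message(params).encode(), hashlib.sha256).hexdigest()


def verify_shopify_request(query_string, shared_secret):
    """Generic check: signs whatever parameters are present, so it keeps working
    when a new signed parameter (such as code) is added to the request."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.get("hmac")
    if received is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(compute_hmac(params, shared_secret), received)


def naive_verify(query_string, shared_secret):
    """The fragile approach the comment warns against: hardcodes shop and timestamp
    as the only signed parameters, so it breaks as soon as another one is signed."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.get("hmac")
    if received is None:
        return False
    message = f"shop={params.get('shop', '')}&timestamp={params.get('timestamp', '')}"
    expected = hmac.new(shared_secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


def make_signed_query(params, shared_secret):
    """Demo helper standing in for Shopify: builds a signed query string."""
    signed = dict(params)
    signed["hmac"] = compute_hmac(params, shared_secret)
    return urlencode(signed)


def with_param(query_string, key, value):
    """Demo helper standing in for a user editing the URL: replaces or adds one parameter
    without recomputing the hmac."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    params[key] = value
    return urlencode(params)


# Option 2 from the comment: tag the shop value carried in the login/register form with an
# HMAC under a secret that lives only in the server-side session, and check it on submission.
def sign_form_field(value, session_secret):
    return hmac.new(session_secret.encode(), value.encode(), hashlib.sha256).hexdigest()


def verify_form_field(value, tag, session_secret):
    return hmac.compare_digest(sign_form_field(value, session_secret), tag)


if __name__ == "__main__":
    signed = make_signed_query(SAMPLE_PARAMS, SHARED_SECRET)
    print("genuine request, generic check:", verify_shopify_request(signed, SHARED_SECRET))
    print("tampered shop, generic check:  ",
          verify_shopify_request(with_param(signed, "shop", "attacker.myshopify.com"), SHARED_SECRET))
    # A request where Shopify signs an additional parameter (constructed value).
    future = make_signed_query({**SAMPLE_PARAMS, "code": "constructed-code"}, SHARED_SECRET)
    print("extra signed param, generic:   ", verify_shopify_request(future, SHARED_SECRET))
    print("extra signed param, naive:     ", naive_verify(future, SHARED_SECRET))
    session_secret = "constructed-session-secret"
    tag = sign_form_field(SAMPLE_PARAMS["shop"], session_secret)
    print("form shop untouched:           ", verify_form_field(SAMPLE_PARAMS["shop"], tag, session_secret))
    print("form shop edited:              ", verify_form_field("attacker.myshopify.com", tag, session_secret))
```

The generic verifier and the naive one agree on a plain shop+timestamp request, and only diverge once another parameter is signed, which is exactly the failure the comment describes. The form-field HMAC is independent of Shopify's parameters altogether: it only needs the session secret and the one value the app actually cares about.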
