hmac validation for oauth (cli three)

Question

hmac validation for oauth (cli three)

daveagill opened this issue 2 years ago · 2 comments

This template does not validate the hmac parameter provided by Shopify during the initial request to initiate the OAuth flow.

The hmac should be validated at that point according to the documentation: https://shopify.dev/apps/auth/oauth/getting-started#step-2-verify-the-installation-request

Adding hmac validation here is further complicated because verify-request.js and useAuthenticatedFetch.js both redirect to the oauth endpoint without providing an hmac.

Answer 1 · 2023-03-28T21:50:12.000Z

@daveagill this has been fixed at the API level which is used by the template. So I will close this one.

Answer 2 · 2023-03-28T23:13:13.000Z

@cquemin Thank you for the update. Is there somewhere to raise an issue to update the documentation? I think it could be made clearer by noting that the JS API handle the hmac validation for us.