phpish / shopify_app-skeleton

Skeleton Shopify App project using phpish/shopify

getting "Invalid Request! Request or redirect did not come from Shopify" error on install #22

Open alexandprivate opened 8 years ago

alexandprivate commented 8 years ago

Hello, I am having this persistent error every time I try to install my app, and these are the things I have tried so far.

I have phpish/shopify_app-skeleton on my server and ran composer install with all dependencies. After that I changed my conf.php, adding a global variable for the redirect URL like this:

```php
define('REDIRECT_URL', 'http://my-app-name.hosting.com/app/oauth.php');
```

After that, in my oauth.php file I placed my global variable "REDIRECT_URL" at the end of line 16, like this:

```php
$permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_content', 'write_content', 'read_themes', 'write_themes', 'read_products', 'write_products', 'read_customers', 'write_customers', 'read_orders', 'write_orders', 'read_script_tags', 'write_script_tags', 'read_fulfillments', 'write_fulfillments', 'read_shipping', 'write_shipping'),REDIRECT_URL);
```

I have also commented out line 11:

```php
shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');
```

I have even replaced line 11 with the function explained in this post, but no result came up.

But nothing works... any advice??? Anything else to do? Am I doing something wrong or missing any steps?

myjanky commented 8 years ago

What is the exact error you are receiving? Please post your log file for php errors if any relate to this. Maybe you can add a couple print to log calls in the install.php file to see where the installation is failing.

alexandprivate commented 8 years ago

Hi @myjanky thanks a lot for the quick response, here I go ...

The error I am getting in my browser after running the installation is:

Invalid Request! Request or redirect did not come from Shopify

With that clear, I would like to review the changes I've made to my conf.php and oauth.php.

In conf.php I just added a new line with my address, which is my callback address in my Shopify backend:

```php
define('REDIRECT_URL', 'http://my-app-name.hosting.com/app/oauth.php');
```

Once I did this, I moved on to make the following changes in my oauth.php:

I placed my global variable "REDIRECT_URL" at the end of line 16, like this:

```php
$permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_content', 'write_content', 'read_themes', 'write_themes', 'read_products', 'write_products', 'read_customers', 'write_customers', 'read_orders', 'write_orders', 'read_script_tags', 'write_script_tags', 'read_fulfillments', 'write_fulfillments', 'read_shipping', 'write_shipping'),REDIRECT_URL);
```

After that I checked my install URL again, but I get the same error in my browser after being redirected to the login for my shop, and after logging in I get this:

Invalid Request! Request or redirect did not come from Shopify

Then I moved back to my oauth.php file and commented out line 11, this line:

```php
shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');
```

After doing this I tried my install URL again and got a different error:

400 - Oauth error invalid_request: The redirect_uri is missing or not whitelisted

I came back to my oauth.php file and removed the comment on line 11, and finally I replaced the function for line 11 with the new one listed in issue 19, changing the function is_valid_request into this:

```php
function is_valid_request_hmac($query_params, $shared_secret)
{
    if (!isset($query_params['timestamp'])) return false;

    # Reject requests older than one day
    $seconds_in_a_day = 24 * 60 * 60;
    $older_than_a_day = $query_params['timestamp'] < (time() - $seconds_in_a_day);
    if ($older_than_a_day) return false;

    # Take the signature fields out before rebuilding the signed string
    $hmac = $query_params['hmac'];
    unset($query_params['signature'], $query_params['hmac']);

    $params = array();
    foreach ($query_params as $key=>$val) $params[] = "$key=$val";
    sort($params);

    return (hash_hmac('sha256', implode('&', $params), $shared_secret) === $hmac);
}
```

but then I get again this error

400 - Oauth error invalid_request: The redirect_uri is missing or not whitelisted

so what can I do next ?

alexandprivate commented 8 years ago

this is my browser view showing the last error I am getting like commented above.

400 oauth error invalid_request

myjanky commented 8 years ago

Your redirect URL must match that in your partner's account app dashboard @ developers.shopify.com

The error is unrelated to is_valid_request_hmac.

What is your partners dashboard app redirect URL (callback)?

alexandprivate commented 8 years ago

edit app settings for shippingfy shopify partners

My callback is http://myapp.hekities.com/app/oauth.php and it is the one I defined in conf.php,

and line 11 of my oauth.php is like this:

```php
shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');
```

myjanky commented 8 years ago

Hmmm. Can you host with SSL? I had many issues until I SSL my app domain.

alexandprivate commented 8 years ago

hummm I need to check my hosting, I don't think so but let me try

myjanky commented 8 years ago

heroku has ssl containers you can move the code to.

On Fri, Jul 29, 2016 at 10:37 AM, alexandprivate notifications@github.com wrote:

> hummm I need to check my hosting, I don't think so but let me try


Larry Wheeler Phone: 817.238.3708 Chief Technology Officer www.sleepingbaby.com

"I believe that the money is in making the tools. They say during the gold rush, the people that made the most money were the ones selling the shovels.”


myjanky commented 8 years ago

Can you post the entire oauth.php file you have?

alexandprivate commented 8 years ago

good idea. let me try my hosting and keep you posted about the SSL...

alexandprivate commented 8 years ago

```php
<?php

session_start();

require __DIR__.'/vendor/autoload.php';
use phpish\shopify;

require __DIR__.'/conf.php';

# Guard: http://docs.shopify.com/api/authentication/oauth#verification
shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

# Step 2: http://docs.shopify.com/api/authentication/oauth#asking-for-permission
if (!isset($_GET['code']))
{
    $permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_content', 'write_content', 'read_themes', 'write_themes', 'read_products', 'write_products', 'read_customers', 'write_customers', 'read_orders', 'write_orders', 'read_script_tags', 'write_script_tags', 'read_fulfillments', 'write_fulfillments', 'read_shipping', 'write_shipping'),REDIRECT_URL);
    die("<script> top.location.href='$permission_url '</script>");

}

# Step 3: http://docs.shopify.com/api/authentication/oauth#confirming-installation
try
{
    # shopify\access_token can throw an exception
    $oauth_token = shopify\access_token($_GET['shop'], SHOPIFY_APP_API_KEY, SHOPIFY_APP_SHARED_SECRET, $_GET['code']);

    $_SESSION['oauth_token'] = $oauth_token;
    $_SESSION['shop'] = $_GET['shop'];

    echo 'App Successfully Installed!';
}
catch (shopify\ApiException $e)
{
    # HTTP status code was >= 400 or response contained the key 'errors'
    echo $e;
    print_R($e->getRequest());
    print_R($e->getResponse());
}
catch (shopify\CurlException $e)
{
    # cURL error
    echo $e;
    print_R($e->getRequest());
    print_R($e->getResponse());
}

?>
```

myjanky commented 8 years ago

Ok I see some issues.

With composer it is getting shopify.php from phpish library. is_valid_request() is not the same function as is_valid_request_hmac() and you are calling the former.

```php
# Guard: http://docs.shopify.com/api/authentication/oauth#verification
shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');
```

I think you may be getting hung up on step one, prior to asking for permission. Comment out everything below the above code snippet and dump $_GET to the screen with var_dump...

what does it contain?

myjanky commented 8 years ago

Also, is the redirect URL visible in the URI as a query param (GET var)?

alexandprivate commented 8 years ago

Yeah, but I changed the function in shopify.php, so it is working fine and doing the check by hmac... notice that if not, the error would go with die "Invalid Request! Request or redirect did not come from Shopify", and that is not happening.

And that's not the problem; the function is working fine. I am getting the error in line 16.

alexandprivate commented 8 years ago

LARRY! The app has been installed!!! Don't ask me how or why!!! Kinda voodoo or something! I changed nothing!

alexandprivate commented 8 years ago

I think it was a cache problem or something !!! thanks a lot pal !!!! write you back about further issues and success ! thanks again

myjanky commented 8 years ago

Are you not using composer to get your libraries? Changing shopify.php will only work if you disable composer. Yes, could be a cache issue due to composer.

myjanky commented 8 years ago

no worries. Hope you get the app together how you want.

alexandprivate commented 8 years ago

yeah ! I think it was that !

alexandprivate commented 8 years ago

thanks man

ZoobiDoobi commented 7 years ago

Hi, still stuck at this error! (Invalid Request! Request or redirect did not come from Shopify)

Things that I tried:

1. Added Redirect URL to conf.php
2. Added Redirect URL to oauth.php
3. App code is hosted on an SSL domain.

Any help? Totally new to shopify

ZoobiDoobi commented 7 years ago

screenshot_2

This is the var_dump($_GET); the 'signature' index is missing.

myjanky commented 7 years ago

see if the shared secret is getting passed into the is_valid_request() properly.

ZoobiDoobi commented 7 years ago

The problem was the 'signature' index. Now, instead of signature, 'hmac' is being used. The following patch resolved the issue: https://github.com/xewl/shopify/blob/patch-1/shopify.php. I only used is_valid_request from this patch.

Thanks :)

ghost commented 7 years ago

Hi, the patch is not working. Please give me the URL for the updated patch. I am also facing the same issue. Thanks

myjanky commented 7 years ago

@sanishkamboj the issue involves hmac, as Shopify no longer supports md5 hash. Please try this function in place of is_valid_request().

```php
public function validateSignature($query)
{
    if(!is_array($query) || empty($query['hmac']) || !is_string($query['hmac']))
        return false;

    $dataString = array();
    foreach ($query as $key => $value) {
        // Escape '%' first so the '%3D' and '%26' escapes added next are not re-encoded
        $key = str_replace('%', '%25', $key);
        $key = str_replace('&', '%26', $key);
        $key = str_replace('=', '%3D', $key);
        $value = str_replace('%', '%25', $value);
        $value = str_replace('&', '%26', $value);

        if($key != 'hmac')
            $dataString[] = $key . '=' . $value;
    }

    sort($dataString);

    $string = implode("&", $dataString);
    if (version_compare(PHP_VERSION, '5.3.0', '>='))
        $signature = hash_hmac('sha256', $string, $this->secret);
    else
        $signature = bin2hex(mhash(MHASH_SHA256, $string, $this->secret));

    // Strict comparison: loose == can treat two different "0e..." digit strings as equal numbers
    return $query['hmac'] === $signature;
}
```

this is from ohShopify. I take no credit for the function
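
The check this thread converges on (verify the `hmac` parameter with HMAC-SHA256 instead of the retired `signature` parameter), written as a stand-alone added example; it is not code from phpish/shopify, ohShopify or any participant in the thread. The function name `verify_shopify_hmac`, the secret and the request parameters are constructed for illustration, and it assumes Shopify signs the key-sorted `key=value` pairs joined with `&`, as the functions quoted above do.

```php
<?php
// Added example; verify_shopify_hmac() is a hypothetical name, not a library function.
function verify_shopify_hmac(array $query, $shared_secret, $max_age = 86400)
{
    // A request carrying only the legacy 'signature' parameter has no hmac: reject it.
    if (empty($query['hmac']) || !is_string($query['hmac'])) {
        return false;
    }
    // Require a numeric timestamp no older than $max_age seconds (one day by default).
    if (!isset($query['timestamp']) || !ctype_digit((string) $query['timestamp'])
        || (int) $query['timestamp'] < time() - $max_age) {
        return false;
    }

    $received = $query['hmac'];
    unset($query['hmac'], $query['signature']);
    ksort($query, SORT_STRING); // sort by parameter name before building the message

    $pairs = array();
    foreach ($query as $key => $value) {
        if (!is_scalar($value)) {
            return false; // array-valued parameters are out of scope for this example
        }
        // '%' is escaped first so the escapes added for '&' and '=' are not re-encoded.
        $key   = str_replace(array('%', '&', '='), array('%25', '%26', '%3D'), (string) $key);
        $value = str_replace(array('%', '&'), array('%25', '%26'), (string) $value);
        $pairs[] = $key . '=' . $value;
    }

    $expected = hash_hmac('sha256', implode('&', $pairs), $shared_secret);
    // hash_equals() (PHP >= 5.6) compares in constant time and never type-juggles.
    return hash_equals($expected, $received);
}

// Constructed secret and callback parameters, for illustration only.
$secret = 'constructed-shared-secret';
$params = array('code' => 'abc123', 'shop' => 'example-shop.myshopify.com',
                'timestamp' => (string) time());
$message = 'code=abc123&shop=example-shop.myshopify.com&timestamp=' . $params['timestamp'];
$params['hmac'] = hash_hmac('sha256', $message, $secret);

$tampered = array_merge($params, array('shop' => 'other-shop.myshopify.com'));
$legacy = $params;
unset($legacy['hmac']);
$legacy['signature'] = 'constructed-md5-value';

var_dump(verify_shopify_hmac($params, $secret));   // correctly signed request
var_dump(verify_shopify_hmac($tampered, $secret)); // 'shop' changed after signing
var_dump(verify_shopify_hmac($legacy, $secret));   // only 'signature', no 'hmac'
```

Because oauth.php passes `$_GET['shop']` into the authorization URL and writes that URL into a `<script>` tag, this guard has to stay enabled; commenting it out while debugging lets unsigned input reach that output.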