getting "Invalid Request! Request or redirect did not come from Shopify" error on install

phpish / shopify_app-skeleton

Skeleton Shopify App project using phpish/shopify

94 stars 41 forks source link

getting "Invalid Request! Request or redirect did not come from Shopify" error on install #43

Open nidhiorangemantra opened 6 years ago

nidhiorangemantra commented 6 years ago

appissue Hello,

I am creating my custom shopify app but when i clicking on "Install App" button then i am gettiing "Invalid Request! Request or redirect did not come from Shopify" issue. So please help me how to install app ?

This is install Url : http://femmeluxefinery.myshopify.com/admin/api/auth?api_key=0191a4622a3af05d09f52226ac11ea40

Store Url : femmeluxefinery.myshopify.com appsettings

myjanky commented 6 years ago

cant really use localhost anymore without some hoops to jump through.

you need to host on a server with ssl (https://)

ahmu83 commented 5 years ago

I am getting this error when I try to install the shopify app Notice: Undefined index: signature in /vendor/phpish/shopify/shopify.php on line 21 Invalid Request! Request or redirect did not come from Shopify

I noticed that the url https://ID.ngrok.io/oauth.php?hmac=&shop=MY-TEST-STORE.myshopify.com&timestamp=1552491745 did not have the signature query string instead of the hmac query string. And I tried to update that instead in line 21 but it only removed the notice but the error (Invalid Request! Request or redirect did not come from Shopify) was still there

X4nd0R commented 4 years ago

I was able to solve this issue by editing the phpish file: /vendor/phpish/shopify/shopify.php. The is_valid_request() function should look like this:

function is_valid_request($query_params, $shared_secret)
{
    if (!isset($query_params['timestamp'])) return false;

    $seconds_in_a_day = 24 * 60 * 60;

    $older_than_a_day = $query_params['timestamp'] < (time() - $seconds_in_a_day);
    if ($older_than_a_day) return false;

    $signature = $query_params['hmac'];
    unset($query_params['hmac']);

    $message = http_build_query($query_params);

    return (hash_hmac('sha256', $message, $shared_secret) === $signature);
}

I believe the Shopify API/Oauth system has changed and phpish's code is out of date.

X4nd0R commented 4 years ago

I still continued to have further issues after rewriting the above function. So I wrote a fresh bare-bones Shopify app in PHP that is more inline with Shopify's current protocols/standards. Check it out here: https://github.com/XenithTech/php-shopify-app-skeleton If you have any issue please open a ticket and I will work on a solution as quickly as possible.