Shopify App oAuth Error FIX, “Invalid Request! Request or redirect did not come from Shopify” PHP

I spent about 3 hours this morning trying to figure out what happened to my Shopify App. It is June 1st, 2016, which is significant because now that I know what happened, apparently Shopify has changed how they want you to authenticate your App. They have dropped the SIGNATURE parameter and want you to authenticate using a hashed HMAC.

Here is how I fixed the problem… (This is in PHP by the way, not Ruby)

In your oauth.php (or whatever file does the authentication processing), find the function call that validates the request. In my oauth.php it is this:

shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

This means you need to change your is_valid_request() function inside your shopify.php file.

Here is the new function you need to change yours to:

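function is_valid_request($query_params, $shared_secret) {

	// Every field used below must be present and must be a plain string
	// (PHP turns "hmac[]=x" into an array).
	foreach (array('code', 'shop', 'timestamp', 'hmac') as $key) {
		if (!isset($query_params[$key]) || !is_string($query_params[$key])) return false;
	}

	// Reject requests older than one day.
	$seconds_in_a_day = 24 * 60 * 60;
	$older_than_a_day = $query_params['timestamp'] < (time() - $seconds_in_a_day);
	if ($older_than_a_day) return false;

	// Rebuild the signed message from code, shop and timestamp and compute its HMAC-SHA256 (hex).
	$msg = 'code='.$query_params['code'].'&shop='.$query_params['shop'].'&timestamp='.$query_params['timestamp'];
	$sig = hash_hmac('sha256', $msg, $shared_secret);

	// hash_equals() (PHP 5.6+) compares in constant time, unlike ===.
	return hash_equals($sig, $query_params['hmac']);

}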

Now you are ready to authenticate!
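The function above signs exactly three fields, so it cannot validate the first install request (which has no code) or a callback that carries extra parameters such as state. The following is an added example, not the code from this post and not phpish's or Shopify's own code, that generalizes the check to whatever parameters arrive. It assumes the canonical form is: drop hmac and the legacy signature, sort the rest by key, join as key=value with &. The function names and all sample values are made up for the demo.

```php
<?php
// Added example; shopify_canonical_message() and verify_shopify_hmac() are hypothetical names.

// Assumed canonical form: all parameters except hmac and the legacy signature,
// sorted by key and joined as key=value pairs with "&".
function shopify_canonical_message(array $params) {
    unset($params['hmac'], $params['signature']);
    ksort($params, SORT_STRING);
    $pairs = array();
    foreach ($params as $key => $value) {
        if (!is_string($value)) return null;   // e.g. "shop[]=x" arrives as an array
        $pairs[] = $key . '=' . $value;
    }
    return implode('&', $pairs);
}

function verify_shopify_hmac(array $params, $shared_secret, $max_age = 86400) {
    foreach (array('hmac', 'shop', 'timestamp') as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) return false;
    }
    // Freshness check, as in the post: reject anything older than one day.
    if (!ctype_digit($params['timestamp'])) return false;
    if ((int) $params['timestamp'] < time() - $max_age) return false;

    $msg = shopify_canonical_message($params);
    if ($msg === null) return false;
    $expected = hash_hmac('sha256', $msg, $shared_secret);
    return hash_equals($expected, $params['hmac']);   // constant-time comparison
}

// Constructed sample data (secret, shop, code and state are made up).
$secret   = 'constructed-demo-secret';
$callback = array('timestamp' => (string) time(), 'state' => 'nonce-123',
                  'shop' => 'example-shop.myshopify.com', 'code' => 'c0ffee');
$callback['hmac'] = hash_hmac('sha256', shopify_canonical_message($callback), $secret);

// First install request: no code yet, only shop and timestamp are signed.
$install = array('shop' => 'example-shop.myshopify.com', 'timestamp' => (string) time());
$install['hmac'] = hash_hmac('sha256', shopify_canonical_message($install), $secret);

// Same callback with the shop changed after signing.
$tampered = $callback;
$tampered['shop'] = 'other-shop.myshopify.com';

foreach (array('callback' => $callback, 'install' => $install, 'tampered' => $tampered) as $name => $p) {
    echo $name, ': ', verify_shopify_hmac($p, $secret) ? 'accepted' : 'rejected', "\n";
}
```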

Author: Valik Rudd

Valik (Valiik) Rudd is an Internet entrepreneur. He develops new online businesses and creates new websites. His other passion is writing about those things. Web Design Ideas blog is the outlet through which his ideas and web design tricks and tips get recorded and shared with others.

2 thoughts on “Shopify App oAuth Error FIX, “Invalid Request! Request or redirect did not come from Shopify” PHP”

  1. I have the same problem, but I don't know how I can apply your solution in my code. Could you help me? This is my code:

    session_start();

    require __DIR__.'/vendor/autoload.php';
    use phpish\shopify;

    require __DIR__.'/conf.php';

    # Guard: http://docs.shopify.com/api/authentication/oauth#verification
    shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

    # Step 2: http://docs.shopify.com/api/authentication/oauth#asking-for-permission
    if (!isset($_GET['code']))
    {
        $permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('write_shipping', 'read_orders'));
        die("<script> top.location.href='$permission_url'</script>");
    }

    # Step 3: http://docs.shopify.com/api/authentication/oauth#confirming-installation
    try
    {
        # shopify\access_token can throw an exception
        $oauth_token = shopify\access_token($_GET['shop'], SHOPIFY_APP_API_KEY, SHOPIFY_APP_SHARED_SECRET, $_GET['code']);

        $_SESSION['oauth_token'] = $oauth_token;
        $_SESSION['shop'] = $_GET['shop'];

        $shop = $_SESSION['shop'];

        # $shop comes straight from $_GET: bind both values as query parameters instead of interpolating them
        $db->query(" INSERT INTO tbl_usersettings SET access_token='$oauth_token', store_name='$shop'");

        //echo " swal('Good job!', 'You clicked the button!', 'success'); ";

        header('Location: http://api.99minutos.com/shopify/admin.php');

        //echo 'App Successfully Installed!';
    }
    catch (shopify\ApiException $e)
    {
        # HTTP status code was >= 400 or response contained the key 'errors'
        echo $e;
        print_R($e->getRequest());
        print_R($e->getResponse());
    }
    catch (shopify\CurlException $e)
    {
        # cURL error
        echo $e;
        print_R($e->getRequest());
        print_R($e->getResponse());
    }
    error_reporting(0);

  2. Victor, the very first function:

    shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

    This is what you need to change: change “is_valid_request” to “is_valid_requestt” and add a validation function above this, like I specified in the blog post.

    That will validate it correctly. Hope it helps.

    ~ Valik
