Abhik

Reputation: 1940

Detect if a request comes from within the Shopify Admin Panel

I am using the Embedded App SDK (for building a Shopify App) that allows me to display a webpage inside the admin panel. Let's say the Shopify App has a URL of /shopifyApp. Whenever a user clicks on the said app, he is redirected to "/shopifyApp". The GET request looks like /shopifyApp?hmac=b20934d6b66cxxx&protocol=https%3A%2F%2F&shop=dev-store-61.myshopify.com&timestamp=1466715935

I am trying to verify if the hmac is valid. I am using the piece of code below for validation, but unfortunately it's not working.

    var crypto = require('crypto');
    var querystring = require('querystring');

    // Copy the parsed query, drop the hmac itself, serialise the rest and
    // HMAC-SHA256 it with the app secret
    var map = JSON.parse(JSON.stringify(req.query));
    delete map['hmac'];
    var message = querystring.stringify(map);
    var generated_hash = crypto.createHmac('sha256', "myAppSecret").update(message).digest('hex');
    if (generated_hash === req.query.hmac) {
       //show Authenticated page
    } else {
        //Show unauthenticated page
    }

The generated hash is never equal to hmac for some reason. Can someone advise me as to what I am doing wrong?

Upvotes: 0

Views: 686

Answers (1)

Mohammad Shabaz Moosa

Reputation: 1515

You need to delete the hmac and signature.

var crypto = require('crypto');
var querystring = require('querystring');

// Express middleware: rebuild the message Shopify signed (every query
// parameter except hmac and signature), recompute the HMAC-SHA256 with the
// app secret (config.oauth.client_secret, loaded from your configuration)
// and compare it with the hmac Shopify sent.
function verifyRequest(req, res, next) {
    var map = JSON.parse(JSON.stringify(req.query));
    delete map['signature'];
    delete map['hmac'];

    var message = querystring.stringify(map);
    var generated_hash = crypto.createHmac('sha256', config.oauth.client_secret).update(message).digest('hex');
    if (generated_hash === req.query.hmac) {
        next();
    } else {
        // res.json(400) would answer 200 with the number 400 as body;
        // reject with a real 400 status instead.
        return res.sendStatus(400);
    }
}

Upvotes: 0
