Tags: shopware, shopware6, shopware6-api, shopware6-app

Shopware6 confirm registration can't match shopware-shop-signature


We are developing our app following the steps described in here:

https://developer.shopware.com/docs/guides/plugins/apps/app-base-guide

We successfully implemented the first call with the indicated checks over the "shopware-app-signature". We have a problem doing the same with the second call (the confirm-registration). The flow works fine, but we are not able to recalculate the "shopware-shop-id" as suggested in the documentation. There is an example done in PHP. Given the following body:

{
  "apiKey":"SWIARXBSDJRWEMJONFK2OHBNWA",
  "secretKey":"Q1QyaUg3ZHpnZURPeDV3ZkpncXdSRzJpNjdBeWM1WWhWYWd0NE0",
  "timestamp":"1592398983",
  "shopUrl":"http:\/\/my.shop.com",
  "shopId":"sqX6cqHi6hbj",
  "shopSecret":"b49b082162c95b8afd322dffcc82b3550a64ad5b06a05813d431090d32a4b5f3"
}

the doc suggests to recalculate the "shopware-shop-signature" like this:

use Psr\Http\Message\RequestInterface;

/** @var RequestInterface $request */
$hmac = \hash_hmac('sha256', $request->getBody()->getContents(), $shopSecret);

Our server is written in JS with node, and we tried to replicate the hmac calculation like this:

const { createHmac } = require("crypto");
createHmac("sha256", shopSecret).update(request.rawBody).digest("hex");

where "shopSecret" is the one created in the first call and "request.rawBody" is the raw JSON request body. Unfortunately this never matches the "shopware-shop-signature" in the request headers. Do you have any suggestion on what we are doing wrong?

A little side note: with the app in development mode (with the secret in the manifest.xml) the previous body of the confirm-registration never sends back the "shopSecret", so we have to recalculate it. Is it the expected behavior?


Solution

  • There have been similar questions regarding authentication/confirmation on node-based servers before. So far the issues were always caused by differences in escaping or decoding within either the request body or the query parameters.

    I think in your instance the problem could be that in your request.rawBody the http:\/\/my.shop.com string automatically is unescaped to http://my.shop.com. This causes the keys generated in Shopware and on your end to be hashed differently, making the comparison fail. Make sure the slashes stay escaped.
    For reference see this answer.

    FYI: If, in your later development, you'll have problems with authentication of GET requests, note that url encoded query parameters must not be decoded by your node server or the authentication will fail, also due to differing hashes.
    For reference see this question.