getting "Invalid Request! Request or redirect did not come from Shopify" error on install

[alexandprivate]

Hello, I am having this persistent error every time I try to install my app and this is so far the many things I have tried.

I have phpish/shopify_app-skeleton in my server and compose install with all dependencies
after that I change my conf.php adding a global variable for redirecting URL:= like this

define('REDIRECT_URL', 'http://my-app-name.hosting.com/app/oauth.php');

after that in my oauth.php file I place at the end of the line 16 my gobal variable "REDIRECT_URL" like this:

$permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_content', 'write_content', 'read_themes', 'write_themes', 'read_products', 'write_products', 'read_customers', 'write_customers', 'read_orders', 'write_orders', 'read_script_tags', 'write_script_tags', 'read_fulfillments', 'write_fulfillments', 'read_shipping', 'write_shipping'),REDIRECT_URL);

also I have commented the line 11:

shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

even I have replace line 11 with the function explained in this post but not result came up.

but nothing works... any advice ??? anything else to do, I am doing something wrong o missing any steps?

[myjanky]

What is the exact error you are receiving? Please post your log file for php errors if any relate to this.
Maybe you can add a couple print to log calls in the install.php file to see where the installation is failing.

[alexandprivate]

Hi @myjanky thanks a lot for the quick response, here I go ...

the error I am getting in my browser after run the installation is:

Invalid Request! Request or redirect did not come from Shopify

with that clear I would like to make a review about the changes I've done with my conf.php and oauth.php

in conf.php I just add a new line with my address is my callback address in my shopify backend :

define('REDIRECT_URL', 'http://my-app-name.hosting.com/app/oauth.php');

once I did this, I move to make changes in my oauth.php with following changes:

I place at the end of the line 16 my global variable "REDIRECT_URL" like this:

$permission_url = shopify\authorization_url($_GET['shop'], SHOPIFY_APP_API_KEY, array('read_content', 'write_content', 'read_themes', 'write_themes', 'read_products', 'write_products', 'read_customers', 'write_customers', 'read_orders', 'write_orders', 'read_script_tags', 'write_script_tags', 'read_fulfillments', 'write_fulfillments', 'read_shipping', 'write_shipping'),REDIRECT_URL);

after that I checked again my install URL but I get the same error in my browser after been redirected to the login to my shop and after log in I get this

Invalid Request! Request or redirect did not come from Shopify

then I move back to my oauth.php file and commented the line 11, this line

Invalid Request! Request or redirect did not come from Shopify

then I move back to my oauth.php file and commented the line 11, this line

shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

and after did this I tried again my install URL and get a different error:

400 - Oauth error invalid_request: The redirect_uri is missing or not
whitelisted

came back to my oauth.php file and removed the comment in line 11, and finally I change the function for line 11 with the new one listed in the issue 19 changing function is_valid_request into this

function is_valid_request_hmac($query_params, $shared_secret) {
if (!isset($query_params['timestamp'])) return false;
$seconds_in_a_day = 24 60 60;
$older_than_a_day = $query_params['timestamp'] < (time() - $seconds_in_a_day);
if ($older_than_a_day) return false;

$hmac = $query_params['hmac'];
unset($query_params['signature'], $query_params['hmac']);

foreach ($query_params as $key=>$val) $params[] = "$key=$val";
sort($params);

return (hash_hmac('sha256', implode('&', $params), $shared_secret) === $hmac);
}

but then I get again this error

400 - Oauth error invalid_request: The redirect_uri is missing or not
whitelisted

so what can I do next ?

[alexandprivate]

this is my browser view showing the last error I am getting like commented above.

[myjanky]

Your redirect URL must match that in your partner's account app dashboard @ developers.shopify.com

The error is unrelated to is_valid_request_hmac.

What is your partners dashboard app redirect url. (callback)

[alexandprivate]

my callback http://myapp.hekities.com/app/oauth.php and is the one I defined in conf.php

and my oauth.php in the line 11 like this

shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

[myjanky]

Hmmm. Can you host with SSL? I had many issues until I SSL my app domain.

[alexandprivate]

hummm I need to check my hosting, I don't think so but let me try

[myjanky]

heroku has ssl containers you can move the code to.

On Fri, Jul 29, 2016 at 10:37 AM, alexandprivate notifications@github.com
wrote:

hummm I need to check my hosting, I don't think so but let me try

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#22 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ANaCiFmWNU-9-nnubiH1ka3mepaq52lgks5qah49gaJpZM4JXnMW
.

Larry Wheeler
Phone: 817.238.3708
Chief Technology Officer
www.sleepingbaby.com

"I believe that the money is in making the tools. They say during the gold
rush, the people that made the most money were the ones selling the
shovels.”

[image: Inline image 1] http://www.sleepingbaby.com/

[myjanky]

Can you post the entire oauth.php file you have?

[alexandprivate]

good idea. let me try my hosting and keep you posted about the SSL...

[alexandprivate]

top.location.href='$permission_url '</script>"); } # Step 3: http://docs.shopify.com/api/authentication/oauth#confirming-installation try { # shopify\access_token can throw an exception $oauth_token = shopify\access_token($_GET['shop'], SHOPIFY_APP_API_KEY, SHOPIFY_APP_SHARED_SECRET, $_GET['code']); $_SESSION['oauth_token'] = $oauth_token; $_SESSION['shop'] = $_GET['shop']; echo 'App Successfully Installed!'; } catch (shopify\ApiException $e) { # HTTP status code was >= 400 or response contained the key 'errors' echo $e; print_R($e->getRequest()); print_R($e->getResponse()); } catch (shopify\CurlException $e) { # cURL error echo $e; print_R($e->getRequest()); print_R($e->getResponse()); } ``` ?>

[myjanky]

Ok I see some issues.

With composer it is getting shopify.php from phpish library.
is_valid_request() is not the same function as is_valid_request_hmac() and you are calling the former.

# Guard: http://docs.shopify.com/api/authentication/oauth#verification shopify\is_valid_request($_GET, SHOPIFY_APP_SHARED_SECRET) or die('Invalid Request! Request or redirect did not come from Shopify');

I think you may be getting hung up on step one, prior to asking for permission.
Comment out everything below the above code snippet and dump $_GET to the screen with vardump...

what does it contain?

[myjanky]

Also, is the redirect url visible in the URI as a query param (get var.)

[alexandprivate]

yeah but I change the function in shopify.php so it is working fine and doing the check by hmac ... notice if not the error will go with die
"Invalid Request! Request or redirect did not come from Shopify" and is not happening that.

and thats not the problem the function is working fine I am getting the error in line 16

[alexandprivate]

LARRY ! the app have been installed !!! dont ask me how or why !!! kinda budu or something ! I change nothing !

[alexandprivate]

I think it was a cache problem or something !!! thanks a lot pal !!!! write you back about further issues and success ! thanks again

[myjanky]

Are you not using composer to get your libraries? Changing shopify.php will only work if you disable composer. Yes, could be a cache issue due to composer.

[myjanky]

no worries. Hope you get the app together how you want.

[alexandprivate]

yeah ! I think it was that !

[alexandprivate]

thanks man

[ZoobiDoobi]

Hi, still stuck at this error! (Invalid Request! Request or redirect did not come from Shopify)
Things that I tried :
1- added Redirect URL to conf.php
2-Added Redirect URL to oauth.php
3-App Code is hosted on SSL domain.

Any help? Totally new to shopify

[ZoobiDoobi]

This is the var_dum($_GET), 'singature' index is missing

[myjanky]

see if the shared secret is getting passed into the is_valid_request() properly.

[ZoobiDoobi]

Problem was 'signature index'. now instead of signature, 'hmac' is being used.
Following patch resolved the issue..
https://github.com/xewl/shopify/blob/patch-1/shopify.php
I only used is_valid_request from this patch.

Thanks :)

[ghost]

Hi The patch is not working. Please give me the url for the updated patch. I am also facing the same issue.
Thanks

[myjanky]

@sanishkamboj
the issue involves hmac as Shopify no longer supports md5 hash.
please try this function in place of is_valid_request().
`public function validateSignature($query)
{
if(!is_array($query) || empty($query['hmac']) || !is_string($query['hmac']))
return false;
$dataString = array();
foreach ($query as $key => $value) {
$key = str_replace('=', '%3D', $key);
$key = str_replace('&', '%26', $key);
$key = str_replace('%', '%25', $key);
$value = str_replace('&', '%26', $value);
$value = str_replace('%', '%25', $value);

		if($key != 'hmac')
			$dataString[] = $key . '=' . $value;
	}
	
	sort($dataString);
	
	$string = implode("&", $dataString);
	if (version_compare(PHP_VERSION, '5.3.0', '>='))
		$signature = hash_hmac('sha256', $string, $this->secret);
	else
		$signature = bin2hex(mhash(MHASH_SHA256, $string, $this->secret));
			
	return $query['hmac'] == $signature;
}`

this is from ohShopify. I take no credit for the function