[Fixes #47] Replace http_build_query with custom function

http_build_query in the method does URL-encoding to its components. While it may seem a logical thing to do, technically the string to be constructed is not a URL. Shopify doesn't do such encoding and as a result, the generated hash value does not match. For example in the case when Shopify supplies protocol=http:// query parameter and current implementation with http_build_query encodes it to protocol=https%3A%2F%2F resulting in false negative result.
phpclassic · Jun 11, 2019 · d71a202 · d71a202
1 parent 7a06c4b
commit d71a202
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/lib/AuthHelper.php b/lib/AuthHelper.php
@@ -32,6 +32,23 @@ public static function getCurrentUrl()
         return "$protocol://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
     }
 
+    /**
+     * Build a query string from a data array
+     * This is a replacement for http_build_query because that returns an url-encoded string.
+     *
+     * @param array $data Data array
+     *
+     * @return array
+     */
+    public static function buildQueryString($data)
+    {
+        $paramStrings = [];
+        foreach ($data as $key => $value) {
+            $paramStrings[] = "$key=$value";
+        }
+        return join('&', $paramStrings);
+    }
+
     /**
      * Verify if the request is made from shopify using hmac hash value
      *
@@ -61,7 +78,7 @@ public static function verifyShopifyRequest()
             unset($data['signature']);
         }
         //Create data string for the remaining url parameters
-        $dataString = http_build_query($data);
+        $dataString = self::buildQueryString($data);
 
         $realHmac = hash_hmac('sha256', $dataString, $sharedSecret);