[WIP] - Fix app proxy HMAC validation dropping duplicate query parameters #3101

Open
byrichardpowell wants to merge 3 commits into main from fix/app-proxy-hmac-duplicate-params
Conversation

@byrichardpowell
Contributor

WHY are these changes introduced?

Fixes #2374

authenticate.public.appProxy() throws a spurious 400 for requests where a query parameter appears more than once. Object.fromEntries(searchParams.entries()) silently drops duplicate keys before HMAC validation, producing a different string than Shopify signed.

stringifyQueryForAppProxy in hmac-validator.ts already handles arrays by joining with commas, but never received arrays because Object.fromEntries collapsed them first.

WHAT is this pull request doing?

Adds a searchParamsToQuery() helper that iterates URLSearchParams entries preserving duplicates as arrays, and replaces all three Object.fromEntries(searchParams.entries()) calls inside validateAppProxyHmac in both shopify-app-remix and shopify-app-react-router.

Also fixes the createAppProxyHmac test helper which had the same bug (masking the issue in tests), and adds a regression test for the duplicate-parameter case.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)

Checklist

  • I have used pnpm changeset to create a draft changelog entry (do NOT update the CHANGELOG.md files manually)
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

byrichardpowell and others added 3 commits March 13, 2026 14:28
Object.fromEntries(searchParams.entries()) silently collapsed repeated
query params before HMAC validation, producing a different string than
Shopify signed and causing spurious 400s.

Replace with searchParamsToQuery() which preserves duplicates as arrays,
matching the comma-join behaviour already expected by stringifyQueryForAppProxy.

Fixes #2374

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ring[]

AuthQuery only accepts string | undefined values. Pre-join duplicate params
with commas in searchParamsToQuery so the type satisfies AuthQuery.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@byrichardpowell changed the title "Fix app proxy HMAC validation dropping duplicate query parameters" to "[WIP] - Fix app proxy HMAC validation dropping duplicate query parameters" on Mar 13, 2026
@byrichardpowell
Contributor Author

Marking as WIP as I need to test this

Development

Successfully merging this pull request may close these issues.

App Proxy authenticate.public.appProxy Fails Signature Validation with Specific Query Parameter Names (e.g., consented, consentGiven)