I’m working on an Elixir implementation of Shopify’s Multipass feature – it’s basically a single-sign-on (SSO) flow that lets your app handle authentication, and on success, it produces a URL that when clicked will cause a customer record to be upserted into Shopify. They include working examples of how to do this in PHP and Ruby, but I cannot make it work in Elixir.
You have to enable the feature and they give you a 32 character shared secret key.
# Example key from Shopify Admin
multipass_secret = "1234567890abcdef1234567890abcdef"
customer_data = %{
email: "test@test.shopify.com",
created_at: DateTime.to_iso8601(Timex.now()), # <-- the token will only be valid for a small timeframe around this timestamp.
}
key_material = :crypto.hash(:sha256, multipass_secret)
# Split the key into 2 binaries each containing exactly 16 bytes
<< encryption_key::binary-size(16), signature_key::binary-size(16) >> = key_material
customer_data_as_string = Jason.encode!(customer_data)
# Initialization Vector
ivec = :crypto.strong_rand_bytes(16)
to_add = 16 - rem(byte_size(customer_data_as_string), 16)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)
cipher_text = ivec <> :crypto.block_encrypt(:aes_cbc128, encryption_key, ivec, padded)
signature = :crypto.hmac(:sha256, signature_key, cipher_text)
message = cipher_text <> signature
token = Base.encode16(message, case: :lower)
"https://yourstore.myshopify.com/account/login/multipass/#{token}"
Note that this feature is only available in Shopify Plus accounts.
No error on generation, but when I click the link to head over to Shopify, I get a bad request error. Using the PHP or Ruby code samples results in a working link that logs me into the Shopify store.
I took the provided ruby code on the Shopify documentation, replaced dynamic values with static values (the json string and iv) and used the resulting token to set up a simple test.
WOW. That has to be the best typo I’ve made in weeks! Base 16?!? I was so focused on the hard parts of the crypto stuff that I didn’t pay attention to the last bit. THANK YOU!!
Sure – the process does require that customer data be JSON encoded. Can you recommend how to nicely implement that as a dependency? Or should I restructure the input to make the user do the JSON encoding outside of your package?