From 1ed38f82c179e4d2dab05cfad7271437db0bb525 Mon Sep 17 00:00:00 2001
From: humancopy <info@humancopy.net>
Date: Fri, 12 Apr 2019 14:13:02 +0200
Subject: [PATCH] The ids parameter should be prepared differently for the HMAC

---
 lib/shopify/oauth.ex | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/shopify/oauth.ex b/lib/shopify/oauth.ex
index 92018b3..76b2775 100644
--- a/lib/shopify/oauth.ex
+++ b/lib/shopify/oauth.ex
@@ -79,10 +79,38 @@ defmodule Shopify.OAuth do
 
   defp valid_hmac?(secret, params) do
     hmac  = params["hmac"]
-    query = params |> Map.delete("hmac") |> URI.encode_query
 
-    :crypto.hmac(:sha256, secret, query)
+    :crypto.hmac(:sha256, secret, query_string(params))
     |> Base.encode16(case: :lower)
     |> String.equivalent?(hmac)
   end
+
+  defp query_string(query, nil) do
+    query
+  end
+
+  defp query_string(query, ids) do
+    # Convert the ids to a string representing and array of numeric strings:
+    # ["1", "2", "3"]
+    ids = ids
+    |> Enum.map(fn x -> "\"#{x}\"" end)
+    |> Enum.join(", ")
+
+    # Concatenate the ids back to the query - they must not be URI encoded!
+    # https://community.shopify.com/c/Shopify-APIs-SDKs/HMAC-calculation-vs-ids-arrays/m-p/261154
+    "ids=[#{ids}]&#{query}"
+  end
+
+  defp query_string(params) when is_map(params) do
+    # Extract the ids
+    ids = params["ids"]
+
+    # Remove the ids & hmac parameters and make a query string
+    query = params
+    |> Map.delete("ids")
+    |> Map.delete("hmac")
+    |> URI.encode_query
+
+    query_string(query, ids)
+  end
 end