Application verification

Shoplo provides an easy way to confirm that a user came from the administration panel. Every redirection from Shoplo to an application includes verification parameters such as signature, hmac, shop identification number, shop domain and timestamp. All parameters except shop_domain are concatenated and base64-encoded into a single v parameter. The shop_domain parameter is the first permanent domain assigned when a shop is created.

Example of the verification part of a query string:

"&shop_domain=check.shoplo.lc&v=dGltZXN0YW1wPTE0MjM0MjM2NjkmaG1hYz1NakE0T0RoaU5qRTVZbU00T1dVelpXUTVaamxsTVdVM1lUY3lOamxrTm1JME5XUmpOMlEwT1dVMk1XUmhOMlExWlRJeE1tRXlPRGszT0dSak9ESXlPQT09JnNpZ25hdHVyZT03Zjk1NjFmZDZiMzRhOWU1MGRkNjQ5ZjcxOWQ2MzVmMyZzaG9wX2lkPTM5NjQ="

After base64-decoding the v value, we get our parameters concatenated with &:

timestamp=1423423669&hmac=MjA4ODhiNjE5YmM4OWUzZWQ5ZjllMWU3YTcyNjlkNmI0NWRjN2Q0OWU2MWRhN2Q1ZTIxMmEyODk3OGRjODIyOA==&signature=7f9561fd6b34a9e50dd649f719d635f3&shop_id=3964

In the next step we convert this query string to a map, as below:

TIMESTAMP: 1423423669
HMAC: MjA4ODhiNjE5YmM4OWUzZWQ5ZjllMWU3YTcyNjlkNmI0NWRjN2Q0OWU2MWRhN2Q1ZTIxMmEyODk3OGRjODIyOA==
SIGNATURE: 7f9561fd6b34a9e50dd649f719d635f3
SHOP_ID: 3964

HMAC validation

After preparing all parameters, we can compute HMAC-SHA256 using the application secret key. The hmac parameter is authentic if it equals the base64-encoded hexdigest calculated as below:

base64_encode( hash_hmac( 'sha256', SHOP_DOMAIN + APP_DOMAIN + SECRET_KEY + SHOP_ID + TIMESTAMP, SECRET_KEY ) )

Signature validation

The signature parameter is authentic if it equals the calculated md5 digest, as below:

md5( SECRET_KEY + SHOP_DOMAIN + SHOP_ID + base64_decode(CALCULATED_HMAC) )
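
The whole check, from decoding v to comparing both values, as an added Python example (not Shoplo's own code). The function names are hypothetical. It assumes that + in the formulas means string concatenation, that strings are UTF-8, that APP_DOMAIN is the application's own domain supplied by the caller, and that the hexdigest is lowercase as PHP's hash_hmac returns it. The secret and app domain in the demo are constructed values.

```python
import base64
import hashlib
import hmac


def decode_v(v):
    """Base64-decode the v parameter and split it into a dict of its fields."""
    decoded = base64.b64decode(v, validate=True).decode("ascii")
    return dict(pair.split("=", 1) for pair in decoded.split("&"))


def expected_values(secret_key, app_domain, shop_domain, shop_id, timestamp):
    """Compute (hmac, signature) from the two formulas on this page."""
    message = shop_domain + app_domain + secret_key + shop_id + timestamp
    hexdigest = hmac.new(secret_key.encode(), message.encode(),
                         hashlib.sha256).hexdigest()
    calc_hmac = base64.b64encode(hexdigest.encode()).decode()
    # base64_decode(CALCULATED_HMAC) is the hex digest itself.
    calc_sig = hashlib.md5(
        (secret_key + shop_domain + shop_id + hexdigest).encode()).hexdigest()
    return calc_hmac, calc_sig


def verify_redirect(shop_domain, v, secret_key, app_domain):
    """Return True only if both hmac and signature match the calculated values."""
    try:
        p = decode_v(v)
        got_hmac, got_sig = p["hmac"], p["signature"]
        want_hmac, want_sig = expected_values(
            secret_key, app_domain, shop_domain, p["shop_id"], p["timestamp"])
    except (KeyError, ValueError, TypeError):
        return False  # malformed or incomplete v: reject
    # Constant-time comparison, so timing does not reveal how much matched.
    return (hmac.compare_digest(got_hmac.encode(), want_hmac.encode())
            & hmac.compare_digest(got_sig.encode(), want_sig.encode()))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret, app, shop = "example-secret", "app.example.com", "check.shoplo.lc"
    h, s = expected_values(secret, app, shop, "3964", "1423423669")
    inner = f"timestamp=1423423669&hmac={h}&signature={s}&shop_id=3964"
    v = base64.b64encode(inner.encode()).decode()
    print(verify_redirect(shop, v, secret, app))               # genuine redirect
    print(verify_redirect("other.shoplo.lc", v, secret, app))  # altered shop_domain
```

Because shop_domain travels outside v, it is the hmac and signature checks that bind it to the other parameters, so use shop_domain only after verify_redirect returns True.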