I am trying to implement Shopify's JWT cookieless authentication using Apps Script: https://shopify.dev/tutorials/authenticate-your-app-using-session-tokens#verify-the-signature
When I do this:
var byteSignature = Utilities.computeHmacSha256Signature(<header>.<payload>, 'sshhh');
var signed = Utilities.base64EncodeWebSafe(byteSignature);
signed
equals the <signature>
from the JWT, except signed
has an extra =
buffer character at the end. Am I doing something wrong here, or do I just strip it of any =
characters at the end for the purposes of my comparison boolean? Is there a better way?
I am basing this in part off of the npm library: https://github.com/leighs-hammer/shopify-jwt-auth-verify/blob/master/src/index.ts