For the record, here is the complete working proof-of-concept code:
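# Multipass secret from the Shopify Dashboard: Settings -> Checkout.
# Anyone holding this value can mint a login token for any customer email, so
# outside a proof of concept load it from runtime configuration or a secret
# store instead of committing it. The value below is a placeholder.
multipass_secret = "1234567890abcdef1234567890abcdef"

# AES block size in bytes; also the IV length for CBC mode.
block_size = 16

customer_data = %{
  email: "test@test.shopify.com",
  # Must be a current time, so build the token at login time rather than
  # ahead of time.
  created_at: DateTime.to_iso8601(Timex.now())
}

# SHA-256 of the secret yields 32 bytes: the first 16 become the AES-128
# encryption key, the last 16 the HMAC signing key.
<<encryption_key::binary-size(16), signature_key::binary-size(16)>> =
  :crypto.hash(:sha256, multipass_secret)

# Encode the message payload as JSON.
customer_data_as_string = Jason.encode!(customer_data)

# Fresh random initialization vector for every token; a reused IV under CBC
# would reveal when two payloads share a prefix.
ivec = :crypto.strong_rand_bytes(block_size)

# PKCS#7 padding: append N bytes of value N. An already block-aligned payload
# gets a full extra block, so the padding can always be removed unambiguously.
to_add = block_size - rem(byte_size(customer_data_as_string), block_size)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)

# Encrypt with AES-128-CBC and prepend the IV to the ciphertext.
# :crypto.block_encrypt/4 was removed in OTP 24; :crypto.crypto_one_time/5
# (OTP 22+) is the replacement. No padding option is passed because the
# payload is padded by hand above.
cipher_text = ivec <> :crypto.crypto_one_time(:aes_128_cbc, encryption_key, ivec, padded, true)

# Sign IV + ciphertext (encrypt-then-MAC) with HMAC-SHA256.
# :crypto.hmac/3 was removed in OTP 24; :crypto.mac/4 (OTP 22.1+) replaces it.
signature = :crypto.mac(:hmac, :sha256, signature_key, cipher_text)

message = cipher_text <> signature

# URL-safe Base64. Base.url_encode64/2 only understands :padding, so the
# original `case: :lower` option had no effect and is dropped.
token = Base.url_encode64(message)

# The magic multipass link to your site. The token is a bearer credential:
# keep it out of logs and analytics.
"https://yoursite.myshopify.com/account/login/multipass/#{token}"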






















