Shopify Multipass : Elixir Implementation

For the record, here is the complete working proof-of-concept code:

# Use your multipass secret from the Shopify Dashboard: Settings -> Checkout 
multipass_secret = "1234567890abcdef1234567890abcdef"
block_size = 16

customer_data = %{
  email: "test@test.shopify.com",
  created_at: DateTime.to_iso8601(Timex.now()), # Must be a current time
}

# Split the secret into 2 binary keys each containing exactly 16 bytes
key_material = :crypto.hash(:sha256, multipass_secret)
<< encryption_key::binary-size(16), signature_key::binary-size(16) >> = key_material

# Encode the message payload
customer_data_as_string = Jason.encode!(customer_data)

# Initialization Vector
ivec = :crypto.strong_rand_bytes(block_size)

# Padding
to_add = block_size - rem(byte_size(customer_data_as_string), block_size)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)

# Manually pad the message with the IV
cipher_text = ivec <> :crypto.block_encrypt(:aes_cbc128, encryption_key, ivec, padded)
signature = :crypto.hmac(:sha256, signature_key, cipher_text)
message = cipher_text <> signature

token = Base.url_encode64(message, case: :lower)

# The magic multipass link to your site:
"https://yoursite.myshopify.com/account/login/multipass/#{token}"