HMAC mismatch when query contains spaces — URLSearchParams encodes spaces differently than Shopify expects #2701

@sed39

Issue summary

Before opening this issue, I have:

  • Upgraded to the latest version of the relevant packages
    • @shopify/* package and version:
    • Node version:
    • Operating system:
  • Set { logger: { level: LogSeverity.Debug } } in my configuration, when applicable
  • Found a reliable way to reproduce the problem that indicates it's a problem with the package
  • Looked for similar issues in this repository
  • Checked that this isn't an issue with a Shopify API

When a query parameter value contains spaces, the query string generated by JavaScript's new URLSearchParams(...) in the Shopify SDK uses an encoding that doesn't match what Shopify's signature/verification expects, causing the HMAC verification to fail.

Expected behavior

Validation by api.utils.validateHmac(query) works.

Actual behavior

It does not work. I'm a bit confused — how exactly should the HMAC check be performed here? After reading the code of api.utils.validateHmac, I tried a version that doesn't encode spaces, and the HMAC verification passed.

Steps to reproduce the problem

  1. Open [Shopify App Store] and find any app.
  2. Add some params with escapes to the query.
  3. Click Install.
  4. Copy the searchParams and try to validate it.
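
The mismatch reported above, reproduced as an added example (not part of the original issue and not the SDK's code): the same parameters serialized three ways produce three different HMAC-SHA256 digests as soon as a value contains a space. The secret, the parameter values, and the assumption that the signer used the unencoded form (taken from the reporter's observation) are constructed for the demo.

```javascript
const crypto = require("node:crypto");

// Constructed sample values (assumptions, not taken from the issue).
const SECRET = "example-app-secret";
const PARAMS = { shop: "example.myshopify.com", state: "hello world", timestamp: "1700000000" };

// Key-sorted [key, value] pairs so every serializer sees the same order.
function sortedEntries(params) {
  return Object.entries(params).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
}

// Three serializations of the same parameters; they differ only when a value needs encoding.
const serializers = {
  // application/x-www-form-urlencoded: space becomes "+"
  urlSearchParams: (p) => new URLSearchParams(sortedEntries(p)).toString(),
  // percent-encoding: space becomes "%20"
  percentEncoded: (p) =>
    sortedEntries(p).map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join("&"),
  // no encoding: space stays a literal space
  raw: (p) => sortedEntries(p).map(([k, v]) => `${k}=${v}`).join("&"),
};

function sign(message, secret = SECRET) {
  return crypto.createHmac("sha256", secret).update(message).digest("hex");
}

// Constant-time comparison of two hex digests.
function safeEqualHex(a, b) {
  const x = Buffer.from(a, "hex");
  const y = Buffer.from(b, "hex");
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Names of the serializations under which `hmac` verifies for `params`.
function matchingSerializations(params, hmac) {
  return Object.keys(serializers).filter((name) =>
    safeEqualHex(sign(serializers[name](params)), hmac));
}

// Demo: the signer is assumed to have signed the unencoded form.
const receivedHmac = sign(serializers.raw(PARAMS));
for (const [name, fn] of Object.entries(serializers)) {
  console.log(name.padEnd(16), JSON.stringify(fn(PARAMS)));
}
console.log("verifies under:", matchingSerializations(PARAMS, receivedHmac));
```

With values that need no encoding, all three serializations are byte-identical and all verify, which is why the failure only appears once a parameter contains a space.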
