diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/application/ShopifyMerchantAuthApplication.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/application/ShopifyMerchantAuthApplication.java
index 3d44a32ba..779b20d90 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/application/ShopifyMerchantAuthApplication.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/application/ShopifyMerchantAuthApplication.java
@@ -55,12 +55,10 @@ public class ShopifyMerchantAuthApplication {
     /**
      * 获取shopify店铺授权url
      * @param shopifyStoreHost
-     * @param hmac
-     * @param timestamp
      * @return
      */
-    public ShopifyPermissionURL getShopifyPermissionUrl(String shopifyStoreHost, String hmac, String timestamp) {
-        ShopifyPermissionURL shopifyPermissionURL = shopifyAuthService.shopifyPermission(shopifyStoreHost, hmac, timestamp);
+    public ShopifyPermissionURL getShopifyPermissionUrl(String shopifyStoreHost) {
+        ShopifyPermissionURL shopifyPermissionURL = shopifyAuthService.shopifyPermission(shopifyStoreHost);
         return shopifyPermissionURL;
     }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyAuthService.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyAuthService.java
index 751f33fed..ad99f0971 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyAuthService.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyAuthService.java
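Review bot: The Javadoc on getShopifyPermissionUrl still carries an empty `@param shopifyStoreHost` and an empty `@return`; with the signature now reduced to one parameter this is the moment to fill them in, e.g. `@param shopifyStoreHost the merchant's Shopify store host` and `@return the Shopify authorization URL the merchant is redirected to`. Since the service call now also stores a one-time state value in Redis (visible in the ShopifyAuthService hunk of this commit), a sentence noting that side effect would help callers understand that each call starts a fresh authorization flow. The local `shopifyPermissionURL` is assigned and returned on the next line; `return shopifyAuthService.shopifyPermission(shopifyStoreHost);` reads more directly.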
@@ -10,6 +10,7 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Service;
 import org.springframework.web.client.RestClientException;
@@ -38,9 +39,17 @@ public class ShopifyAuthService {
     @Qualifier("shopifyRestTemplate")
     private RestTemplate restTemplate;
-    public ShopifyPermissionURL shopifyPermission(String shopifyStoreHost, String hmac, String timestamp) {
+    @Autowired
+    private StringRedisTemplate stringRedisTemplate;
+
+    public ShopifyPermissionURL shopifyPermission(String shopifyStoreHost) {
         String redirectUri = PlatformEnvironment.getEnv().concatUrl("/auth.html");
-        String permissionUrl = String.format(PERMISSION_URL, shopifyStoreHost, clientId, scope, redirectUri, String.valueOf(new Date().getTime()).substring(0,10));
+
+        String state = String.valueOf(new Date().getTime()).substring(0,10);
+
+        stringRedisTemplate.boundValueOps("shopifyAuthState:"+shopifyStoreHost).set(state);
+
+        String permissionUrl = String.format(PERMISSION_URL, shopifyStoreHost, clientId, scope, redirectUri, state);
         return ShopifyPermissionURL.builder().url(permissionUrl).build();
     }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthController.java
index 8c4a4e117..516a155c0 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthController.java
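Review bot: The OAuth `state` that shopifyPermission now stores and that the verify endpoint checks is the current Unix time in seconds (`String.valueOf(new Date().getTime()).substring(0,10)`), which anyone who knows roughly when the merchant started the flow can enumerate in a handful of guesses, so it does not provide the CSRF binding the check is meant to add. Generate it from a cryptographic source and give the Redis entry a bounded lifetime so abandoned flows do not leave a permanently valid state behind: `String state = UUID.randomUUID().toString();` and `stringRedisTemplate.boundValueOps("shopifyAuthState:" + shopifyStoreHost).set(state, 10, TimeUnit.MINUTES);` (java.util.UUID, java.util.concurrent.TimeUnit; the 10-minute window is an example value to tune). The key is the bare store host, so a second authorization request for the same shop silently overwrites the state of an in-flight flow; that is acceptable for a one-at-a-time install but deserves a comment such as `// one pending authorization per shop; a new request invalidates the previous state`.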
@@ -8,6 +8,7 @@ import au.com.royalpay.payment.manage.shopify.auth.web.command.ShopifyPermission
 import au.com.royalpay.payment.manage.shopify.auth.web.command.ShopifyVerifyRequest;
 import com.alibaba.fastjson.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -28,6 +29,9 @@ public class ShopifyAuthController {
     @Autowired
     private ShopifyRequestValidator shopifyRequestValidator;
+    @Autowired
+    private StringRedisTemplate stringRedisTemplate;
+
     /**
      * 校验shopify请求
      *
@@ -36,6 +40,11 @@ public class ShopifyAuthController {
      */
     @PostMapping("/verify")
     public JSONObject verifyRequest(@RequestBody @Valid ShopifyVerifyRequest request) {
+        String state = stringRedisTemplate.boundValueOps("shopifyAuthState:" + request.getShop()).get();
+        if (!request.getState().equals(state)) {
+            throw new ShopifyRequestVerifyException("This request parameters is invalid");
+        }
+        stringRedisTemplate.delete("shopifyAuthState:" + request.getShop());
         if (!shopifyRequestValidator.valid(request.build())) {
             throw new ShopifyRequestVerifyException("This request parameters is invalid");
         }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
index b94a92bd9..424494079 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
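Review bot: In verifyRequest the new check `!request.getState().equals(state)` dereferences the client-supplied value first, so a request whose state field is absent fails with a NullPointerException instead of the ShopifyRequestVerifyException the method otherwise throws, unless ShopifyVerifyRequest constrains that field under @Valid, which this hunk does not show. Comparing from the stored side handles both the missing field and the missing Redis entry (the `get()` returns null when no state was issued for that shop) in one expression: `if (state == null || !state.equals(request.getState())) {`. The key `"shopifyAuthState:" + request.getShop()` is built twice; hoisting it into a local such as `String stateKey = "shopifyAuthState:" + request.getShop();` keeps the lookup and the delete in step. Deleting the entry before the HMAC validation means the state is consumed even when that later check fails, which is reasonable for a one-time value but worth stating in a comment so it is not "fixed" later. The rest of verifyRequest continues below the hunk.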
@@ -36,7 +36,7 @@ public class ShopifyAuthTemplateController {
         if (!shopifyRequestValidator.verifyPermission(shopifyStoreHost, hmac, timestamp)) {
             throw new ShopifyRequestVerifyException("This request parameters is invalid");
         }
-        ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shopifyStoreHost, hmac, timestamp);
+        ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shopifyStoreHost);
         return new RedirectView(shopifyPermissionURL.getUrl());
     }