fix shopify hmac verify

master
Yixian 3 years ago
parent 6d9986d044
commit 2362015ae1

@ -12,23 +12,20 @@ public class ShopifyRequestValidator {
private String clientSecret;
public Boolean valid(ShopifyCommonParameter parameter) {
StringBuilder message =new StringBuilder();
StringBuilder message = new StringBuilder();
message.append("code=").append(parameter.getCode())
.append("&host=").append(parameter.getHost())
.append("&shop=").append(parameter.getShop())
.append("&state=").append(parameter.getState())
.append("&timestamp=").append(parameter.getTimestamp());
return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,parameter.getHmac());
return HmacVerificationUtil.hmacSHA256(message.toString(), clientSecret, parameter.getHmac());
}
public boolean verifyPermission(String shopifyStoreHost, String hmac, String timestamp) {
StringBuilder message =new StringBuilder();
message.append("shop=").append(shopifyStoreHost)
.append("&timestamp=").append(timestamp);
return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,hmac);
public boolean verifyPermission(String queryStrWithoutHmac, String hmac) {
return HmacVerificationUtil.hmacSHA256(queryStrWithoutHmac, clientSecret, hmac);
}
public boolean verify(String message, String hmac) {
return HmacVerificationUtil.hmacSHA256(message,clientSecret,hmac);
return HmacVerificationUtil.hmacSHA256(message, clientSecret, hmac);
}
}
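Review bot: `verifyPermission(String queryStrWithoutHmac, String hmac)` now has the same body as `verify(String message, String hmac)` and no longer decides which fields are signed, so the check is only as good as the string the caller passes in. A Javadoc should state that contract, for example `/** @param queryStrWithoutHmac the request query with the hmac parameter removed, in the exact form that was signed */`, and the body could delegate with `return verify(queryStrWithoutHmac, hmac);`. `HmacVerificationUtil.hmacSHA256` is not visible on this page. It is worth confirming that it compares the computed and supplied digests in constant time (for example with `MessageDigest.isEqual`) and returns false rather than throwing when the message or `hmac` is null.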

@ -10,9 +10,12 @@ import au.com.royalpay.payment.tools.env.PlatformEnvironment;
import au.com.royalpay.payment.tools.exceptions.BadRequestException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.UriComponentsBuilder;
import javax.servlet.http.HttpServletRequest;
import java.util.regex.Pattern;
@Controller
@ -33,18 +36,18 @@ public class ShopifyAuthTemplateController {
*
* @param shop
* @param hmac
* @param timestamp
* @return
*/
@GetMapping("/auth")
@ShopifyEndpoint
public String shopifyStorePermission(@RequestParam("shop") String shop,
@RequestParam("hmac") String hmac,
@RequestParam("timestamp") String timestamp) {
@RequestParam("hmac") String hmac, HttpServletRequest request) {
if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
throw new BadRequestException("Parameter shop is invalid.");
}
if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp)) {
String queryStr = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request))
.replaceQueryParam("hmac").build().getQuery();
if (!shopifyRequestValidator.verifyPermission(queryStr, hmac)) {
throw new ShopifyRequestVerifyException("This request parameters is invalid");
}
ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
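Review bot: The string handed to `shopifyRequestValidator.verifyPermission(queryStr, hmac)` is the query exactly as it arrived with `hmac` stripped, so verification succeeds only if the incoming parameter order and encoding match what was signed. The digest in the test added by this commit verifies against `host=…&shop=…&timestamp=…`, and `valid()` in ShopifyRequestValidator also builds its message in name order; sorting the remaining parameters by name before joining them would make this path consistent with both. `timestamp` is still covered by the HMAC but is no longer bound or checked in the visible lines, so a captured valid URL appears to stay valid indefinitely. A freshness window on `request.getParameter("timestamp")` would bound that. The method body continues past the end of the hunk.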

@ -0,0 +1,25 @@
package au.com.royalpay.payment.manage.shopify.support;
import org.junit.jupiter.api.Test;
import org.springframework.web.util.UriComponentsBuilder;
import static org.junit.jupiter.api.Assertions.*;
class HmacVerificationUtilTest {
@Test
void checkParameters() {
String message = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=geek-test-shop.myshopify.com&timestamp=1648025715";
String key = "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";
String hmac = "803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc";
assert HmacVerificationUtil.hmacSHA256(message, key, hmac);
}
@Test
void testQuery() {
String base = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com";
String query = UriComponentsBuilder.fromUriString("/shopify/auth?hmac=803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc&host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com")
.replaceQueryParam("hmac").build().getQuery();
assertEquals(base, query);
}
}
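Review bot: The `key` literal in `checkParameters` has the form of a Shopify app shared secret and is committed alongside a matching signed query for a named shop. If it is a real credential it should be rotated, and the test should use an obviously constructed key with the expected digest computed inside the test. `assert HmacVerificationUtil.hmacSHA256(message, key, hmac);` only checks anything when assertions are enabled in the test JVM, so `assertTrue(HmacVerificationUtil.hmacSHA256(message, key, hmac));` is the safer form. `testQuery` only compares strings, and its `base` is ordered host, timestamp, shop whereas the message that verifies in `checkParameters` is ordered host, shop, timestamp, so nothing here shows that the controller's stripped query actually passes verification.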