From 2362015ae113fb4bc5a4acb80cf7e9a0f0b4d84c Mon Sep 17 00:00:00 2001
From: Yixian
Date: Wed, 23 Mar 2022 17:21:17 +0800
Subject: [PATCH] fix shopify hmac verify
---
 .../service/ShopifyRequestValidator.java | 13 ++++------
 .../web/ShopifyAuthTemplateController.java | 11 +++++---
 .../support/HmacVerificationUtilTest.java | 25 +++++++++++++++++++
 3 files changed, 37 insertions(+), 12 deletions(-)
 create mode 100644 src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
index cf90d7473..3c7daab6f 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
@@ -12,23 +12,20 @@ public class ShopifyRequestValidator {
 private String clientSecret;
 public Boolean valid(ShopifyCommonParameter parameter) {
- StringBuilder message =new StringBuilder();
+ StringBuilder message = new StringBuilder();
 message.append("code=").append(parameter.getCode())
 .append("&host=").append(parameter.getHost())
 .append("&shop=").append(parameter.getShop())
 .append("&state=").append(parameter.getState())
 .append("×tamp=").append(parameter.getTimestamp());
- return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,parameter.getHmac());
+ return HmacVerificationUtil.hmacSHA256(message.toString(), clientSecret, parameter.getHmac());
 }
- public boolean verifyPermission(String shopifyStoreHost, String hmac, String timestamp) {
- StringBuilder message =new StringBuilder();
- message.append("shop=").append(shopifyStoreHost)
- .append("×tamp=").append(timestamp);
- return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,hmac);
+ public boolean verifyPermission(String queryStrWithoutHmac, String hmac) {
+ return HmacVerificationUtil.hmacSHA256(queryStrWithoutHmac, clientSecret, hmac);
 }
 public boolean verify(String message, String hmac) {
- return HmacVerificationUtil.hmacSHA256(message,clientSecret,hmac);
+ return HmacVerificationUtil.hmacSHA256(message, clientSecret, hmac);
 }
 }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
index c57b68a81..dcd5c9d70 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
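Review bot: In ShopifyRequestValidator, `verifyPermission(String queryStrWithoutHmac, String hmac)` is now the same one-line delegation as `verify(String message, String hmac)` directly below it, and nothing states what string a caller must pass for the check to mean anything. I would either have it call `verify` or give it a Javadoc, for example `/** @param queryStrWithoutHmac the request's query parameters with hmac removed, in the exact form the sender signed */`. `valid` still signs a fixed list of five fields, so a request carrying any additional signed parameter would presumably fail there the way the old `verifyPermission` did. HmacVerificationUtil is not part of this patch; it is worth confirming that it compares the digests with a constant-time method such as `MessageDigest.isEqual` rather than `String.equals`.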
@@ -10,9 +10,12 @@ import au.com.royalpay.payment.tools.env.PlatformEnvironment;
 import au.com.royalpay.payment.tools.exceptions.BadRequestException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.util.UriComponentsBuilder;
+import javax.servlet.http.HttpServletRequest;
 import java.util.regex.Pattern;
 @Controller
@@ -33,18 +36,18 @@ public class ShopifyAuthTemplateController {
 *
 * @param shop
 * @param hmac
- * @param timestamp
 * @return
 */
 @GetMapping("/auth")
 @ShopifyEndpoint
 public String shopifyStorePermission(@RequestParam("shop") String shop,
- @RequestParam("hmac") String hmac,
- @RequestParam("timestamp") String timestamp) {
+ @RequestParam("hmac") String hmac, HttpServletRequest request) {
 if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
 throw new BadRequestException("Parameter shop is invalid.");
 }
- if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp)) {
+ String queryStr = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request))
+ .replaceQueryParam("hmac").build().getQuery();
+ if (!shopifyRequestValidator.verifyPermission(queryStr, hmac)) {
 throw new ShopifyRequestVerifyException("This request parameters is invalid");
 }
 ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
diff --git a/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java b/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java
new file mode 100644
index 000000000..acc19713a
--- /dev/null
+++ b/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java
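Review bot: In `shopifyStorePermission`, the string passed to `verifyPermission` is the query exactly as it arrived (`replaceQueryParam("hmac").build().getQuery()` removes hmac but keeps the order and encoding of everything else), so the check only passes when the parameters already arrive in the order they were signed in. The tests added in this same commit show the mismatch: `checkParameters` verifies the hmac over `host`, `shop`, `timestamp`, while `testQuery` expects `host`, `timestamp`, `shop` from the builder. Shopify's documented procedure sorts the remaining parameters by key before computing the digest, so I would build the message from the parsed parameter map, sorted, as sketched below; the `shop` value the regex checks and the value that is signed then come from the same parsed source. The sketch assumes single-valued parameters and needs `java.util.Map` and `java.util.stream.Collectors` imported; the method body continues past the end of the hunk.

```java
// … unchanged: shop regex check …
String queryStr = request.getParameterMap().entrySet().stream()
        .filter(e -> !"hmac".equals(e.getKey()))
        .sorted(Map.Entry.comparingByKey())
        // decoded, single-valued parameters assumed; confirm against Shopify's verification docs
        .map(e -> e.getKey() + "=" + e.getValue()[0])
        .collect(Collectors.joining("&"));
if (!shopifyRequestValidator.verifyPermission(queryStr, hmac)) {
// … unchanged: exception and permission-URL lookup …
```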
@@ -0,0 +1,25 @@
+package au.com.royalpay.payment.manage.shopify.support;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class HmacVerificationUtilTest {
+
+ @Test
+ void checkParameters() {
+ String message = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=geek-test-shop.myshopify.com×tamp=1648025715";
+ String key = "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";
+ String hmac = "803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc";
+ assert HmacVerificationUtil.hmacSHA256(message, key, hmac);
+ }
+
+ @Test
+ void testQuery() {
+ String base = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg×tamp=1648025715&shop=geek-test-shop.myshopify.com";
+ String query = UriComponentsBuilder.fromUriString("/shopify/auth?hmac=803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc&host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg×tamp=1648025715&shop=geek-test-shop.myshopify.com")
+ .replaceQueryParam("hmac").build().getQuery();
+ assertEquals(base, query);
+ }
+}
\ No newline at end of file
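Review bot: The `key` literal in `checkParameters` carries the `shpss_` prefix Shopify uses for app client secrets and is committed next to a matching hmac and shop name, so it looks like a live credential rather than a fixture; if it is real it should be rotated, and the test should use a made-up key with an hmac computed from it. The check itself uses the `assert` keyword, which is skipped when JVM assertions are disabled, so `assertTrue(HmacVerificationUtil.hmacSHA256(message, key, hmac));` is the safer form. There is also no negative case: a test that changes one character of `message` or `hmac` and expects `false` would pin the property this class exists to enforce.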