fix shopify hmac verify

master
Yixian 3 years ago
parent 6d9986d044
commit 2362015ae1

@ -12,23 +12,20 @@ public class ShopifyRequestValidator {
private String clientSecret; private String clientSecret;
public Boolean valid(ShopifyCommonParameter parameter) { public Boolean valid(ShopifyCommonParameter parameter) {
StringBuilder message =new StringBuilder(); StringBuilder message = new StringBuilder();
message.append("code=").append(parameter.getCode()) message.append("code=").append(parameter.getCode())
.append("&host=").append(parameter.getHost()) .append("&host=").append(parameter.getHost())
.append("&shop=").append(parameter.getShop()) .append("&shop=").append(parameter.getShop())
.append("&state=").append(parameter.getState()) .append("&state=").append(parameter.getState())
.append("&timestamp=").append(parameter.getTimestamp()); .append("&timestamp=").append(parameter.getTimestamp());
return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,parameter.getHmac()); return HmacVerificationUtil.hmacSHA256(message.toString(), clientSecret, parameter.getHmac());
} }
public boolean verifyPermission(String shopifyStoreHost, String hmac, String timestamp) { public boolean verifyPermission(String queryStrWithoutHmac, String hmac) {
StringBuilder message =new StringBuilder(); return HmacVerificationUtil.hmacSHA256(queryStrWithoutHmac, clientSecret, hmac);
message.append("shop=").append(shopifyStoreHost)
.append("&timestamp=").append(timestamp);
return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,hmac);
} }
public boolean verify(String message, String hmac) { public boolean verify(String message, String hmac) {
return HmacVerificationUtil.hmacSHA256(message,clientSecret,hmac); return HmacVerificationUtil.hmacSHA256(message, clientSecret, hmac);
} }
} }
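Review bot: `verifyPermission` now hashes the query string in whatever order the parameters arrived, but Shopify's documented HMAC verification is computed over the remaining parameters sorted by key, so a redirect that is not already in sorted order will be rejected — the new test fixture `host&timestamp&shop` is exactly such a case, while the known-good digest in `checkParameters` is over the sorted `host&shop&timestamp`. Canonicalise before signing, e.g. `String canonical = Arrays.stream(queryStrWithoutHmac.split("&")).sorted().collect(Collectors.joining("&"));` and pass `canonical` to `hmacSHA256`. Whether `HmacVerificationUtil.hmacSHA256` compares the digests in constant time (`MessageDigest.isEqual`) is not visible here and is worth confirming, since `hmac` is attacker-controlled. A minor style point: `valid` returns a boxed `Boolean` while the two sibling methods return `boolean`.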

@ -10,9 +10,12 @@ import au.com.royalpay.payment.tools.env.PlatformEnvironment;
import au.com.royalpay.payment.tools.exceptions.BadRequestException; import au.com.royalpay.payment.tools.exceptions.BadRequestException;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate; import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.UriComponentsBuilder;
import javax.servlet.http.HttpServletRequest;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@Controller @Controller
@ -33,18 +36,18 @@ public class ShopifyAuthTemplateController {
* *
* @param shop * @param shop
* @param hmac * @param hmac
* @param timestamp
* @return * @return
*/ */
@GetMapping("/auth") @GetMapping("/auth")
@ShopifyEndpoint @ShopifyEndpoint
public String shopifyStorePermission(@RequestParam("shop") String shop, public String shopifyStorePermission(@RequestParam("shop") String shop,
@RequestParam("hmac") String hmac, @RequestParam("hmac") String hmac, HttpServletRequest request) {
@RequestParam("timestamp") String timestamp) {
if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) { if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
throw new BadRequestException("Parameter shop is invalid."); throw new BadRequestException("Parameter shop is invalid.");
} }
if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp)) { String queryStr = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request))
.replaceQueryParam("hmac").build().getQuery();
if (!shopifyRequestValidator.verifyPermission(queryStr, hmac)) {
throw new ShopifyRequestVerifyException("This request parameters is invalid"); throw new ShopifyRequestVerifyException("This request parameters is invalid");
} }
ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop); ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
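Review bot: Dropping the `timestamp` request parameter from `shopifyStorePermission` leaves no freshness check at all — the HMAC still covers `timestamp` through `queryStr`, but nothing compares it to the clock, so a captured valid `/auth` URL can be replayed indefinitely (the removed code did not check it either, so this is a pre-existing gap that this rework was the natural place to close). Read it back and reject stale values, e.g. `long ts = Long.parseLong(request.getParameter("timestamp")); if (Math.abs(Instant.now().getEpochSecond() - ts) > 300) throw new ShopifyRequestVerifyException("timestamp out of range");`. Note also that `UriComponentsBuilder.fromHttpRequest(...).build()` treats the components as not yet encoded, so if a value contains percent-encoded characters the string that reaches the signature may differ from what Shopify signed; `build(true)`, or hashing the raw `request.getQueryString()` with `hmac` stripped, removes that ambiguity — I would confirm against a real redirect. Minor: the shop regex is recompiled on every request via `Pattern.matches`; a `static final Pattern` avoids that. The method body continues past the end of the hunk.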

@ -0,0 +1,25 @@
package au.com.royalpay.payment.manage.shopify.support;
import org.junit.jupiter.api.Test;
import org.springframework.web.util.UriComponentsBuilder;
import static org.junit.jupiter.api.Assertions.*;
class HmacVerificationUtilTest {
@Test
void checkParameters() {
String message = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=geek-test-shop.myshopify.com&timestamp=1648025715";
String key = "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";
String hmac = "803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc";
assert HmacVerificationUtil.hmacSHA256(message, key, hmac);
}
@Test
void testQuery() {
String base = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com";
String query = UriComponentsBuilder.fromUriString("/shopify/auth?hmac=803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc&host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com")
.replaceQueryParam("hmac").build().getQuery();
assertEquals(base, query);
}
}
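Review bot: `checkParameters` uses the Java `assert` statement rather than a JUnit assertion, so unless the build runs tests with `-ea` the HMAC check can return false and the test still passes; change it to `assertTrue(HmacVerificationUtil.hmacSHA256(message, key, hmac));`. The `key` fixture `shpss_...` has the shape of a real Shopify API secret; if it is one it should be rotated and replaced with a dummy, since it now lives in git history. `testQuery` pins that the request's parameter order is preserved (`host&timestamp&shop`) while `checkParameters` verifies the digest over the sorted `host&shop&timestamp`, so the two fixtures disagree about which string is actually hashed. A negative case (tampered `shop`, wrong `hmac`) would also catch the validator accepting too much.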