Merge branch 'production' into develop

3 years ago · 5f5a275be9
parent a5488d107d 9c10d05462
commit 5f5a275be9
6 changed files with 81 additions and 18 deletions
--- a/src/main/java/au/com/royalpay/payment/manage/WebConfiguration.java
+++ b/src/main/java/au/com/royalpay/payment/manage/WebConfiguration.java
@ -1,6 +1,8 @@
 package au.com.royalpay.payment.manage;

 import au.com.royalpay.payment.manage.permission.manager.ManagerUserInterceptor;
+import au.com.royalpay.payment.manage.shopify.support.ShopifyRequestInfoInterceptor;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@ -15,10 +17,15 @@ public class WebConfiguration implements WebMvcConfigurer {
    @Resource
    private ManagerUserInterceptor managerUserInterceptor;

+    @Bean
+    public ShopifyRequestInfoInterceptor shopifyRequestInfoInterceptor() {
+        return new ShopifyRequestInfoInterceptor();
+    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(managerUserInterceptor).order(1);
+        registry.addInterceptor(shopifyRequestInfoInterceptor());
    }


--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
@ -5,17 +5,14 @@ import au.com.royalpay.payment.manage.shopify.auth.domain.entity.ShopifyCommonPa
 import au.com.royalpay.payment.manage.shopify.auth.domain.entity.ShopifyPermissionURL;
 import au.com.royalpay.payment.manage.shopify.auth.domain.exception.ShopifyRequestVerifyException;
 import au.com.royalpay.payment.manage.shopify.auth.domain.service.ShopifyRequestValidator;
+import au.com.royalpay.payment.manage.shopify.support.ShopifyEndpoint;
 import au.com.royalpay.payment.tools.env.PlatformEnvironment;
 import au.com.royalpay.payment.tools.exceptions.BadRequestException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.servlet.view.RedirectView;
+import org.springframework.web.bind.annotation.*;

-import javax.servlet.http.HttpServletResponse;
 import java.util.regex.Pattern;

@Controller
@ -40,10 +37,10 @@ public class ShopifyAuthTemplateController {
     * @return
     */
    @GetMapping("/auth")
+    @ShopifyEndpoint
    public String shopifyStorePermission(@RequestParam("shop") String shop,
                                         @RequestParam("hmac") String hmac,
-                                         @RequestParam("timestamp") String timestamp,
-                                         HttpServletResponse response) {
+                                         @RequestParam("timestamp") String timestamp) {
        if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
            throw new BadRequestException("Parameter shop is invalid.");
        }
@ -51,7 +48,6 @@ public class ShopifyAuthTemplateController {
            throw new ShopifyRequestVerifyException("This request parameters is invalid");
        }
        ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
-        response.setHeader("content-security-policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
        return "redirect:" + shopifyPermissionURL.getUrl();
    }

@ -67,14 +63,13 @@ public class ShopifyAuthTemplateController {
     * @return
     */
    @GetMapping("/auth/back")
-    public RedirectView shopifyStoreAuthRedirect(@RequestParam("code") String code,
+    @ShopifyEndpoint
+    public String shopifyStoreAuthRedirect(@RequestParam("code") String code,
                                                 @RequestParam("hmac") String hmac,
                                                 @RequestParam("host") String host,
                                                 @RequestParam("state") String state,
                                                 @RequestParam("shop") String shop,
-                                                 @RequestParam("timestamp") String timestamp,
-                                                 HttpServletResponse response) {
-
+                                                 @RequestParam("timestamp") String timestamp) {
        if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
            throw new ShopifyRequestVerifyException("Parameter shop is invalid.");
        }
@ -97,8 +92,7 @@ public class ShopifyAuthTemplateController {
        }

        String redirectUri = PlatformEnvironment.getEnv().concatUrl("/auth.html#/shopify/login?code=" + code + "&hmac=" + hmac + "&host=" + host + "&state=" + state + "&shop=" + shop + "&timestamp=" + timestamp);
-        response.setHeader("content-security-policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
-        return new RedirectView(redirectUri);
+        return "redirect:" + redirectUri;
    }

 }
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
@ -7,6 +7,7 @@ import au.com.royalpay.payment.manage.shopify.hooks.command.ShopifyCustomerReque
 import au.com.royalpay.payment.manage.shopify.hooks.command.ShopifyShopRedactCommand;
 import au.com.royalpay.payment.manage.shopify.store.domain.entity.ShopifyStore;
 import au.com.royalpay.payment.manage.shopify.store.domain.service.ShopifyStoreService;
+import au.com.royalpay.payment.manage.shopify.support.ShopifyEndpoint;
 import au.com.royalpay.payment.manage.shopify.support.ShopifyHttpUtils;
 import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
@ -14,6 +15,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;

 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;

@Slf4j
@RestController
@ -31,8 +33,10 @@ public class ShopifyWebhooksController {
     *
     */
    @PostMapping("/customer/request")
+    @ShopifyEndpoint
    public void customerRequest(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
-                                HttpServletRequest request) {
+                                HttpServletRequest request,
+                                HttpServletResponse response) {
        String requestBody = ShopifyHttpUtils.getRequestBody(request);
        if (!shopifyRequestValidator.verify(requestBody, hmac)) {
            throw new ShopifyRequestVerifyException("Unauthorized");
@ -45,12 +49,15 @@ public class ShopifyWebhooksController {
     *
     */
    @PostMapping("/customer/erasure")
+    @ShopifyEndpoint
    public void customerRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
-                               HttpServletRequest request) {
+                                         HttpServletRequest request,
+                                         HttpServletResponse response) {
        String requestBody = ShopifyHttpUtils.getRequestBody(request);
        if (!shopifyRequestValidator.verify(requestBody, hmac)) {
            throw new ShopifyRequestVerifyException("Unauthorized");
        }
+
        ShopifyCustomerRedactCommand shopifyCustomerRedactCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRedactCommand.class);
    }

@ -59,12 +66,15 @@ public class ShopifyWebhooksController {
     *
     */
    @PostMapping("/shop/erasure")
+    @ShopifyEndpoint
    public void shopRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
-                           HttpServletRequest request) {
+                           HttpServletRequest request,
+                           HttpServletResponse response) {
        String requestBody = ShopifyHttpUtils.getRequestBody(request);
        if (!shopifyRequestValidator.verify(requestBody, hmac)) {
            throw new ShopifyRequestVerifyException("Unauthorized");
        }
+
        ShopifyShopRedactCommand shopifyShopRedactCommand = JSONObject.parseObject(requestBody, ShopifyShopRedactCommand.class);
        ShopifyStore shopifyShop = shopifyStoreService.getByShopifyShop(shopifyShopRedactCommand.getShop_domain());
        if (shopifyShop == null) {
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/support/ShopifyEndpoint.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/support/ShopifyEndpoint.java
@ -0,0 +1,9 @@
+package au.com.royalpay.payment.manage.shopify.support;
+
+import java.lang.annotation.*;
+
+@Documented
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD, ElementType.TYPE})
+public @interface ShopifyEndpoint {
+}
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/support/ShopifyRequestInfoInterceptor.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/support/ShopifyRequestInfoInterceptor.java
@ -0,0 +1,43 @@
+package au.com.royalpay.payment.manage.shopify.support;
+
+import com.alibaba.fastjson.JSONObject;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.core.annotation.AnnotatedElementUtils;
+import org.springframework.http.HttpMethod;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.lang.reflect.Method;
+
+public class ShopifyRequestInfoInterceptor extends HandlerInterceptorAdapter {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        Method method = ((HandlerMethod) handler).getMethod();
+
+        if(HttpMethod.GET.matches(request.getMethod())) {
+            if (AnnotatedElementUtils.isAnnotated(method, ShopifyEndpoint.class)) {
+                String shop = request.getParameter("shop");
+                if (StringUtils.isNotBlank(shop)) {
+                    response.addHeader("Content-Security-Policy", "frame-ancestors 'none'");
+                }
+            }
+        }
+
+        if (HttpMethod.POST.matches(request.getMethod())) {
+            if (AnnotatedElementUtils.isAnnotated(method, ShopifyEndpoint.class)) {
+                String requestBody = ShopifyHttpUtils.getRequestBody(request);
+                JSONObject body = JSONObject.parseObject(requestBody);
+                String shop = body.getString("shop_domain");
+                if (StringUtils.isNotBlank(shop)) {
+                    response.addHeader("Content-Security-Policy", "frame-ancestors 'none'");
+                }
+            }
+        }
+
+        return super.preHandle(request, response, handler);
+    }
+
+}
--- a/src/main/resources/application-dev.yml
+++ b/src/main/resources/application-dev.yml
@ -73,7 +73,7 @@ spring:
 app:
  run-tasks: false
  host:
-    main: https://1c6d-222-95-180-118.ngrok.io/
+    main: https://65e5-222-95-183-204.ngrok.io/
    regions:
      au: http://dalong-au.dev.rpaygroup.com/
      cn: http://dalong-au.dev.rpaygroup.com/