From b28aca3e44b7cb4bbe7f79243b831390fcd5ba9c Mon Sep 17 00:00:00 2001 From: ycfxx Date: Wed, 9 Feb 2022 11:20:33 +0800 Subject: [PATCH] upgrade shopify response Content-Security-Policy
---
 .../auth/web/ShopifyAuthTemplateController.java | 5 ++---
 .../shopify/hooks/ShopifyWebhooksController.java | 16 ++++++++--------
 2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
index 2d895a3f3..5b6dc3969 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
@@ -44,6 +44,7 @@ public class ShopifyAuthTemplateController {
 @RequestParam("hmac") String hmac,
 @RequestParam("timestamp") String timestamp,
 HttpServletResponse response) {
+ response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
 if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
 throw new BadRequestException("Parameter shop is invalid.");
 }
@@ -51,7 +52,6 @@ public class ShopifyAuthTemplateController {
 throw new ShopifyRequestVerifyException("This request parameters is invalid");
 }
 ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
- response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
 return "redirect:" + shopifyPermissionURL.getUrl();
 }
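Review bot: The added `response.setHeader(...)` in `@@ -44,6 +44,7 @@` now runs before the `Pattern.matches` check on `shop`, so the raw, unvalidated request parameter is written into a response header even on the `BadRequestException` path; `@@ -74,7 +74,7 @@` has the same ordering. Placing the header after the regex check keeps the header value restricted to the validated character set. Separately, the regex only accepts values that already end in `.myshopify.com`, yet the header appends `.myshopify.com` again, so for a shop of `foo.myshopify.com` (constructed example) `frame-ancestors` contains `https://foo.myshopify.com.myshopify.com`, which does not match the store origin; unless `shop` is stripped somewhere not visible here, the line should read `response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + " https://admin.shopify.com");`. The enclosing method's signature begins before the hunk.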
@@ -74,7 +74,7 @@ public class ShopifyAuthTemplateController {
 @RequestParam("shop") String shop,
 @RequestParam("timestamp") String timestamp,
 HttpServletResponse response) {
-
+ response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
 if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
 throw new ShopifyRequestVerifyException("Parameter shop is invalid.");
 }
@@ -97,7 +97,6 @@ public class ShopifyAuthTemplateController {
 }
 String redirectUri = PlatformEnvironment.getEnv().concatUrl("/auth.html#/shopify/login?code=" + code + "&hmac=" + hmac + "&host=" + host + "&state=" + state + "&shop=" + shop + "×tamp=" + timestamp);
- response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
 return "redirect:" + redirectUri;
 }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
index 17146091f..18f56d8e7 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
@@ -37,11 +37,11 @@ public class ShopifyWebhooksController {
 HttpServletRequest request,
 HttpServletResponse response) {
 String requestBody = ShopifyHttpUtils.getRequestBody(request);
+ ShopifyCustomerRequestCommand shopifyCustomerRequestCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRequestCommand.class);
+ response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRequestCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
 if (!shopifyRequestValidator.verify(requestBody, hmac)) {
 throw new ShopifyRequestVerifyException("Unauthorized");
 }
- ShopifyCustomerRequestCommand shopifyCustomerRequestCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRequestCommand.class);
- response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRequestCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
 }
 /**
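Review bot: In `@@ -37,11 +37,11 @@` the body is now deserialized with `JSONObject.parseObject` and its `shop_domain` is copied into the `Content-Security-Policy` header before `shopifyRequestValidator.verify(requestBody, hmac)` runs, so an unauthenticated caller's payload is both parsed and reflected into a response header; `@@ -49,16 +49,15 @@` and `@@ -70,15 +69,16 @@` have the same ordering. Verification needs only the raw `requestBody`, so the `parseObject` and `setHeader` lines can stay below the `if (!shopifyRequestValidator.verify(...))` block without losing the header on successful responses; if a header is also wanted on the failure path, emit a fixed value there that does not depend on the body. A malformed body now fails inside `parseObject` before `verify`, changing the exception the error handler sees, and a payload without `shop_domain` would render `https://null.myshopify.com` into the policy. Whether `getShop_domain()` already carries the `.myshopify.com` suffix is not visible here; if it does, the appended suffix is doubled. The enclosing method's signature is outside the hunk.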
@@ -49,16 +49,15 @@ public class ShopifyWebhooksController {
 * */
 @PostMapping("/customer/erasure")
- public ResponseEntity customerRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
+ public void customerRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
 HttpServletRequest request,
 HttpServletResponse response) {
 String requestBody = ShopifyHttpUtils.getRequestBody(request);
+ ShopifyCustomerRedactCommand shopifyCustomerRedactCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRedactCommand.class);
+ response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
 if (!shopifyRequestValidator.verify(requestBody, hmac)) {
 throw new ShopifyRequestVerifyException("Unauthorized");
 }
- ShopifyCustomerRedactCommand shopifyCustomerRedactCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRedactCommand.class);
- return ResponseEntity.ok().header("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com")
- .build();
 }
 /**
@@ -70,15 +69,16 @@ public class ShopifyWebhooksController {
 HttpServletRequest request,
 HttpServletResponse response) {
 String requestBody = ShopifyHttpUtils.getRequestBody(request);
+ ShopifyShopRedactCommand shopifyShopRedactCommand = JSONObject.parseObject(requestBody, ShopifyShopRedactCommand.class);
+ response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyShopRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
 if (!shopifyRequestValidator.verify(requestBody, hmac)) {
 throw new ShopifyRequestVerifyException("Unauthorized");
 }
- ShopifyShopRedactCommand shopifyShopRedactCommand = JSONObject.parseObject(requestBody, ShopifyShopRedactCommand.class);
+
 ShopifyStore shopifyShop = shopifyStoreService.getByShopifyShop(shopifyShopRedactCommand.getShop_domain());
 if (shopifyShop == null) {
 return;
 }
 shopifyStoreService.modifyShopifyStore(shopifyShop.setStatus(0));
- response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyShopRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
 }
 }