msb_52843
/
dalong_mall
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

upgrade shopify response Content-Security-Policy

Browse Source
master
ycfxx 3 years ago
parent cf1529b2f5
commit b28aca3e44
2 changed files with 10 additions and 11 deletions
Show Stats Download Patch File Download Diff File

5
src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
Unescape View File

@ -44,6 +44,7 @@ public class ShopifyAuthTemplateController {
@RequestParam("hmac") String hmac, @RequestParam("hmac") String hmac,
@RequestParam("timestamp") String timestamp, @RequestParam("timestamp") String timestamp,
HttpServletResponse response) { HttpServletResponse response) {
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) { if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
throw new BadRequestException("Parameter shop is invalid."); throw new BadRequestException("Parameter shop is invalid.");
} }
@ -51,7 +52,6 @@ public class ShopifyAuthTemplateController {
throw new ShopifyRequestVerifyException("This request parameters is invalid"); throw new ShopifyRequestVerifyException("This request parameters is invalid");
} }
ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop); ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
return "redirect:" + shopifyPermissionURL.getUrl(); return "redirect:" + shopifyPermissionURL.getUrl();
} }
@ -74,7 +74,7 @@ public class ShopifyAuthTemplateController {
@RequestParam("shop") String shop, @RequestParam("shop") String shop,
@RequestParam("timestamp") String timestamp, @RequestParam("timestamp") String timestamp,
HttpServletResponse response) { HttpServletResponse response) {
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) { if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
throw new ShopifyRequestVerifyException("Parameter shop is invalid."); throw new ShopifyRequestVerifyException("Parameter shop is invalid.");
} }
@ -97,7 +97,6 @@ public class ShopifyAuthTemplateController {
} }
String redirectUri = PlatformEnvironment.getEnv().concatUrl("/auth.html#/shopify/login?code=" + code + "&hmac=" + hmac + "&host=" + host + "&state=" + state + "&shop=" + shop + "&timestamp=" + timestamp); String redirectUri = PlatformEnvironment.getEnv().concatUrl("/auth.html#/shopify/login?code=" + code + "&hmac=" + hmac + "&host=" + host + "&state=" + state + "&shop=" + shop + "&timestamp=" + timestamp);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shop + ".myshopify.com https://admin.shopify.com");
return "redirect:" + redirectUri; return "redirect:" + redirectUri;
} }

16
src/main/java/au/com/royalpay/payment/manage/shopify/hooks/ShopifyWebhooksController.java
Unescape View File

@ -37,11 +37,11 @@ public class ShopifyWebhooksController {
HttpServletRequest request, HttpServletRequest request,
HttpServletResponse response) { HttpServletResponse response) {
String requestBody = ShopifyHttpUtils.getRequestBody(request); String requestBody = ShopifyHttpUtils.getRequestBody(request);
ShopifyCustomerRequestCommand shopifyCustomerRequestCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRequestCommand.class);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRequestCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
if (!shopifyRequestValidator.verify(requestBody, hmac)) { if (!shopifyRequestValidator.verify(requestBody, hmac)) {
throw new ShopifyRequestVerifyException("Unauthorized"); throw new ShopifyRequestVerifyException("Unauthorized");
} }
ShopifyCustomerRequestCommand shopifyCustomerRequestCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRequestCommand.class);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRequestCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
} }
/** /**
@ -49,16 +49,15 @@ public class ShopifyWebhooksController {
* *
*/ */
@PostMapping("/customer/erasure") @PostMapping("/customer/erasure")
public ResponseEntity<Void> customerRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac, public void customerRedact(@RequestHeader("X-Shopify-Hmac-SHA256") String hmac,
HttpServletRequest request, HttpServletRequest request,
HttpServletResponse response) { HttpServletResponse response) {
String requestBody = ShopifyHttpUtils.getRequestBody(request); String requestBody = ShopifyHttpUtils.getRequestBody(request);
ShopifyCustomerRedactCommand shopifyCustomerRedactCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRedactCommand.class);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
if (!shopifyRequestValidator.verify(requestBody, hmac)) { if (!shopifyRequestValidator.verify(requestBody, hmac)) {
throw new ShopifyRequestVerifyException("Unauthorized"); throw new ShopifyRequestVerifyException("Unauthorized");
} }
ShopifyCustomerRedactCommand shopifyCustomerRedactCommand = JSONObject.parseObject(requestBody, ShopifyCustomerRedactCommand.class);
return ResponseEntity.ok().header("Content-Security-Policy", "frame-ancestors https://" + shopifyCustomerRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com")
.build();
} }
/** /**
@ -70,15 +69,16 @@ public class ShopifyWebhooksController {
HttpServletRequest request, HttpServletRequest request,
HttpServletResponse response) { HttpServletResponse response) {
String requestBody = ShopifyHttpUtils.getRequestBody(request); String requestBody = ShopifyHttpUtils.getRequestBody(request);
ShopifyShopRedactCommand shopifyShopRedactCommand = JSONObject.parseObject(requestBody, ShopifyShopRedactCommand.class);
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyShopRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
if (!shopifyRequestValidator.verify(requestBody, hmac)) { if (!shopifyRequestValidator.verify(requestBody, hmac)) {
throw new ShopifyRequestVerifyException("Unauthorized"); throw new ShopifyRequestVerifyException("Unauthorized");
} }
ShopifyShopRedactCommand shopifyShopRedactCommand = JSONObject.parseObject(requestBody, ShopifyShopRedactCommand.class);
ShopifyStore shopifyShop = shopifyStoreService.getByShopifyShop(shopifyShopRedactCommand.getShop_domain()); ShopifyStore shopifyShop = shopifyStoreService.getByShopifyShop(shopifyShopRedactCommand.getShop_domain());
if (shopifyShop == null) { if (shopifyShop == null) {
return; return;
} }
shopifyStoreService.modifyShopifyStore(shopifyShop.setStatus(0)); shopifyStoreService.modifyShopifyStore(shopifyShop.setStatus(0));
response.setHeader("Content-Security-Policy", "frame-ancestors https://" + shopifyShopRedactCommand.getShop_domain() + ".myshopify.com https://admin.shopify.com");
} }
} }

Write Preview
Loading…
Cancel
Save