Skip to content
This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

Don't include extra params when calculating local hmac #196

Merged
merged 5 commits into from
Jun 11, 2021
Merged

Don't include extra params when calculating local hmac #196

merged 5 commits into from
Jun 11, 2021

Conversation

t-kelly
Copy link
Contributor

@t-kelly t-kelly commented Jun 11, 2021

WHY are these changes introduced?

Encountered a situation where the returned query contained an extra key:value (shopify: ['callback']) which was then added to the local HMAC querystring and resulted in a false match and broken auth flow.

WHAT is this pull request doing?

This change makes sure we are only passing the key:values we want when creating the local hmac.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

@t-kelly t-kelly requested a review from paulomarg June 11, 2021 01:38
@t-kelly t-kelly self-assigned this Jun 11, 2021
@t-kelly t-kelly requested a review from a team as a code owner June 11, 2021 01:38
paulomarg
paulomarg approved these changes Jun 11, 2021
View reviewed changes
Copy link
Contributor

@paulomarg paulomarg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing, thank you for this! I had a question around host, but once that's resolved I'm happy for this to be merged.

src/utils/hmac-validator.ts Outdated Show resolved Hide resolved
@paulomarg
Copy link
Contributor

We got some nice CI errors (I think we're not expecting the host to be in the AuthQuery type).

Just checking: did you make sure that the hash matches on an actual request with the host?

paulomarg
paulomarg reviewed Jun 11, 2021
View reviewed changes
src/auth/oauth/types.ts Outdated
shopify?: string[];
}

export interface LocalHmacQuery {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the extra type here? We'll just ignore fields that we don't care about, so it wouldn't hurt to just use AuthQuery instead, would it?

src/utils/hmac-validator.ts Outdated
const {hmac, code, timestamp, state, shop} = query;
const localHmac = generateLocalHmac({code, timestamp, state, shop});
const {hmac, code, timestamp, state, shop, host} = query;
const localHmac = generateLocalHmac({code, timestamp, state, shop, ...host && {host}});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also realized that we might want to do this in generateLocalHmac instead, to make sure we're always filtering out the keys we don't want.

@t-kelly t-kelly merged commit 8be97dc into main Jun 11, 2021
@t-kelly t-kelly deleted the dont-include-extra-params-hmac branch June 11, 2021 14:58
@shopify-shipit shopify-shipit bot temporarily deployed to production June 11, 2021 17:36 Inactive
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@paulomarg paulomarg paulomarg approved these changes

Assignees

@t-kelly t-kelly

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@t-kelly @paulomarg