Shopify / omniauth-shopify-oauth2

Shopify OAuth2 Strategy for OmniAuth 1.0
http://shopify.github.io/omniauth-shopify-oauth2

Validate HMAC signature during callback phase #21

Closed mkdynamic closed 9 years ago

mkdynamic commented 9 years ago

As per: http://docs.shopify.com/api/authentication/oauth#verification

dylanahsmith commented 9 years ago

I'm sorry that this pull request got neglected. I've started watching this repo to try to avoid important pull requests being neglected in the future.

I've opened pull request #26 to address this because

  1. Our documentation wasn't accurate about when sorting took place, which has been fixed. The key-value pair `#{key}=#{value}` is sorted, not just the keys, which can affect the order (e.g. the keys `key` and `key1` wouldn't get ordered properly by just sorting the keys)
  2. We have since added escaping of delimiters like `&` to avoid transformations of the params after signing that wouldn't affect the signature. The documentation has been updated to reflect that.
  3. We already have implementations of HMAC signature calculation in Shopify and verification in the shopify_api gem, so it makes sense to copy that code to make sure it is accurate
  4. The test suite was badly in need of improvement to avoid more regressions, so I wanted to base tests for this on pull request #24

Thanks for your contribution.
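An added Ruby illustration of the verification scheme the comment above describes (not code from this gem, from shopify_api, or from either commenter): the `hmac` param is removed, `%`, `&` and `=` delimiters are escaped, the joined `key=value` strings (not the bare keys) are sorted, the result is HMAC-SHA256'd with the app secret and compared in constant time. A deliberately naive `naive_message` (keys-only sort, no escaping) is included to show both pitfalls the comment lists. The module name, method names, secret and parameter values are all constructed for the example.

```ruby
require 'openssl'

# Example verifier, not the gem's implementation.
module ShopifyHmacExample
  # '%' is escaped first so that existing escapes cannot be confused with
  # the ones added here. '&' is escaped in keys and values, '=' only in keys,
  # because those are the two characters used as delimiters when joining.
  def self.escape_key(key)
    key.to_s.gsub('%', '%25').gsub('&', '%26').gsub('=', '%3D')
  end

  def self.escape_value(value)
    value.to_s.gsub('%', '%25').gsub('&', '%26')
  end

  # The exact string that is signed: drop the signature params, escape,
  # sort the joined "key=value" strings, join with '&'.
  def self.message_for_signature(params)
    params
      .reject { |k, _| k == 'hmac' || k == 'signature' }
      .map { |k, v| "#{escape_key(k)}=#{escape_value(v)}" }
      .sort
      .join('&')
  end

  # Naive variant: sorts by key only and does no escaping. Included to show
  # why the comment insists on sorting the pairs and escaping delimiters.
  def self.naive_message(params)
    params
      .reject { |k, _| k == 'hmac' }
      .sort_by { |k, _| k.to_s }
      .map { |k, v| "#{k}=#{v}" }
      .join('&')
  end

  def self.hmac_sign(message, secret)
    OpenSSL::HMAC.hexdigest('sha256', secret, message)
  end

  # Constant-time comparison so that a byte-by-byte early exit cannot leak
  # how many leading hex digits of the expected digest were guessed.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end

  # True only if the supplied hmac matches the digest over the canonical
  # message. A missing or non-string hmac is rejected outright.
  def self.valid_signature?(params, secret)
    supplied = params['hmac']
    return false unless supplied.is_a?(String)
    expected = hmac_sign(message_for_signature(params), secret)
    secure_compare(expected, supplied)
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-example-secret' # not a real credential
  params = { 'code' => 'abc123', 'shop' => 'example.myshopify.com', 'timestamp' => '1409617544' }
  params['hmac'] = ShopifyHmacExample.hmac_sign(ShopifyHmacExample.message_for_signature(params), secret)
  puts ShopifyHmacExample.valid_signature?(params, secret)
  # Pair sort vs key sort: 'key1=b' sorts before 'key=a' because '1' < '='.
  puts ShopifyHmacExample.message_for_signature('key' => 'a', 'key1' => 'b')
  puts ShopifyHmacExample.naive_message('key' => 'a', 'key1' => 'b')
  # Without escaping, two different param sets sign identically.
  puts ShopifyHmacExample.naive_message('a' => '1&b=2') == ShopifyHmacExample.naive_message('a' => '1', 'b' => '2')
end
```

The escaping matters because `{'a' => '1&b=2'}` and `{'a' => '1', 'b' => '2'}` both flatten to `a=1&b=2` when nothing is escaped, so a signature over one would verify for the other; with `&` escaped to `%26` the two messages differ.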

mkdynamic commented 9 years ago

@dylanahsmith No worries, thanks for the update.