search

ctrlaltdylan / shopify-nextjs-toolbox

A set of tools to authenticate NextJs apps with Shopify's OAuth handshake and AppBridge Session Tokens
161 stars 21 forks source link

Feature/verify webhook middleware. #4

Closed devopsangel closed 3 years ago

devopsangel commented 3 years ago

I hope that will fit to implementation.

ctrlaltdylan commented 3 years ago

I'm going to need some time to test this before I merge.

I'm also not sure if Shopify quilt provides this middleware too so we wouldn't necessarily have to include it.

devopsangel commented 3 years ago

Currently, I am handling webhooks that way. Which quilt middleware are you referring?

I am aware only koa-shopify-webhooks where I used before. I could not stick that node middleware...

const { receiveWebhook } = require('@shopify/koa-shopify-webhooks');

const webhook = receiveWebhook({
        secret: SHOPIFY_API_SECRET_KEY,
    });
    const router = new Router({ prefix: '/webhooks' });

    // app/uninstalled
    router.post('/app/uninstalled', webhook, async (ctx) => {
        const shop = ctx.request.header['x-shopify-shop-domain'];
        console.log(`> [INFO] Received webhook(post) -- shop <${shop}>`);

        await appUninstall({ shop });
        ctx.statusCode = 200;
        ctx.body = '';
    });
devopsangel commented 3 years ago

Tested further and found one thing I did not realize. rawBody comes after bodyParser() middleware so currently that filed does not exist in request. So it does not calculate hmac properly. 

const generatedHmac = await createHmac('sha256', SHOPIFY_API_PRIVATE_KEY)
                .update(rawBody, 'utf8')
                .digest('base64');

open to your suggestion how to add verifyWebhook middleware.

devopsangel commented 3 years ago

Added commit to handle properly rawBody. Open for suggestion how to handle that may be differently. It seems loosing the body .... with that implementation.

Tested .....

event - compiled successfully
> [INFO] Received webhook(app/uninstalled) -- shop <zoobuilder.myshopify.com>
Verify: jR4ZDM72gYWJQtQwwlvHnyeHNP5m0xs3Z2= === jR4ZDM72gYWJQtQwwlvHnyeHNP5m0xs3Z2=
ctrlaltdylan commented 3 years ago

I was referring to https://github.com/Shopify/quilt but it seems like all middleware Koa specific and not Connect compatible. So disregard that comment. Looks like we'll have to make Connect compatible middleware to be Next.js compatible.

Just a couple of issues:

  1. This branch was made off of your other PR branch and instead of master
  2. The middleware exports a config that is needed in the Next.JS API handler itself, I think this should be purely middleware.
  3. There is no documentation for end user use
  4. There are no tests (I'm adding a test runner and example)

So I'll work on task 4 and have an example spec to work off of.

devopsangel commented 3 years ago

Yep, it is not compatible with quilt.

  1. Yeah it seems I made feature/verify-webhook out of the master where I pushed first PR.
  2. agree should be pure middleware. I am still having issue with it. Some reference what I tried https://github.com/vercel/next.js/discussions/13405
  3. docs there unless u want to expand it more.

I am going to cancel that PR I still need to make it work properly.