nozzlegear / ShopifySharp

ShopifySharp is a .NET library that helps developers easily authenticate with and manage Shopify stores.
https://nozzlegear.com/shopify-development-handbook
MIT License

Problem with authentication in 5.18.2 #781

Open davidkdb opened 2 years ago

davidkdb commented 2 years ago

Hi,

I think this happened in 5.18.2, and it's the same in 5.18.3. It worked in 5.17.0.

We're using .NET 3.1

public ActionResult App(string access)
{
    // Check if authentic
    var qs = _httpContextAccessor.HttpContext.Request.QueryString.Value;

    if (!(ShopifySharp.AuthorizationService.IsAuthenticRequest(qs, GlobalSettings.ShopifySecretKey)
        || ShopifySharp.AuthorizationService.IsAuthenticProxyRequest(qs, GlobalSettings.ShopifySecretKey)))
    {
        // ... failure branch; the rest of the action was not included in the report
    }
    // ... remainder of the action was not included in the report
}

The check always fail.

davidkdb commented 2 years ago

BTW: What I found was working is to get the Request.Headers into Kvps(), then find the referrer key, strip away the text (https....) before ?code= and feed this into IsAuthenticRequest.

So why does it not work when I feed all the headers without stripping away the https?

nozzlegear commented 2 years ago

Thanks for the report. Do you know which of the methods is failing? Those two methods use slightly different algorithms for verifying requests so it's possible that it's just one of them that's broken.

That said, I did just change how querystrings are parsed in 5.18.2 to fix a bug. Could you post some code showing how you're stripping the text before ?code=? Hopefully I can use that to narrow down the problem and write a test case for it.

davidkdb commented 2 years ago

Both methods are failing, since neither of them returns a positive result.

// Try to find the referer in headers, and strip away the text before ?code=
// (StringValues comes from Microsoft.Extensions.Primitives)
List<KeyValuePair<string, StringValues>> headers = Request.Headers.ToKvps();
string referer = "";
foreach (KeyValuePair<string, StringValues> item in headers)
{
    if (item.Key == "Referer")
    {
        referer = item.Value; // StringValues converts implicitly to string
        break;
    }
}

int foundAt = referer.IndexOf("?code=");
if (foundAt > -1)
{
    // Keep only "?code=...&hmac=..." and drop the scheme/host/path in front of it
    referer = referer.Substring(foundAt);
}

if (!(ShopifySharp.AuthorizationService.IsAuthenticRequest(referer, GlobalSettings.ShopifySecretKey)
    || ShopifySharp.AuthorizationService.IsAuthenticProxyRequest(referer, GlobalSettings.ShopifySecretKey)))
{
    // ... failure branch; the rest of the action was not included in the report
}
davidkdb commented 2 years ago

@nozzlegear This would probably never be the case with querystring, but the headers.

So it should be stripped when checking headers.
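To show why stripping the URL prefix matters, here is an added, self-contained C# example (not ShopifySharp's own code) of Shopify's documented querystring HMAC check: drop the hmac parameter, sort the remaining keys, join them as key=value pairs, and compare HMAC-SHA256 over that message with the app secret. The class, secret and callback values are constructed; the first call verifies, and the second, fed the full URL the way a Referer header carries it, fails because the scheme, host and path become part of the first key.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class ShopifyHmacDemo
{
    // Canonical message per Shopify's docs: drop "hmac", sort keys, join as key=value&... (no value escaping)
    static string Canonical(IEnumerable<KeyValuePair<string, string>> kvps) =>
        string.Join("&", kvps.Where(p => p.Key != "hmac")
                             .OrderBy(p => p.Key, StringComparer.Ordinal)
                             .Select(p => $"{p.Key}={p.Value}"));

    static string HexHmac(string message, string secret)
    {
        using var h = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(message)))
                           .Replace("-", "").ToLowerInvariant();
    }

    // Verify a querystring (leading '?' optional) against the app secret.
    public static bool IsAuthentic(string query, string secret)
    {
        var parsed = HttpUtility.ParseQueryString(query.TrimStart('?'));
        string received = parsed["hmac"];
        if (string.IsNullOrEmpty(received)) return false;
        var kvps = parsed.AllKeys.Where(k => k != null)
                                 .Select(k => new KeyValuePair<string, string>(k, parsed[k]));
        string expected = HexHmac(Canonical(kvps), secret);
        // Constant-time comparison of the two hex digests.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(received.ToLowerInvariant()));
    }

    public static void Main()
    {
        const string secret = "constructed-app-secret"; // placeholder, not a real secret
        var parameters = new Dictionary<string, string>  // constructed sample callback values
        {
            ["code"] = "0907a61c0c8d55e99db179b68161bc00",
            ["shop"] = "example.myshopify.com",
            ["timestamp"] = "1337178173",
        };
        string query = "?" + string.Join("&", parameters.Select(p => $"{p.Key}={p.Value}"))
                       + "&hmac=" + HexHmac(Canonical(parameters), secret);
        Console.WriteLine(IsAuthentic(query, secret));
        // With the full URL in front, the first key parses as "https://example.myshopify.com/app?code"
        Console.WriteLine(IsAuthentic("https://example.myshopify.com/app" + query, secret));
    }
}
```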

nozzlegear commented 2 years ago

Sorry, I'm a little confused. You're getting the querystring from the referrer header?

davidkdb commented 1 year ago

Yes, it does not seem to come in the querystring.

nozzlegear commented 1 year ago

That sounds kinda strange, it seems like something else might be altering your requests if the querystring isn't available on the request object. You can't use Request.Query and pass that to ShopifySharp instead?

Either way, are you able to copy/paste what the referrer header looks like before your code modifies it? There shouldn't be any danger posting it here as long as you don't post your Shopify secret key as well.