vienthuong / shopware-php-sdk

A PHP SDK for Shopware 6 Admin API
MIT License

GET Requests are not validated correctly #61

Closed bilobait-lohrmann closed 1 year ago

bilobait-lohrmann commented 1 year ago

Currently Shopware is using GET URLs with the parameters location-id and privileges; these parameters are missing in the validation function, therefore the calculated hashes are wrong. Following is a proposed fix in the file WebhookAuthenticator:

```php
// Method of the SDK's WebhookAuthenticator class; relies on the SDK's Shop class.
public static function authenticateGetRequest(string $shopSecret): bool
{
    $queryString = $_SERVER['QUERY_STRING'];
    $queries = [];

    parse_str($queryString, $queries);

    // Reject a request that lacks any parameter the signature has to cover,
    // instead of hashing undefined values.
    foreach (['shop-id', 'shop-url', 'timestamp', 'sw-version', 'shopware-shop-signature'] as $required) {
        if (!array_key_exists($required, $queries)) {
            return false;
        }
    }

    $shop = new Shop($queries['shop-id'], $queries['shop-url'], $shopSecret);

    // Base string: the parameters every signed GET request carries, in fixed order.
    $queryString = sprintf(
        'shop-id=%s&shop-url=%s&timestamp=%s&sw-version=%s',
        $shop->getShopId(),
        $shop->getShopUrl(),
        $queries['timestamp'],
        $queries['sw-version'],
    );

    // Language parameters are only part of the signed string when both are present.
    if (array_key_exists('sw-context-language', $queries) && array_key_exists('sw-user-language', $queries)) {
        $queryString = sprintf(
            'shop-id=%s&shop-url=%s&timestamp=%s&sw-version=%s&sw-context-language=%s&sw-user-language=%s',
            $shop->getShopId(),
            $shop->getShopUrl(),
            $queries['timestamp'],
            $queries['sw-version'],
            $queries['sw-context-language'],
            $queries['sw-user-language'],
        );
    }

    // Admin module parameters (location-id, privileges) are prepended to the signed string.
    if (array_key_exists('location-id', $queries) && array_key_exists('privileges', $queries)) {
        $queryString = sprintf(
            'location-id=%s&privileges=%s',
            $queries['location-id'],
            urlencode($queries['privileges'])
        ) . '&' . $queryString;
    }

    $hmac = \hash_hmac('sha256', htmlspecialchars_decode($queryString), $shopSecret);

    // Constant-time comparison against the signature the shop sent.
    return hash_equals($hmac, $queries['shopware-shop-signature']);
}
```
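The scheme the proposed fix implements, reproduced here in Python as an added example (not code from the SDK or from the issue author) so the canonical-string construction can be exercised from both sides: `build_signed_query` is a constructed sender, `authenticate_get_request` is the check, and `fixed=False` reproduces the pre-fix behaviour that left location-id and privileges out of the signed string. The htmlspecialchars_decode step is omitted, PHP's urlencode is approximated with quote_plus, and every parameter value is constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

REQUIRED = ("shop-id", "shop-url", "timestamp", "sw-version")
LANGUAGE = ("sw-context-language", "sw-user-language")
LOCATION = ("location-id", "privileges")


def parse_query(query_string: str) -> dict:
    # parse_qs percent-decodes like PHP's parse_str; keep the first value per key
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def canonical_query(q: dict) -> str:
    """Rebuild the signed string in the fixed order used by the proposed fix."""
    parts = [f"{k}={q[k]}" for k in REQUIRED]
    if all(k in q for k in LANGUAGE):
        parts += [f"{k}={q[k]}" for k in LANGUAGE]
    if all(k in q for k in LOCATION):
        # privileges is re-encoded (PHP urlencode) and the pair is prepended
        parts = [f"location-id={q['location-id']}",
                 f"privileges={quote_plus(q['privileges'], safe='')}"] + parts
    return "&".join(parts)


def sign(canonical: str, shop_secret: str) -> str:
    return hmac.new(shop_secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def build_signed_query(params: dict, shop_secret: str) -> str:
    """Constructed sender side: a GET query carrying the HMAC of the canonical string."""
    signature = sign(canonical_query(params), shop_secret)
    return urlencode({**params, "shopware-shop-signature": signature})


def authenticate_get_request(query_string: str, shop_secret: str, *, fixed: bool = True) -> bool:
    q = parse_query(query_string)
    if "shopware-shop-signature" not in q or any(k not in q for k in REQUIRED):
        return False  # missing input is a rejection, never an exception
    if not fixed:  # pre-fix behaviour: location-id and privileges were not signed
        q = {k: v for k, v in q.items() if k not in LOCATION}
    expected = sign(canonical_query(q), shop_secret)
    return hmac.compare_digest(expected, q["shopware-shop-signature"])


SECRET = "constructed-shop-secret"  # sample value, not a real secret
PARAMS = {"shop-id": "shop123", "shop-url": "https://shop.example", "timestamp": "1700000000",
          "sw-version": "6.5.0.0", "location-id": "sw-product-detail-example",
          "privileges": '["product:read"]'}  # constructed request parameters
```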
silverDuy commented 1 year ago

Hi @bilobait-lohrmann, thank you for your suggestion.

I have created this PR https://github.com/vienthuong/shopware-php-sdk/pull/71 to fix this issue.

vienthuong commented 1 year ago

Feel free to open in case there are any issues.