[WIP] - Function to authenticate flow requests

Shopify · Sep 8, 2023 · 09b8469 · 09b8469
1 parent b583318
commit 09b8469
Show file tree

Hide file tree

Showing 4 changed files with 108 additions and 0 deletions.
diff --git a/lib/flow/index.ts b/lib/flow/index.ts
@@ -0,0 +1,11 @@
+import {ConfigInterface} from '../base-types';
+
+import {validateFactory} from './validate';
+
+export function shopifyFlow(config: ConfigInterface) {
+  return {
+    validate: validateFactory(config),
+  };
+}
+
+export type ShopifyFlow = ReturnType<typeof shopifyFlow>;
diff --git a/lib/flow/types.ts b/lib/flow/types.ts
@@ -0,0 +1,20 @@
+import {AdapterArgs} from '../../runtime/types';
+
+export interface FlowValidateParams extends AdapterArgs {
+  rawBody: string;
+}
+
+export enum FlowValidationErrorReason {
+  MissingBody = 'missing_body',
+  MissingHmac = 'missing_hmac',
+  InvalidHmac = 'invalid_hmac',
+}
+
+export interface FlowValidationInvalid {
+  valid: false;
+  reason: FlowValidationErrorReason;
+}
+
+export interface FlowValidationValid {
+  valid: true;
+}
diff --git a/lib/flow/validate.ts b/lib/flow/validate.ts
@@ -0,0 +1,74 @@
+import {abstractConvertRequest, getHeader} from '../../runtime/http';
+import {createSHA256HMAC} from '../../runtime/crypto';
+import {HashFormat} from '../../runtime/crypto/types';
+import {ConfigInterface} from '../base-types';
+import {safeCompare} from '../auth/oauth/safe-compare';
+import {logger} from '../logger';
+
+import {
+  FlowValidateParams,
+  FlowValidationInvalid,
+  FlowValidationValid,
+  FlowValidationErrorReason,
+} from './types';
+
+export function validateFactory(config: ConfigInterface) {
+  return async function validate({
+    rawBody,
+    ...adapterArgs
+  }: FlowValidateParams): Promise<FlowValidationInvalid | FlowValidationValid> {
+    const request = await abstractConvertRequest(adapterArgs);
+
+    if (!rawBody.length) {
+      fail(FlowValidationErrorReason.MissingBody, config);
+    }
+
+    const hmac = getHeader(request.headers, 'hmac');
+
+    if (!hmac) {
+      return fail(FlowValidationErrorReason.MissingHmac, config);
+    }
+
+    if (await hmacIsValid(config.apiSecretKey, rawBody, hmac)) {
+      return succeed(config);
+    }
+
+    return fail(FlowValidationErrorReason.InvalidHmac, config);
+  };
+}
+
+async function fail(
+  reason: FlowValidationErrorReason,
+  config: ConfigInterface,
+): Promise<FlowValidationInvalid> {
+  const log = logger(config);
+  await log.debug('Flow request is not valid');
+
+  return {
+    valid: false,
+    reason,
+  };
+}
+
+async function succeed(config: ConfigInterface): Promise<FlowValidationValid> {
+  const log = logger(config);
+  await log.debug('Flow request is not valid');
+
+  return {
+    valid: true,
+  };
+}
+
+async function hmacIsValid(
+  secret: string,
+  rawBody: string,
+  hmac: string,
+): Promise<boolean> {
+  const generatedHash = await createSHA256HMAC(
+    secret,
+    rawBody,
+    HashFormat.Base64,
+  );
+
+  return safeCompare(generatedHash, hmac);
+}
diff --git a/lib/index.ts b/lib/index.ts
@@ -15,6 +15,7 @@ import {shopifyWebhooks, ShopifyWebhooks} from './webhooks';
 import {shopifyBilling, ShopifyBilling} from './billing';
 import {logger, ShopifyLogger} from './logger';
 import {SHOPIFY_API_LIBRARY_VERSION} from './version';
+import {ShopifyFlow, shopifyFlow} from './flow';
 
 export * from './error';
 export * from './session/classes';
@@ -44,6 +45,7 @@ export interface Shopify<
   billing: ShopifyBilling;
   logger: ShopifyLogger;
   rest: T;
+  flow: ShopifyFlow;
 }
 
 export function shopifyApi<T extends ShopifyRestResources>(
@@ -62,6 +64,7 @@ export function shopifyApi<T extends ShopifyRestResources>(
     billing: shopifyBilling(validatedConfig),
     logger: logger(validatedConfig),
     rest: {} as T,
+    flow: shopifyFlow(validatedConfig),
   };
 
   if (restResources) {