Sha256: 5027d9b272db696b53128e0533423467d05d34bbd20df1d160e49c1ce2596d0f
Contents?: true
Size: 1.07 KB
Versions: 8
Compression:
Stored size: 1.07 KB
Contents
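module ShopifyApp
  # Controller concern that authenticates app-proxy requests by checking the
  # HMAC-SHA256 `signature` query parameter against the app's shared secret.
  #
  # Including it skips the CSRF authenticity-token check and registers
  # `verify_proxy_request` as a before_action, so the signed query string is
  # the only authentication these actions get from this module.
  #
  # NOTE(review): only the signature is verified here; nothing in this module
  # checks how old a request is. If replayed requests matter for an action,
  # add a freshness check in the including controller.
  module AppProxyVerification
    extend ActiveSupport::Concern

    included do
      # Compare the numeric major version. The previous string comparison
      # (`Rails.version >= '5.0'`) is lexicographic, so a two-digit major
      # such as "10.0" would sort below "5.0" and take the legacy branch.
      if Rails::VERSION::MAJOR >= 5
        # raise: false keeps this from failing when the callback was never
        # defined on the including controller.
        skip_before_action :verify_authenticity_token, raise: false
      else
        skip_before_action :verify_authenticity_token
      end
      before_action :verify_proxy_request
    end

    # Halts the request with 401 Unauthorized unless the query string carries
    # a valid signature.
    def verify_proxy_request
      return head :unauthorized unless query_string_valid?(request.query_string)
    end

    private

    # @param query_string [String] raw query string of the incoming request
    # @return [Boolean] true only when the supplied signature matches the one
    #   computed over the remaining parameters
    def query_string_valid?(query_string)
      query_hash = Rack::Utils.parse_query(query_string)
      signature = query_hash.delete('signature')

      # A missing signature is nil; a repeated `signature` parameter is parsed
      # into an Array. Reject both here so the comparison below only ever sees
      # a String and a malformed request gets a 401 instead of an exception.
      return false unless signature.is_a?(String)

      # Constant-time comparison, so response timing does not reveal how much
      # of a guessed signature was correct.
      ActiveSupport::SecurityUtils.secure_compare(
        calculated_signature(query_hash),
        signature
      )
    end

    # Builds the expected signature: each parameter becomes "key=value"
    # (multiple values joined with ","), the pairs are sorted and concatenated
    # with no separator, and the result is HMAC-SHA256'd with the app secret.
    #
    # @param query_hash_without_signature [Hash] parsed query parameters with
    #   the `signature` entry already removed
    # @return [String] lowercase hex digest
    def calculated_signature(query_hash_without_signature)
      sorted_params = query_hash_without_signature
                      .map { |key, value| "#{key}=#{Array(value).join(',')}" }
                      .sort
                      .join

      OpenSSL::HMAC.hexdigest(
        OpenSSL::Digest.new('sha256'),
        ShopifyApp.configuration.secret,
        sorted_params
      )
    end
  end
end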