Skip to content
This repository was archived by the owner on Apr 11, 2024. It is now read-only.

Add Hmac timestamp validation on OAuth#671

Merged
cquemin merged 5 commits intomainfrom
cqu/hmac_timestamp_validation
Jan 10, 2023
Merged

Add Hmac timestamp validation on OAuth#671
cquemin merged 5 commits intomainfrom
cqu/hmac_timestamp_validation

Conversation

@cquemin
Copy link
Copy Markdown
Contributor

@cquemin cquemin commented Jan 6, 2023

WHY are these changes introduced?

Fixes #570 #570

During the OAuth flow we receive an HMAC that has been computer over URL parameters. One of them is a timestamp. This timestamp wasn't validated therefore allowing potential replay attack to occur.

WHAT is this pull request doing?

This PR add timestamp validation to ensure the submitted timestamp is within a reasonable windows in the past or in the future
The tolerance should be big enough that it doesn't break anything. However if servers are widely desynchronized then this may be an issue, arguably something that 3p should fix. But does it means this should be a breaking change on our end?

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

@cquemin cquemin requested a review from a team as a code owner January 6, 2023 19:46
paulomarg
paulomarg reviewed Jan 6, 2023
View reviewed changes
Comment thread lib/utils/hmac-validator.ts Outdated
paulomarg
paulomarg approved these changes Jan 6, 2023
View reviewed changes
Comment thread lib/utils/hmac-validator.ts
paulomarg
paulomarg reviewed Jan 6, 2023
View reviewed changes
Comment thread lib/utils/hmac-validator.ts Outdated
paulomarg
paulomarg approved these changes Jan 10, 2023
View reviewed changes
Comment thread lib/utils/__tests__/hmac-validator.test.ts
);
});

test('hmac with timestamp more than 10 seconds in the future throws InvalidHmacError', async () => {
Copy link
Copy Markdown
Contributor

@paulomarg paulomarg Jan 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: it's no longer 10 seconds :)

Comment thread lib/utils/hmac-validator.ts
@cquemin cquemin merged commit 21696ab into main Jan 10, 2023
@cquemin cquemin deleted the cqu/hmac_timestamp_validation branch January 10, 2023 22:59
@shopify-shipit shopify-shipit Bot temporarily deployed to production February 15, 2023 16:49 Inactive
@cquemin cquemin mentioned this pull request Mar 28, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@paulomarg paulomarg paulomarg approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Validating the timestamp value during oauth

2 participants

@cquemin @paulomarg