package shopify
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
"os"
"regexp"
"strings"
"time"
"github.com/markbates/goth"
)
// shopifyHostnameRegex is the pattern Authorize applies to the "shop" callback
// parameter. It accepts dot-separated labels made of ASCII letters, digits and
// inner hyphens, i.e. generic hostname syntax; it does not pin the value to any
// particular domain suffix.
// NOTE(review): Shopify shop domains normally end in myshopify.com — confirm
// whether callers rely on a stricter suffix check elsewhere.
const shopifyHostnameRegex = `^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$`
// Session stores data during the auth process with Shopify.
//
// The struct carries no json tags, so Marshal (and therefore String) serialises
// every field below under its Go name, AccessToken and HMAC included.
type Session struct {
	// AuthURL is what GetAuthURL returns; an empty value makes GetAuthURL fail.
	AuthURL string
	// AccessToken is set by Authorize from the exchanged token. It is a bearer
	// credential and should be handled as a secret wherever the session is stored.
	AccessToken string
	// Hostname is set by Authorize from the "hostname" callback parameter.
	Hostname string
	// HMAC is set by Authorize from the "hmac" callback parameter.
	HMAC string
	// ExpiresAt is not assigned by any of the methods visible in this file.
	ExpiresAt time.Time
}

// Compile-time check that *Session satisfies the goth.Session interface.
var _ goth.Session = &Session{}
// GetAuthURL returns the authorization URL stored on the session (set by the
// Shopify provider's `BeginAuth`). If no URL has been stored it returns an
// error carrying goth.NoAuthUrlErrorMessage.
func (s Session) GetAuthURL() (string, error) {
	if url := s.AuthURL; url != "" {
		return url, nil
	}
	return "", errors.New(goth.NoAuthUrlErrorMessage)
}
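// Authorize verifies the callback parameters received from Shopify, exchanges
// the authorization code for an access token, stores the token on the session
// and returns it.
//
// The callback is accepted only when the "hmac" parameter equals an HMAC-SHA256
// computed over code, shop, state and timestamp with the SHOPIFY_SECRET
// environment variable as key, and the "shop" parameter matches
// shopifyHostnameRegex. An error is returned when either check fails, when the
// secret is unset, when provider is not a *Provider, or when the token exchange
// fails or yields an invalid token.
func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string, error) {
	// Fail closed: with an empty key anyone could compute a matching HMAC.
	secret := os.Getenv("SHOPIFY_SECRET")
	if secret == "" {
		return "", errors.New("SHOPIFY_SECRET is not set")
	}

	// Validate the incoming HMAC is valid.
	// See: https://help.shopify.com/en/api/getting-started/authentication/oauth#verification
	// NOTE(review): timestamp and state are covered by the HMAC, but this
	// method neither checks the timestamp's age nor compares state with the
	// value issued when the flow began — confirm a caller does.
	digest := fmt.Sprintf(
		"code=%s&shop=%s&state=%s&timestamp=%s",
		params.Get("code"),
		params.Get("shop"),
		params.Get("state"),
		params.Get("timestamp"),
	)
	h := hmac.New(sha256.New, []byte(secret))
	h.Write([]byte(digest))
	expected := hex.EncodeToString(h.Sum(nil))

	// Ensure the HMACs match. hmac.Equal compares in constant time, so the
	// response time does not reveal how many leading characters were correct.
	if !hmac.Equal([]byte(expected), []byte(params.Get("hmac"))) {
		return "", errors.New("Invalid HMAC received")
	}

	// Validate the hostname matches what we're expecting.
	// See: https://help.shopify.com/en/api/getting-started/authentication/oauth#step-3-confirm-installation
	re := regexp.MustCompile(shopifyHostnameRegex)
	if !re.MatchString(params.Get("shop")) {
		return "", errors.New("Invalid hostname received")
	}

	// A checked assertion turns a wrong provider type into an error instead of
	// a panic.
	p, ok := provider.(*Provider)
	if !ok {
		return "", errors.New("provider is not a Shopify provider")
	}

	// Make the exchange for an access token.
	token, err := p.config.Exchange(goth.ContextForClient(p.Client()), params.Get("code"))
	if err != nil {
		return "", err
	}

	// Ensure it's valid.
	if !token.Valid() {
		return "", errors.New("Invalid token received from provider")
	}

	s.AccessToken = token.AccessToken
	// NOTE(review): the parameter validated above is "shop"; "hostname" is
	// neither part of the HMAC digest nor matched against the regex. Confirm
	// this is the intended key before trusting s.Hostname.
	s.Hostname = params.Get("hostname")
	s.HMAC = params.Get("hmac")

	return token.AccessToken, nil
}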
// Marshal returns the session encoded as a JSON string. Every field of Session
// is included, AccessToken among them, so the result should be protected like
// the token itself wherever it is persisted.
func (s Session) Marshal() string {
	// The encoding error is discarded; if json.Marshal fails the result is "".
	encoded, _ := json.Marshal(s)
	return string(encoded)
}
// String returns the same JSON encoding as Marshal. Because it makes Session a
// fmt.Stringer, printing or logging a Session with the fmt verbs that honour
// String() emits the AccessToken as well.
func (s Session) String() string {
	serialized := s.Marshal()
	return serialized
}
// UnmarshalSession decodes a JSON string into a new Session and returns it
// together with any decoding error. The returned session is non-nil even when
// decoding fails, so callers must check the error before using it. Only the
// first JSON value in data is decoded.
func (p *Provider) UnmarshalSession(data string) (goth.Session, error) {
	var sess Session
	decodeErr := json.NewDecoder(strings.NewReader(data)).Decode(&sess)
	return &sess, decodeErr
}