✨ [oauth] Add oauth hmac signature validation function (#147)

qw-in · web-flow · commit 0eca48d151b8 · 2022-06-28T09:47:56.000-07:00
* Working with ids

* Try _qs variant - even uglier

* Docs

* Split into two functions

* Clean up, document, and change name a bit

* Remove extra exports &amp; document safe characters

* Remove missed __all__ list
diff --git a/spylib/oauth/__init__.py b/spylib/oauth/__init__.py
@@ -4,11 +4,13 @@
     exchange_token,
 )
 from .models import OfflineTokenModel, OnlineTokenModel
+from .signature_validation import validate_signed_query_string
 
 __all__ = [
     'exchange_token',
     'exchange_offline_token',
     'exchange_online_token',
     'OfflineTokenModel',
     'OnlineTokenModel',
+    'validate_signed_query_string',
 ]
diff --git a/spylib/oauth/signature_validation.py b/spylib/oauth/signature_validation.py
@@ -0,0 +1,51 @@
+from json import dumps
+from typing import List, Optional, Tuple
+from urllib.parse import parse_qsl, urlencode
+
+from spylib.hmac import validate
+
+
+def validate_signed_query_string(query_string: str, *, api_secret_key: str):
+    """Validates that a query string has been signed by Shopify.
+
+    [Implements the parsing algorithm defined by Shopify here](https://shopify.dev/apps/auth/oauth/getting-started#step-7-verify-a-request).
+    Including the special case [`ids` parameter parsing](https://shopify.dev/apps/auth/oauth/getting-started#ids-array-parameter)
+
+
+    Args:
+        query_string: A valid query string. `hmac=123&test=456`
+        api_secret_key: The api secret key from Shopify partners.
+
+    Raises:
+        Exception: `ValueError`
+    """
+
+    signature: Optional[str] = None
+    query_params: List[Tuple[str, str]] = []
+
+    # I tried a number of options here to avoid doing
+    # manual parsing and string manipulation. `parse_qs`
+    # can work as long as you pass `doseq=True` & `quote_via=quote``
+    # to urlencode. It does not, however, handle the ids param.
+    # The code ended up being cleaner this way in one loop.
+
+    ids: List[str] = []
+    for key, value in parse_qsl(query_string, strict_parsing=True):
+        if key == 'hmac':
+            signature = value
+            continue
+        if key == 'ids[]':
+            if not ids:
+                query_params.append(('ids', ''))
+            ids.append(value)
+            continue
+        query_params.append((key, value))
+
+    # `safe` param via: https://stackoverflow.com/a/49244224
+    message = urlencode(query_params, safe=':/').replace('ids=', f'ids={dumps(ids)}')
+
+    validate(
+        sent_hmac=signature or '',
+        message=message,
+        secret=api_secret_key,
+    )
diff --git a/tests/oauth/test_signature_validation.py b/tests/oauth/test_signature_validation.py
@@ -0,0 +1,27 @@
+import pytest
+
+# Initially tested with real data generated by Shopify and
+# a valid secret key. Then once passing, swapped characters
+# in the query strings out with random & generated a new hmac
+# with a fake secret key.
+
+API_SECRET_KEY = 'fake_shopify123secret456key789'
+
+install = 'hmac=fe078eb09b2b418b5db8c4efd2093ccab0855f28b3bc7d99e14c4971cf4ae670&host=XbFtofRsfgmNkF7qz32ytwZKHeAy7LPosJhqt93&shop=example-store.myshopify.com&timestamp=1654212701'
+embedded = 'hmac=3ec71fde88e45edee545bd79ff92da068661ec6298dcfbfb9da8f357dc16729b&host=XbFtofRsfgmNkF7qz32ytwZKHeAy7LPosJhqt93&locale=en-CA&session=76ef4wam8rhmm4qdertc5z36qu42i349syobtivqua9ih6hh667akenccbcur9de&shop=example-store.myshopify.com&timestamp=1654212956'
+admin_link = 'hmac=38a63775f637952cfcd9ef387367fad7ab0ffec892061c383031aacbb5c881ed&host=XbFtofRsfgmNkF7qz32ytwZKHeAy7LPosJhqt93&id=4729471893592&locale=en-CA&session=76ef4wam8rhmm4qdertc5z36qu42i349syobtivqua9ih6hh667akenccbcur9de&shop=example-store.myshopify.com&timestamp=1654214567'
+bulk_link = 'hmac=c1de8aff907271dd12d191f9ba41f1080c630c8b223c7706341a2329f4df2c7f&host=XbFtofRsfgmNkF7qz32ytwZKHeAy7LPosJhqt93&ids%5B%5D=4729471893592&ids%5B%5D=4751729295448&ids%5B%5D=4751914860632&ids%5B%5D=4751918727256&ids%5B%5D=6752260456536&locale=en-CA&session=76ef4wam8rhmm4qdertc5z36qu42i349syobtivqua9ih6hh667akenccbcur9de&shop=example-store.myshopify.com&timestamp=1654214623'
+
+valid_params = [
+    pytest.param(install, API_SECRET_KEY, id='install'),
+    pytest.param(embedded, API_SECRET_KEY, id='embedded'),
+    pytest.param(admin_link, API_SECRET_KEY, id='admin link'),
+    pytest.param(bulk_link, API_SECRET_KEY, id='admin bulk link'),
+]
+
+
+@pytest.mark.parametrize('query_string,api_secret_key', valid_params)
+def test_signature_validation(query_string, api_secret_key):
+    from spylib.oauth import validate_signed_query_string
+
+    validate_signed_query_string(query_string=query_string, api_secret_key=api_secret_key)

Original file line number	Diff line number	Diff line change
`@@ -4,11 +4,13 @@`
`4`	`4`	`exchange_token,`
`5`	`5`	`)`
`6`	`6`	`from .models import OfflineTokenModel, OnlineTokenModel`
	`7`	`+from .signature_validation import validate_signed_query_string`
`7`	`8`
`8`	`9`	`__all__ = [`
`9`	`10`	`'exchange_token',`
`10`	`11`	`'exchange_offline_token',`
`11`	`12`	`'exchange_online_token',`
`12`	`13`	`'OfflineTokenModel',`
`13`	`14`	`'OnlineTokenModel',`
	`15`	`+ 'validate_signed_query_string',`
`14`	`16`	`]`