Class: OmniAuth::Strategies::Shopify

Inherits:
OAuth2
  • Object
show all
Defined in:
lib/omniauth/strategies/shopify.rb

Constant Summary collapse

DEFAULT_SCOPE =

Available scopes: content themes products customers orders script_tags shipping read_* or write_*

'read_products'
SCOPE_DELIMITER =
','
MINUTE =
60
CODE_EXPIRES_AFTER =
10 * MINUTE

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.encoded_params_for_signature(params) ⇒ Object



89
90
91
92
93
94
# File 'lib/omniauth/strategies/shopify.rb', line 89

def self.encoded_params_for_signature(params)
  params = params.dup
  params.delete('hmac')
  params.delete('signature') # deprecated signature
  Rack::Utils.build_query(params.sort)
end

.hmac_sign(encoded_params, secret) ⇒ Object



96
97
98
# File 'lib/omniauth/strategies/shopify.rb', line 96

def self.hmac_sign(encoded_params, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, encoded_params)
end

Instance Method Details

#authorize_paramsObject



147
148
149
150
151
152
# File 'lib/omniauth/strategies/shopify.rb', line 147

def authorize_params
  super.tap do |params|
    params[:scope] = normalized_scopes(params[:scope] || DEFAULT_SCOPE).join(SCOPE_DELIMITER)
    params[:grant_options] = ['per-user'] if options[:per_user_permissions]
  end
end

#build_access_tokenObject



143
144
145
# File 'lib/omniauth/strategies/shopify.rb', line 143

def build_access_token
  @built_access_token ||= super
end

#callback_phaseObject



126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
# File 'lib/omniauth/strategies/shopify.rb', line 126

def callback_phase
  return fail!(:invalid_site, CallbackError.new(:invalid_site, "OAuth endpoint is not a myshopify site.")) unless valid_site?
  return fail!(:invalid_signature, CallbackError.new(:invalid_signature, "Signature does not match, it may have been tampered with.")) unless valid_signature?

  token = build_access_token
  unless valid_scope?(token)
    return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
  end
  unless valid_permissions?(token)
    return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
  end

  super
rescue ::OAuth2::Error => e
  fail!(:invalid_credentials, e)
end

#callback_urlObject



154
155
156
# File 'lib/omniauth/strategies/shopify.rb', line 154

def callback_url
  options[:callback_url] || full_host + script_name + callback_path
end

#fix_httpsObject



109
110
111
# File 'lib/omniauth/strategies/shopify.rb', line 109

def fix_https
  options[:client_options][:site] = options[:client_options][:site].gsub(/\Ahttp\:/, 'https:')
end

#normalized_scopes(scopes) ⇒ Object



83
84
85
86
87
# File 'lib/omniauth/strategies/shopify.rb', line 83

def normalized_scopes(scopes)
  scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
  ignore_scopes = scope_list.map { |scope| scope =~ /\A(unauthenticated_)?write_(.*)\z/ && "#{$1}read_#{$2}" }.compact
  scope_list - ignore_scopes
end

#request_phaseObject



118
119
120
121
122
123
124
# File 'lib/omniauth/strategies/shopify.rb', line 118

def request_phase
  if valid_site?
    super
  else
    fail!(:invalid_site)
  end
end

#setup_phaseObject



113
114
115
116
# File 'lib/omniauth/strategies/shopify.rb', line 113

def setup_phase
  super
  fix_https
end

#valid_permissions?(token) ⇒ Boolean

Returns:

  • (Boolean)


100
101
102
103
104
105
106
107
# File 'lib/omniauth/strategies/shopify.rb', line 100

def valid_permissions?(token)
  return false unless token

  return true if options[:per_user_permissions] && token['associated_user']
  return true if !options[:per_user_permissions] && !token['associated_user']

  false
end

#valid_scope?(token) ⇒ Boolean

Returns:

  • (Boolean)


76
77
78
79
80
81
# File 'lib/omniauth/strategies/shopify.rb', line 76

def valid_scope?(token)
  params = options.authorize_params.merge(options_for("authorize"))
  return false unless token && params[:scope] && token['scope']
  expected_scope = normalized_scopes(params[:scope]).sort
  (expected_scope == token['scope'].split(SCOPE_DELIMITER).sort)
end

#valid_signature?Boolean

Returns:

  • (Boolean)


60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/omniauth/strategies/shopify.rb', line 60

def valid_signature?
  return false unless request.POST.empty?

  params = request.GET
  signature = params['hmac']
  timestamp = params['timestamp']
  return false unless signature && timestamp

  return false unless timestamp.to_i > Time.now.to_i - CODE_EXPIRES_AFTER

  new_secret = options.client_secret
  old_secret = options.old_client_secret

  validate_signature(new_secret) || (old_secret && validate_signature(old_secret))
end

#valid_site?Boolean

Returns:

  • (Boolean)


56
57
58
# File 'lib/omniauth/strategies/shopify.rb', line 56

def valid_site?
  !!(/\A(https|http)\:\/\/[a-zA-Z0-9][a-zA-Z0-9\-]*\.#{Regexp.quote(options[:myshopify_domain])}[\/]?\z/ =~ options[:client_options][:site])
end