
Signatures do not expire

Open darrynten opened this issue 5 years ago • 7 comments

The verifyRequest method does not check the freshness of the signature, which means the signatures are still valid after expiration on Shopify.

It should be possible to configure an expiration and check the timestamp at L524.

darrynten, Aug 12 '19 08:08

@darrynten Ah, would there ever be a situation where this would happen? (maybe on webhooks running?)

I guess a simple check of timestamp is within the last 5-10 mins?

gnikyt, Aug 12 '19 13:08
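An added example (not the library's own code) of what the freshness check proposed above could look like in PHP: HMAC verification following Shopify's documented approach (drop `hmac`, sort the remaining query parameters, HMAC-SHA256 over `http_build_query`) combined with rejecting a `timestamp` outside a configurable window. The function name, the shared secret and the timestamps are constructed for illustration.

```php
<?php
// Added example, not code from Basic-Shopify-API. Verifies a Shopify app request's
// HMAC and additionally rejects signatures whose "timestamp" is older (or further
// in the future) than $maxAgeSeconds, so a captured request cannot be replayed
// indefinitely. $now is injectable so the check can be exercised deterministically.
function verifyShopifyRequest(array $query, string $sharedSecret, int $maxAgeSeconds = 600, ?int $now = null): bool
{
    if (!isset($query['hmac'], $query['timestamp'])) {
        return false;
    }
    $now = $now ?? time();

    // Freshness: the timestamp must be an integer within the allowed window.
    // abs() tolerates small clock skew in either direction.
    $ts = filter_var($query['timestamp'], FILTER_VALIDATE_INT);
    if ($ts === false || abs($now - $ts) > $maxAgeSeconds) {
        return false;
    }

    // Integrity: rebuild the signed message the way Shopify's documentation does.
    $params = $query;
    unset($params['hmac'], $params['signature']);
    ksort($params);
    $computed = hash_hmac('sha256', http_build_query($params), $sharedSecret);

    // Constant-time comparison; the timestamp is covered by the HMAC, so it
    // cannot be moved forward without invalidating the signature.
    return hash_equals($computed, (string) $query['hmac']);
}

// Constructed sample: sign a query as Shopify would, then check it fresh, replayed
// an hour later, and with the timestamp edited after signing.
$secret   = 'example-shared-secret'; // placeholder, not a real app secret
$signedAt = 1700000000;              // constructed epoch timestamp
$query    = ['shop' => 'example.myshopify.com', 'timestamp' => (string) $signedAt];
ksort($query);
$query['hmac'] = hash_hmac('sha256', http_build_query($query), $secret);

var_dump(verifyShopifyRequest($query, $secret, 600, $signedAt + 60));   // checked one minute after signing
var_dump(verifyShopifyRequest($query, $secret, 600, $signedAt + 3600)); // same query presented an hour later

$edited = $query;
$edited['timestamp'] = (string) ($signedAt + 3600);                      // timestamp changed, HMAC left as-is
var_dump(verifyShopifyRequest($edited, $secret, 600, $signedAt + 3600));
```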

Hey @darrynten, just seeing if you've seen the above ;) What do you suggest?

gnikyt, Aug 19 '19 13:08

According to the Shopify docs, it seems like this value is returned from Shopify themselves when doing OAuth.


darrynten, Aug 21 '19 09:08

> I guess a simple check of timestamp is within the last 5-10 mins?

I think it's a little more complex than this. What value does Shopify return?

darrynten, Aug 21 '19 09:08

Ah this is for online tokens through however, it doesn't give an expires for offline tokens I don't believe.

gnikyt, Aug 21 '19 14:08

Would it be a good idea to return the expires_in, so that we can set a cookie that expires at the same time and use a cache instead of sending requests on every page load?

asacarter, Mar 30 '21 15:03

Yes, going to put this in my todos.

gnikyt, Mar 30 '21 16:03