Skip to content
This repository was archived by the owner on Apr 11, 2024. It is now read-only.

Add Hmac timestamp validation on OAuth #671

Merged
merged 5 commits into from
Jan 10, 2023
Merged

Add Hmac timestamp validation on OAuth #671

merged 5 commits into from
Jan 10, 2023

Conversation

cquemin
Copy link
Contributor

@cquemin cquemin commented Jan 6, 2023

WHY are these changes introduced?

Fixes #570 #570

During the OAuth flow we receive an HMAC that has been computer over URL parameters. One of them is a timestamp. This timestamp wasn't validated therefore allowing potential replay attack to occur.

WHAT is this pull request doing?

This PR add timestamp validation to ensure the submitted timestamp is within a reasonable windows in the past or in the future
The tolerance should be big enough that it doesn't break anything. However if servers are widely desynchronized then this may be an issue, arguably something that 3p should fix. But does it means this should be a breaking change on our end?

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

@cquemin cquemin requested a review from a team as a code owner January 6, 2023 19:46
paulomarg
paulomarg approved these changes Jan 6, 2023
View reviewed changes
paulomarg
paulomarg approved these changes Jan 10, 2023
View reviewed changes
lib/utils/__tests__/hmac-validator.test.ts
);
});

test('hmac with timestamp more than 10 seconds in the future throws InvalidHmacError', async () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: it's no longer 10 seconds :)

@cquemin cquemin merged commit 21696ab into main Jan 10, 2023
@cquemin cquemin deleted the cqu/hmac_timestamp_validation branch January 10, 2023 22:59
@shopify-shipit shopify-shipit bot temporarily deployed to production February 15, 2023 16:49 Inactive
@cquemin cquemin mentioned this pull request Mar 28, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@paulomarg paulomarg paulomarg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Validating the timestamp value during oauth
2 participants
@cquemin @paulomarg