From 8b8e2ea050458e976e00059dd50ee7ba9ff7ab3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EA=A6=8C=EA=A6=AB=EA=A6=B6=EA=A6=8F=EA=A7=80=EA=A6=A6?= =?UTF-8?q?=EA=A6=BF=EA=A6=A7=EA=A6=AE=EA=A6=91=EA=A6=A9=EA=A6=AD=EA=A7=80?= Date: Thu, 22 Sep 2022 15:59:10 +0800 Subject: Merge sessiontoken.h --- configure.ac | 3 +-- sessiontoken.h | 37 ------------------------------------- shopify.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- 3 files changed, 43 insertions(+), 49 deletions(-) delete mode 100644 sessiontoken.h diff --git a/configure.ac b/configure.ac index aa2530f..bae8f59 100644 --- a/configure.ac +++ b/configure.ac @@ -1,11 +1,10 @@ -AC_INIT([shopify], [0.0], [erik@darapsa.co.id]) +AC_INIT([shopify], [0.0], [prabowo@darapsa.org]) AM_INIT_AUTOMAKE([-Wall -Werror foreign]) AC_PROG_CC AM_PROG_AR LT_INIT PKG_CHECK_MODULES([DEPS], [libmicrohttpd libgcrypt gnutls libpcre2-8 libcurl json-c]) AC_CHECK_HEADERS([fcntl.h]) -AC_CHECK_HEADER_STDBOOL AC_C_INLINE AC_CHECK_FUNCS([strrchr]) AC_FUNC_MALLOC diff --git a/sessiontoken.h b/sessiontoken.h deleted file mode 100644 index cff077c..0000000 --- a/sessiontoken.h +++ /dev/null 
@@ -1,37 +0,0 @@ -#include - -static inline bool sessiontoken_isvalid(const char *token, const char *api_key, - const char *api_secret_key, const char *shop) -{ - struct l8w8jwt_decoding_params params; - l8w8jwt_decoding_params_init(¶ms); - params.alg = L8W8JWT_ALG_HS256; - params.jwt = (char *)token; - params.jwt_length = strlen(token); - params.verification_key = (unsigned char *)api_secret_key; - params.verification_key_length = strlen(api_secret_key); - params.validate_exp = 1; - params.validate_nbf = 1; - params.validate_aud = (char *)api_key; - - enum l8w8jwt_validation_result validation; - struct l8w8jwt_claim *claims; - size_t claims_len; - int decode = l8w8jwt_decode(¶ms, &validation, &claims, &claims_len); - - struct l8w8jwt_claim *dest - = l8w8jwt_get_claim(claims, claims_len, "dest", 4); - _Bool iss_isvalid = !strncmp(dest->value, - l8w8jwt_get_claim(claims, claims_len, "iss", 3)->value, - dest->value_length); - if (validation != L8W8JWT_NBF_FAILURE) - printf("nbf invalid\n"); - printf("JWT payload sub: %s\n", - l8w8jwt_get_claim(claims, claims_len, "sub", 3)->value); - l8w8jwt_free_claims(claims, claims_len); - - return decode == L8W8JWT_SUCCESS - && (validation == L8W8JWT_VALID - || validation == L8W8JWT_NBF_FAILURE) - && iss_isvalid; -} diff --git a/shopify.c b/shopify.c index eca8e7f..a3cd6d8 100644 --- a/shopify.c +++ b/shopify.c @@ -1,4 +1,3 @@ -#include #include #include #define PCRE2_CODE_UNIT_WIDTH 8 @@ -9,8 +8,8 @@ #include #include #include +#include #include "shopify.h" -#include "sessiontoken.h" #define AUTH_URL \ "https://%s/oauth/authorize?client_id=%s&scope=%s&redirect_uri=%s%s"\ @@ -44,9 +43,6 @@ #define EMBEDDED_URL "https://%s/apps/%s/" #define EMBEDDED_URL_LEN strlen(EMBEDDED_URL) - strlen("%s") * 2 -extern inline bool sessiontoken_isvalid(const char *, const char *, - const char *, const char *); - struct parameter { char *key; char *val; 
@@ -244,7 +240,7 @@ static enum MHD_Result handle_request(void *cls, struct MHD_Connection *con, const char *val = params[i].val; if (strcmp(key, "hmac")) { size_t query_len = query ? strlen(query) : 0; - bool ampersand_len = i != nparams - 1; + _Bool ampersand_len = i != nparams - 1; query = realloc(query, query_len + strlen(key) + strlen("=") + strlen(val) + ampersand_len + 1); @@ -307,6 +303,7 @@ static enum MHD_Result handle_request(void *cls, struct MHD_Connection *con, } else { free(params); params = NULL; + char *referer = NULL; MHD_get_connection_values(con, MHD_HEADER_KIND, iterate, (char **[]){ &session_token, &referer }); @@ -320,6 +317,7 @@ static enum MHD_Result handle_request(void *cls, struct MHD_Connection *con, free(referer); return MHD_NO; } + referer = &referer[app_url_len + 1]; char *tofree = referer; char *pair = NULL; 
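Review bot: In the `@@ -320,6` hunk the new line `referer = &referer[app_url_len + 1];` advances the pointer before `char *tofree = referer;` captures it, so the `free(tofree)` calls a few lines later (visible at the top of the next hunk) are handed an interior pointer instead of the block the header iterator allocated, which is undefined behaviour and aborts under glibc with `free(): invalid pointer`. Take the copy first and then advance: `char *tofree = referer;` followed by `referer = &referer[app_url_len + 1];` (the `char *pair = NULL;` line is unchanged). This assumes `referer` is heap-owned, which the `free(referer)` on the early-return path three lines earlier indicates; whether `session_token` is initialised when the `Authorization` header is absent is not visible here. `handle_request` starts and ends outside this hunk.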
@@ -333,13 +331,47 @@ static enum MHD_Result handle_request(void *cls, struct MHD_Connection *con, free(tofree); return MHD_NO; } + pair = &pair[key_len]; - shop_len = (strchrnul(pair, '&') - pair) * sizeof(char); + shop_len = strchrnul(pair, '&') - pair; shop = malloc(shop_len + 1); strlcpy(shop, pair, shop_len + 1); free(tofree); - if (!match(shop) || !sessiontoken_isvalid(session_token, - api_key, api_secret_key, shop)) { + if (!match(shop)) { + free(session_token); + free(shop); + return MHD_NO; + } + + struct l8w8jwt_decoding_params params; + l8w8jwt_decoding_params_init(¶ms); + params.alg = L8W8JWT_ALG_HS256; + params.jwt = (char *)session_token; + params.jwt_length = strlen(session_token); + params.verification_key = (unsigned char *)api_secret_key; + params.verification_key_length = strlen(api_secret_key); + params.validate_exp = 1; + params.validate_nbf = 1; + params.validate_aud = (char *)api_key; + enum l8w8jwt_validation_result validation; + struct l8w8jwt_claim *claims; + size_t claims_len; + int decode = l8w8jwt_decode(¶ms, &validation, &claims, + &claims_len); + if (validation != L8W8JWT_NBF_FAILURE) + printf("JWT payload nbf is invalid.\n"); + struct l8w8jwt_claim *dest + = l8w8jwt_get_claim(claims, claims_len, "dest", 4); + _Bool iss_valid = !strncmp( l8w8jwt_get_claim(claims, + claims_len, "iss", 3)->value, + dest->value, dest->value_length); + printf("JWT payload sub: %s\n", l8w8jwt_get_claim(claims, + claims_len, "sub", 3)->value); + l8w8jwt_free_claims(claims, claims_len); + if (decode != L8W8JWT_SUCCESS + || validation != L8W8JWT_VALID + && validation != L8W8JWT_NBF_FAILURE + || !iss_valid) { free(session_token); free(shop); return MHD_NO; @@ -348,7 +380,7 @@ static enum MHD_Result handle_request(void *cls, struct MHD_Connection *con, char *host = NULL; size_t host_len = 0; - bool embedded = false; + _Bool embedded = 0; char *dec_host = NULL; size_t dec_host_len = 0; if (params) { -- cgit v1.2.3
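Review bot: The claim lookups and both `printf` calls in the new block run before `decode` and `validation` are checked, so on a decode failure `claims` is read uninitialised, and a token that merely lacks a `dest`, `iss` or `sub` claim dereferences whatever `l8w8jwt_get_claim` returns for a missing claim (presumably NULL) — an unauthenticated `Authorization` header can crash the handler before the signature result is ever consulted. The token's `dest` is also never compared with the `shop` value parsed from the Referer a few lines above, so a genuine token issued for one shop is accepted for any shop that passes `match()`; only the `iss`-is-a-prefix-of-`dest` relation is checked, and by prefix rather than exact length. The `if (validation != L8W8JWT_NBF_FAILURE)` test prints "nbf is invalid" for every fully valid token (the condition is inverted), and the acceptance of `L8W8JWT_NBF_FAILURE` in the final condition should carry a comment if it is a deliberate clock-skew allowance. I would reject on `decode`/`validation` first, then bind `dest` to `shop` and `iss` to `dest` with exact lengths and drop the debug output, as below (this assumes `shop` holds the bare hostname as Shopify's `shop` query parameter does, and that `l8w8jwt_decode` still hands back claims when validation flags are set, so they must be freed on the rejection path too); `handle_request` starts and ends outside this hunk.
```c
	struct l8w8jwt_decoding_params params;
	l8w8jwt_decoding_params_init(&params);
	/* … unchanged: params.alg … params.validate_aud … */
	enum l8w8jwt_validation_result validation = L8W8JWT_VALID;
	struct l8w8jwt_claim *claims = NULL;
	size_t claims_len = 0;
	int decode = l8w8jwt_decode(&params, &validation, &claims, &claims_len);
	/* nbf alone is tolerated on purpose (clock skew against a token whose
	 * nbf equals iat); anything else is rejected before a claim is touched */
	if (decode != L8W8JWT_SUCCESS
			|| (validation != L8W8JWT_VALID
				&& validation != L8W8JWT_NBF_FAILURE)) {
		if (decode == L8W8JWT_SUCCESS)
			l8w8jwt_free_claims(claims, claims_len);
		free(session_token);
		free(shop);
		return MHD_NO;
	}
	struct l8w8jwt_claim *dest
		= l8w8jwt_get_claim(claims, claims_len, "dest", 4);
	struct l8w8jwt_claim *iss
		= l8w8jwt_get_claim(claims, claims_len, "iss", 3);
	/* dest must be exactly "https://<shop>" for the shop named in the
	 * Referer, and iss must be exactly dest followed by "/admin" */
	static const char scheme[] = "https://";
	static const char admin[] = "/admin";
	_Bool claims_ok = dest && iss
		&& dest->value_length == sizeof scheme - 1 + shop_len
		&& !memcmp(dest->value, scheme, sizeof scheme - 1)
		&& !memcmp(dest->value + sizeof scheme - 1, shop, shop_len)
		&& iss->value_length == dest->value_length + sizeof admin - 1
		&& !memcmp(iss->value, dest->value, dest->value_length)
		&& !memcmp(iss->value + dest->value_length, admin,
				sizeof admin - 1);
	l8w8jwt_free_claims(claims, claims_len);
	if (!claims_ok) {
		free(session_token);
		free(shop);
		return MHD_NO;
	}
	/* … unchanged: host / embedded handling … */
```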