Changes underlying code to seperate some concerns

gnikyt · Dec 6, 2022 · df8c687 · df8c687
1 parent 1544375
commit df8c687
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -109,11  109,11 @@ func main() {
     FUNCTIONS
 
     func WebhookVerify(key string, fn http.HandlerFunc) http.HandlerFunc
-        Public webhook verify function wrapper. Can be used with any framework
-        tapping into net/http. Simply pass in the secret key for the Shopify app.
-        Example: `WebhookVerify("abc123", anotherHandler)`.
         Public webhook verify wrapper. Can be used with any framework tapping into
         net/http. Simply pass in the secret key for the Shopify app. Example:
         `WebhookVerify("abc123", anotherHandler)`.
 
-    func WebhookVerifyRequest(key string, w http.ResponseWriter, r *http.Request) (ok bool)
     func WebhookVerifyRequest(key string, w http.ResponseWriter, r *http.Request) bool
         Webhook verify request from HTTP. Returns a usable handler. Pass in the
         secret key for the Shopify app and the next handler.`
 

diff --git a/http_shopify_webhook.go b/http_shopify_webhook.go
@@ -9,15  9,14 @@ import (
 	"net/http"
 )
 
-// Public webhook verify function wrapper.
 // Public webhook verify wrapper.
 // Can be used with any framework tapping into net/http.
 // Simply pass in the secret key for the Shopify app.
 // Example: `WebhookVerify("abc123", anotherHandler)`.
 func WebhookVerify(key string, fn http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Verify and if all is well, run the next handler.
-		ok := WebhookVerifyRequest(key, w, r)
-		if ok {
 		if ok := WebhookVerifyRequest(key, w, r); ok {
 			fn(w, r)
 		}
 	}
@@ -26,39  25,49 @@ func WebhookVerify(key string, fn http.HandlerFunc) http.HandlerFunc {
 // Webhook verify request from HTTP.
 // Returns a usable handler.
 // Pass in the secret key for the Shopify app and the next handler.`
-func WebhookVerifyRequest(key string, w http.ResponseWriter, r *http.Request) (ok bool) {
 func WebhookVerifyRequest(key string, w http.ResponseWriter, r *http.Request) bool {
 	// HMAC from request headers and the shop.
 	shmac := r.Header.Get("X-Shopify-Hmac-Sha256")
 	shop := r.Header.Get("X-Shopify-Shop-Domain")
 
 	if shop == "" {
 		// No shop provided.
 		http.Error(w, "Missing shop domain", http.StatusBadRequest)
 		return false
 	}
 
 	if shmac == "" {
 		// No HMAC provided.
 		http.Error(w, "Missing signature", http.StatusBadRequest)
 		return false
 	}
 
 	// Read the body and put it back.
 	bb, _ := ioutil.ReadAll(r.Body)
 	r.Body.Close()
 	r.Body = ioutil.NopCloser(bytes.NewBuffer(bb))
 
 	// Create a signature to compare.
 	lhmac := newSignature(key, bb)
 
 	// Verify all is ok.
-	ok = verifyRequest(key, shop, shmac, bb)
-	if !ok {
 	if ok := isValidSignature(lhmac, shmac); !ok {
 		http.Error(w, "Invalid webhook signature", http.StatusBadRequest)
-		return
-	}
-
-	return
-}
-
-// Do the actual work.
-// Take the request body, the secret key,
-// Attempt to reproduce the same HMAC from the request.
-func verifyRequest(key string, shop string, shmac string, bb []byte) bool {
-	if shop == "" {
-		// No shop provided.
 		return false
 	}
 	return true
 }
 
-	// Create an hmac of the body with the secret key to compare.
 // Create an HMAC of the body (bb) with the secret key (key).
 // Returns a string.
 func newSignature(key string, bb []byte) string {
 	h := hmac.New(sha256.New, []byte(key))
 	h.Write(bb)
-	enc := base64.StdEncoding.EncodeToString(h.Sum(nil))
 	return base64.StdEncoding.EncodeToString(h.Sum(nil))
 }
 
-	return enc == shmac
 // Compares the created HMAC signature with the request's HMAC signature.
 // Returns bool of comparison result.
 func isValidSignature(lhmac string, shmac string) bool {
 	return lhmac == shmac
 }
diff --git a/http_shopify_webhook_test.go b/http_shopify_webhook_test.go
@@ -13,9  13,10 @@ func TestVerifyRequest(t *testing.T) {
 	// Setup a simple body with a matching HMAC.
 	body := []byte(`{"key":"value"}`)
 	hmac := "7iASoA8WSbw19M/h lgrLr2ly/LvgnE9bcLsk9gflvs="
-	shop := "example.myshopify.com"
 
-	if ok := verifyRequest("secret", shop, hmac, body); !ok {
 	// Create a signature
 	lhmac := newSignature("secret", body)
 	if ok := isValidSignature(lhmac, hmac); !ok {
 		t.Errorf("expected request data to verify")
 	}
 }
@@ -24,17  25,19 @@ func TestVerifyRequestError(t *testing.T) {
 	// Setup a simple body with a matching HMAC, but missing shop.
 	body := []byte(`{"key":"value"}`)
 	hmac := "ee2012a00f1649bc35f4cfe1fa582b2ebda5cbf2ef82713d6dc2ec93d81f96fb"
-	shop := ""
 
-	if ok := verifyRequest("secret", shop, hmac, body); ok {
 	// Create a signature
 	lhmac := newSignature("secret", body)
 	if ok := isValidSignature(lhmac, hmac); ok {
 		t.Errorf("expected request data to not verify, but it did")
 	}
 
-	// Now add the shop, but make the HMAC not match.
-	shop = "example.myshopify.com"
 	// HMAC which does not match body content.
 	hmac = "7iASoA8WSbw19M/h "
 
-	if ok := verifyRequest("secret", shop, hmac, body); ok {
 	// Create a signature
 	lhmac = newSignature("secret", body)
 	if ok := isValidSignature(lhmac, hmac); ok {
 		t.Errorf("expected request data to not verify, but it did")
 	}
 }
@@ -49,7  52,6 @@ func TestNetHttpSuccess(t *testing.T) {
 
 	// Setup the server with our data.
 	rec, ran := setupServer(key, shop, hmac, body)
-
 	if c := rec.Code; c != http.StatusOK {
 		t.Errorf("expected status code %v got %v", http.StatusOK, c)
 	}
@@ -69,7  71,6 @@ func TestNetHttpFailure(t *testing.T) {
 
 	// Setup the server with our data.
 	rec, ran := setupServer(key, shop, hmac, body)
-
 	if c := rec.Code; c != http.StatusBadRequest {
 		t.Errorf("expected status code %v got %v", http.StatusBadRequest, c)
 	}
@@ -99,6  100,5 @@ func setupServer(key string, shop string, hmac string, body string) (*httptest.R
 	// Create the handler and serve with our recorder and request.
 	h := WebhookVerify(key, nh)
 	h.ServeHTTP(rec, req)
-
 	return rec, ran
 }