Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify hmac in setup callback #52

Open
EiNSTeiN- opened this issue Oct 20, 2016 · 0 comments
Open

Verify hmac in setup callback #52

EiNSTeiN- opened this issue Oct 20, 2016 · 0 comments
Assignees
@EiNSTeiN-

Comments

@EiNSTeiN-
Copy link
Contributor

I'm opening this issue so I can fix it later on. In the setup callback we set the shop url from the query parameters. Since we allow the authorize phase to be initiated in response to a GET request, it's possible for someone to maliciously force a user to go through the oauth flow, and the app will receive a valid access token in response, all without user interaction. It would be much better to avoid csrf login, so we should verify the hmac and timestamp in the url in the setup callback before initiating the authorize phase.
@EiNSTeiN- EiNSTeiN- self-assigned this Oct 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EiNSTeiN- EiNSTeiN-

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@EiNSTeiN-