module ShopifyApp::AppProxyVerification
def calculated_signature(query_hash_without_signature)
def calculated_signature(query_hash_without_signature) sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join OpenSSL::HMAC.hexdigest( OpenSSL::Digest.new("sha256"), ShopifyApp.configuration.secret, sorted_params, ) end
def query_string_valid?(query_string)
def query_string_valid?(query_string) query_hash = Rack::Utils.parse_query(query_string) signature = query_hash.delete("signature") return false if signature.nil? ActiveSupport::SecurityUtils.secure_compare( calculated_signature(query_hash), signature, ) end
def verify_proxy_request
def verify_proxy_request head(:forbidden) unless query_string_valid?(request.query_string) end