shopify_api 11.0.0 → 11.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e6ef6d1ca6d9c8e54ddd8fd1c4ca34fdb015e2fe1157c1a101810c8036a69b02
-  data.tar.gz: 94cf5af5bf1e14d8fa1728bb87d0c138f92bebcdbb16d47885a2e2ce73ffba81
+  metadata.gz: 480de35765a695c4111ca43f241270a12a7eb4a22c83844fa5820a27ac829125
+  data.tar.gz: 5d20da61c0cad987a0b6048cf6a10460af29e80df2d7c89617e24e12fc5f1049
 SHA512:
-  metadata.gz: 505926c8d97d9ec73a4dbab76ff42aabf7f0559c503450ada931c51f900a62540ea52cfe4c8e02877a86f515b50b5f7c7f6536fde6d760ff44337d8e68bc6ed5
-  data.tar.gz: 84c6d2c78256cd4b84290ba324d3825ed2365aad7e142bd7f0ca0275f5f9c48d9f2251ff9a022cc2bb663a3a25c5d6c9841af25558a2dd154f62323305e4fd85
+  metadata.gz: 68662d27963ec681ca2b1604e11991f33ae19b3833711828743ac17905c5ed62ed37d2ca425b2042ea2093608ece1cc14d2bc2052f0f6b71c42d21b667e7ef71
+  data.tar.gz: febcfc8ca74c8bf13529d71d91ef6083075c011edb4aeda539b3e5a7d003471a2536a94180ba182b8bbf335ac7f7d9f4752e49ddfac08d1897e02880b24bbff8

data/CHANGELOG.md

@@ -4,6 +4,12 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 
 ## Unreleased
 
+N/A
+
+## Version 11.0.1
+
+- [#990](https://github.com/Shopify/shopify-api-ruby/pull/991) Validate `hmac` signature of OAuth callback using both old and new API secrets
+
 ## Version 11.0.0
 
 - [#987](https://github.com/Shopify/shopify_api/pull/987) ⚠️ [Breaking] Add REST resources for July 2022 API version, remove support and REST resources for July 2021 (`2021-07`) API version

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shopify_api (11.0.0)
+    shopify_api (11.0.1)
       concurrent-ruby
       hash_diff
       httparty

data/lib/shopify_api/utils/hmac_validator.rb

@@ -13,18 +13,28 @@ module ShopifyAPI
         def validate(verifiable_query)
           return false unless verifiable_query.hmac
 
-          received_signature = verifiable_query.hmac
-          computed_signature = compute_signature(verifiable_query.to_signable_string)
-          OpenSSL.secure_compare(computed_signature, received_signature)
+          result = validate_signature(verifiable_query, Context.api_secret_key)
+          if result || Context.old_api_secret_key.blank?
+            result
+          else
+            validate_signature(verifiable_query, T.must(Context.old_api_secret_key))
+          end
         end
 
         private
 
-        sig { params(signable_string: String).returns(String) }
-        def compute_signature(signable_string)
+        sig { params(verifiable_query: VerifiableQuery, secret: String).returns(T::Boolean) }
+        def validate_signature(verifiable_query, secret)
+          received_signature = verifiable_query.hmac
+          computed_signature = compute_signature(verifiable_query.to_signable_string, secret)
+          OpenSSL.secure_compare(computed_signature, received_signature)
+        end
+
+        sig { params(signable_string: String, secret: String).returns(String) }
+        def compute_signature(signable_string, secret)
           OpenSSL::HMAC.hexdigest(
             OpenSSL::Digest.new("sha256"),
-            ShopifyAPI::Context.api_secret_key,
+            secret,
             signable_string,
           )
         end

data/lib/shopify_api/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module ShopifyAPI
-  VERSION = "11.0.0"
+  VERSION = "11.0.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_api
 version: !ruby/object:Gem::Version
-  version: 11.0.0
+  version: 11.0.1
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-04 00:00:00.000000000 Z
+date: 2022-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby