Webhook verification working

Author: gnikyt

README.md

@@ -78,6 +78,7 @@ Open `app/Http/Kernel.php` find `routeMiddleware` array. Add a new line with:
 
 ```php
 'auth.shop' => \OhMyBrew\ShopifyApp\Middleware\AuthShop::class,
+'auth.webhook' => \OhMyBrew\ShopifyApp\Middleware\AuthWebhook::class,
 ```
 
 ### Jobs

docs/creating-webhooks.md

@@ -78,4 +78,5 @@ Route::post(
     '/webhook/some-string-here',
     'App\Http\Controllers\CustomWebhookController'
 )
+->middleware('auth.middleware')
 ```

src/ShopifyApp/Middleware/AuthWebhook.php

@@ -15,6 +15,17 @@ class AuthWebhook
      */
     public function handle(Request $request, Closure $next)
     {
-      // ... validate HMAC and headers
+        $hmac = request()->header('x-shopify-hmac-sha256');
+        $shop = request()->header('x-shopify-shop-domain');
+        $data = request()->getContent();
+
+        $hmacLocal = hash_hmac('sha256', $data, config('shopify-app.api_secret'));
+        if ($hmac !== $hmacLocal || empty($shop)) {
+            // Issue with HMAC or missing shop header
+            abort(401, 'Invalid webhook signature');
+        }
+
+        // All good, process webhook
+        return $next($request);
     }
 }

src/ShopifyApp/resources/routes.php

@@ -70,5 +70,6 @@
         '/webhook/{type}',
         'OhMyBrew\ShopifyApp\Controllers\WebhookController@handle'
     )
+    ->middleware('auth.webhook')
     ->name('webhook');
 });

tests/AuthWebhookMiddlewareTest.php

@@ -1,17 +1,67 @@
 <?php namespace OhMyBrew\ShopifyApp\Test;
 
 use OhMyBrew\ShopifyApp\Middleware\AuthWebhook;
-use Illuminate\Support\Facades\Input;
+use Illuminate\Support\Facades\Queue;
+
+if (!class_exists('App\Jobs\OrdersCreateJob')) {
+    require 'OrdersCreateJobStub.php';
+}
 
 class AuthWebhookMiddlewareTest extends TestCase
 {
+    /**
+     * @expectedException Symfony\Component\HttpKernel\Exception\HttpException
+     * @expectedExceptionMessage Invalid webhook signature
+     */
+    public function testDenysForMissingShopHeader()
+    {
+        request()->header('x-shopify-hmac-sha256', '1234');
+        (new AuthWebhook)->handle(request(), function($request) { });
+    }
+
+    /**
+     * @expectedException Symfony\Component\HttpKernel\Exception\HttpException
+     * @expectedExceptionMessage Invalid webhook signature
+     */
+    public function testDenysForMissingHmacHeader()
+    {
+        request()->header('x-shopify-shop-domain', 'example.myshopify.com');
+        (new AuthWebhook)->handle(request(), function($request) { });
+    }
+
     public function testRuns()
     {
-        $called = false;
-        $result = (new AuthWebhook)->handle(request(), function($request) use(&$called) {
-            $called = true;
-        });
+        Queue::fake();
+        
+        $response = $this->call(
+            'post',
+            '/webhook/orders-create',
+            [], [], [],
+            [
+                'HTTP_CONTENT_TYPE' => 'application/json',
+                'HTTP_X_SHOPIFY_SHOP_DOMAIN' => 'example.myshopify.com',
+                'HTTP_X_SHOPIFY_HMAC_SHA256' => '8432614ea1ce63b77959195b0e5e1e8469bfb7890e40ab51fb9c3ac26f8b050c', // Matches fixture data and API secret
+            ],
+            file_get_contents(__DIR__.'/fixtures/webhook.json')
+        );
+        $response->assertStatus(201);
+    }
 
-        $this->assertEquals($called);
+    public function testInvalidHmacWontRun()
+    {
+        Queue::fake();
+        
+        $response = $this->call(
+            'post',
+            '/webhook/orders-create',
+            [], [], [],
+            [
+                'HTTP_CONTENT_TYPE' => 'application/json',
+                'HTTP_X_SHOPIFY_SHOP_DOMAIN' => 'example.myshopify.com',
+                'HTTP_X_SHOPIFY_HMAC_SHA256' => '8432614ea1ce63b77959195b0e5e1e8469bfb7890e40ab51fb9c3ac26f8b050c', // Matches fixture data and API secret
+            ],
+            file_get_contents(__DIR__.'/fixtures/webhook.json') . 'invalid'
+        );
+        $response->assertStatus(401);
     }
 }

tests/Kernel.php

@@ -18,6 +18,7 @@ class Kernel extends \Orchestra\Testbench\Http\Kernel
         'throttle'   => \Illuminate\Routing\Middleware\ThrottleRequests::class,
 
         // Added for testing
-        'auth.shop'  => \OhMyBrew\ShopifyApp\Middleware\AuthShop::class
+        'auth.shop'  => \OhMyBrew\ShopifyApp\Middleware\AuthShop::class,
+        'auth.webhook'  => \OhMyBrew\ShopifyApp\Middleware\AuthWebhook::class
     ];
 }

tests/WebhookControllerTest.php

@@ -3,15 +3,34 @@
 use \ReflectionMethod;
 use Illuminate\Support\Facades\Queue;
 
-require 'OrdersCreateJobStub.php';
+if (!class_exists('App\Jobs\OrdersCreateJob')) {
+    require 'OrdersCreateJobStub.php';
+}
 
 class WebhookControllerTest extends TestCase
 {
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->headers = [
+            'HTTP_CONTENT_TYPE' => 'application/json',
+            'HTTP_X_SHOPIFY_SHOP_DOMAIN' => 'example.myshopify.com',
+            'HTTP_X_SHOPIFY_HMAC_SHA256' => '8432614ea1ce63b77959195b0e5e1e8469bfb7890e40ab51fb9c3ac26f8b050c', // Matches fixture data and API secret
+        ];
+    }
+
     public function testShouldReturn201ResponseOnSuccess()
     {
         Queue::fake();
 
-        $response = $this->call('post', '/webhook/orders-create');
+        $response = $this->call(
+            'post',
+            '/webhook/orders-create',
+            [], [], [],
+            $this->headers,
+            file_get_contents(__DIR__.'/fixtures/webhook.json')
+        );
         $response->assertStatus(201);
 
         Queue::assertPushed(\App\Jobs\OrdersCreateJob::class);
@@ -20,7 +39,13 @@ public function testShouldReturn201ResponseOnSuccess()
 
     public function testShouldReturnErrorResponseOnFailure()
     {
-        $response = $this->call('post', '/webhook/products-create');
+        $response = $this->call(
+            'post',
+            '/webhook/products-create',
+            [], [], [],
+            $this->headers,
+            file_get_contents(__DIR__.'/fixtures/webhook.json')
+        );
         $response->assertStatus(500);
         $this->assertEquals('Missing webhook job: \App\Jobs\ProductsCreateJob', $response->exception->getMessage());
     }
@@ -50,10 +75,7 @@ public function testWebhookShouldRecieveData()
             'post',
             '/webhook/orders-create',
             [], [], [],
-            [
-                'HTTP_CONTENT_TYPE' => 'application/json',
-                'HTTP_X_SHOPIFY_SHOP_DOMAIN' => 'example.myshopify.com'
-            ],
+            $this->headers,
             file_get_contents(__DIR__.'/fixtures/webhook.json')
         );
         $response->assertStatus(201);