Fixing a vulnerability related to access to store data. (#418)

* authorization after token verification, added a restriction preventing API routes from being accessed via a browser

* added forbidden web middleware groups to the configuration

Author: enmaboya

src/Http/Middleware/VerifyShopify.php

@@ -101,20 +101,29 @@ public function handle(Request $request, Closure $next)
             return $next($request);
         }
 
-        if (!Util::useNativeAppBridge()) {
-            $shop = $this->getShopIfAlreadyInstalled($request);
-            $storeResult = !$this->isApiRequest($request) && $shop;
+        $tokenSource = $this->getAccessTokenFromRequest($request);
 
-            if ($storeResult) {
-                $this->loginFromShop($shop);
+        if ($tokenSource === null) {
+            $forbiddenMiddlewareMatches = array_intersect(
+                Util::getShopifyConfig('forbidden_web_middleware_groups'),
+                $request->route()?->middleware() ?? []
+            );
 
-                return $next($request);
+            if (filled($forbiddenMiddlewareMatches)) {
+                throw new HttpException('Access denied.', Response::HTTP_FORBIDDEN);
             }
-        }
 
-        $tokenSource = $this->getAccessTokenFromRequest($request);
+            if (!Util::useNativeAppBridge()) {
+                $shop = $this->getShopIfAlreadyInstalled($request);
+                $storeResult = !$this->isApiRequest($request) && $shop;
+
+                if ($storeResult) {
+                    $this->loginFromShop($shop);
+
+                    return $next($request);
+                }
+            }
 
-        if ($tokenSource === null) {
             //Check if there is a store record in the database
             return $this->checkPreviousInstallation($request)
                 // Shop exists, token not available, we need to get one

src/resources/config/shopify-app.php

@@ -588,4 +588,16 @@
     'frontend_engine' => env('SHOPIFY_FRONTEND_ENGINE', 'BLADE'),
 
     'iframe_ancestors' => '',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Forbidden middleware groups
+    |--------------------------------------------------------------------------
+    |
+    | Routes prohibited from being opened in the browser.
+    |
+    */
+    'forbidden_web_middleware_groups' => [
+        'api',
+    ]
 ];

tests/Http/Middleware/VerifyShopifyTest.php

@@ -2,7 +2,9 @@
 
 namespace Osiset\ShopifyApp\Test\Http\Middleware;
 
+use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Request;
+use Illuminate\Support\Facades\Route;
 use Osiset\ShopifyApp\Exceptions\HttpException;
 use Osiset\ShopifyApp\Exceptions\SignatureVerificationException;
 use Osiset\ShopifyApp\Http\Middleware\VerifyShopify;
@@ -318,7 +320,7 @@ public function testTokenProcessingAndMissMatchingShops(): void
         $this->runMiddleware(VerifyShopify::class, $newRequest);
     }
 
-    public function testNotNativeAppbridgeWithTokenProcessingAndLoginShop(): void
+    public function testNotNativeAppBridgeWithTokenProcessingAndLoginShop(): void
     {
         // Create a shop that matches the token from buildToken
         factory($this->model)->create(['name' => 'shop-name.myshopify.com']);
@@ -349,4 +351,33 @@ public function testNotNativeAppbridgeWithTokenProcessingAndLoginShop(): void
         $result = $this->runMiddleware(VerifyShopify::class, $newRequest);
         $this->assertTrue($result[0]);
     }
+
+    public function testAccessingForbiddenMiddlewareRouteFromBrowserReceivedAccessError(): void
+    {
+        $this->expectException(HttpException::class);
+        $this->expectExceptionMessage('Access denied');
+        $this->expectExceptionCode(Response::HTTP_FORBIDDEN);
+
+        // Create a shop that matches the token from buildToken
+        factory($this->model)->create(['name' => 'shop-name.myshopify.com']);
+        $this->app['config']->set('shopify-app.frontend_engine', 'REACT');
+        $this->app['config']->set('shopify-app.forbidden_web_middleware_groups', ['api']);
+        $this->app['router']->get('/api/some/endpoint', fn () => true)->middleware(['api']);
+
+        // Setup the request
+        $currentRequest = Request::instance();
+        $newRequest = $currentRequest->duplicate(
+            query: [
+                'shop' => 'shop-name.myshopify.com',
+            ],
+            server: [
+                'HTTP_Authorization' => "Bearer {$this->buildToken()}",
+                'REQUEST_URI' => 'api/some/endpoint',
+            ]
+        );
+        $route = Route::getRoutes()->match($newRequest);
+        $newRequest->setRouteResolver(fn () => $route);
+
+        $this->runMiddleware(VerifyShopify::class, $newRequest);
+    }
 }

tests/Traits/ApiControllerTest.php

@@ -12,8 +12,8 @@ public function testApiWithoutToken(): void
         $shop = factory($this->model)->create();
 
         $response = $this->getJson('/api', ['HTTP_X-Shop-Domain' => $shop->name]);
-        $response->assertStatus(Response::HTTP_BAD_REQUEST);
-        $response->assertExactJson(['error' => 'Session token is invalid.']);
+        $response->assertStatus(Response::HTTP_FORBIDDEN);
+        $response->assertExactJson(['error' => 'Access denied.']);
     }
 
     public function testApiWithToken(): void