Added nonce to authentication process

Author: Robert Wittman

README.md

@@ -27,8 +27,8 @@ storage engines, this SDK will not store these state variables for you. However,
 functions for generating and managing them
 
 ```php
-\Shopify\Auth::generateNonce() // Returns a hashed string of <store>.<timestamp>, using API Secret as key
-// hash_hmac('sha256', <store>.<timestamp>, \Shopify\Shopify::api_secret());s
+\Shopify\Auth::generateNonce();
+// Returns a hashed string of <store>.<timestamp>, using API Secret as key
 ```
 This will return a hashed string, composed by concatenating the store name with a timestamp, using the API Secret
 as the key.
@@ -46,11 +46,13 @@ This will return TRUE or FALSE, depending on if the nonce in the URL matches a n
 This function is automatically run during accessToken() in strict environments, so you shouldnt need to
 call it explicitly
 
+For full example, check out [Full Auth Example with Comments](examples/authentication.php)
 ### Authentication
 
 To use the SDK for OAuth purposes, you need to provide your api_key, api_secret, permissions, and redirect_uri
 
 ```php
+// Set our options for initializing the SDK
 $options = array(
     'api_key' => 'some_random_api_key',
     'api_secret' => 'some_random_api_secret',
@@ -60,14 +62,19 @@ $options = array(
 );
 \Shopify\Shopify::init($options);
 
-// Store this somewhere so we can compare it later
-$storageEngine->store($nonce);
 
-if(isset($_GET['code']))
+if(!isset($_GET['code']))
 {
+    $nonce = \Shopify\Auth::generateNonce();
+
+    // Store this somewhere so we can compare it later
+    $storageEngine->store($nonce);
+
     // Redirect to Shopify to start OAuth
     header("Location: ".\Shopify\Auth::authorizationUrl());
 } else {
+    $nonce = $storageEngine->retrieve($nonce);
+    \Shopify\Auth::setNonce($nonce);
 
     // We can go ahead and get the access token
     echo \Shopify\Auth::accessToken();
@@ -167,7 +174,7 @@ try {
 \\ Exception\CurlException => cURL failed to connect
 \\ Exception\ApiException        => There was an API error. [Invalid POST data, Invalid Endpoint, etc.]
 
-```
+```/.lung`q23 45v
 
 ## References
 

examples/authentication_no_strict.php

@@ -0,0 +1,34 @@
+<?php
+
+require_once 'path/to/vendor/autoload.php';
+
+// Set our arguments for the SDK. These should be stored in another file
+$options = [
+    'api_key'       => '<shopify_api_key>',
+    'api_secret'    => '<shopify_api_secret>',
+    'redirect_url'  => 'https://localhost/shopify',
+    'store'         => '<store_name>',
+    'permissions'   => 'read_products',
+    'strict'        => FALSE    // This disables response verifications
+];
+
+// Initialize the SDK using arguments
+\Shopify\Shopify::init($options);
+
+/* Now we check if we are starting an OAuth request request, or handling a
+   response from Shopify. Checking for ?code=<auth_code> should suffice */
+if( !isset( $_GET['code'] ) )
+{
+    header("Location: ".\Shopify\Auth::authorizationUrl());
+}
+else
+{
+    try {
+        $accessToken = \Shopify\Auth::accessToken();
+    } catch(Exception $e) {
+        echo $e->getMessage();
+        exit();
+    }
+
+    echo $accessToken; // 53e20e750c89274d02b53927135fd664
+}

examples/strict_authentication.php

@@ -0,0 +1,76 @@
+<?php
+
+require_once 'path/to/vendor/autoload.php';
+
+// Initialize our storage engine. Replace this with whichever storage mechanism you want to use
+$storageEngine = new StorageEngine();
+// Set our arguments for the SDK. These should be stored in another file
+$options = [
+    'api_key'       => '<shopify_api_key>',
+    'api_secret'    => '<shopify_api_secret>',
+    'redirect_url'  => 'https://localhost/shopify',
+    'store'         => '<store_name>',
+    'permissions'   => 'read_products',
+];
+
+// Initialize the SDK using arguments
+\Shopify\Shopify::init($options);
+
+/* Now we check if we are starting an OAuth request request, or handling a
+   response from Shopify. Checking for ?code=<auth_code> should suffice */
+if( !isset( $_GET['code'] ) )
+{
+    // We need to initiate the OAuth flow. Generate a nonce we can store for
+    // security purposes
+    $nonce = \Shopify\Auth::generateNonce();
+
+    // In order to compare the nonce when they return, it needs to be stored somewhere.
+    $storageEngine->store('auth_nonce', $nonce);
+
+    // We can now send the user to Shopify for authentication
+    header("Location: ".\Shopify\Auth::authorizationUrl());
+}
+else
+{
+    // We are handling an authentication resposne from Shopify. We need to validate the
+    // request, and then exchange the code for an access token
+
+    // First, we get the nonce we stored
+    $nonce = $storageEngine->retrieve('auth_nonce');
+    // Set the nonce property of \Shopify\Auth so it can compare response -> request
+    \Shopify\Auth::setNonce($nonce);
+    // Finally, attempt to get the access token. If there is no nonce present, or the
+    // store nonce does not match the one present in Shopify's response, or the HMAC
+    // signature fails, this will throw an exception
+    try {
+        $accessToken = \Shopify\Auth::accessToken();
+    } catch(Exception $e) {
+        echo $e->getMessage(); // Authentication failed for some reason
+        exit();
+    }
+
+    echo $accessToken; // 53e20e750c89274d02b53927135fd664
+}
+
+
+/**
+ * This is a very crude representation of session management.
+ * This could be replaced with DB storage, redis, or your frameworks session library
+ *
+ * **For demo purposes only**
+ */
+class StorageEngine {
+    public function __construct() {
+        if (session_status() == PHP_SESSION_NONE) {
+            session_start();
+        }
+    }
+
+    public function store($key, $value) {
+        $_SESSION[$key] = $value;
+    }
+
+    public function retrieve($key) {
+        return $_SESSION[$key];
+    }
+}

lib/Auth.php

@@ -37,7 +37,7 @@ public static function authorizationUrl()
         // Check if we require strict standards
         if(is_null(self::$nonce) && \Shopify\Shopify::strict())
         {
-            throw new Exception\ApiException("Trying to use strict API without nonce");
+            throw new Exception\ApiException('Strict API execution requires a nonce be set');
         }
         if(!is_null(self::$nonce)) $params['state'] = self::$nonce;
         return sprintf("https://%s/%s?%s", \Shopify\Shopify::store(), self::$auth_uri, http_build_query($params));
@@ -48,19 +48,20 @@ public static function authorizationUrl()
      * @param string $nonce
      * @return \Shopfiy\AccessToken
      */
-    public static function accessToken( $nonce = NULL )
+    public static function accessToken()
     {
         // Do any strict checking for our OAuth requests
         if(\Shopify\Shopify::strict())
         {
-            if( !self::checkNonce( $nonce ) ) throw new \Exception("Strict API execution requires a nonce for Authentication requests");
-            if( !\Shopify\Shopify::validateHmac() ) throw new Exception\ApiException("Strict API execution requires a valid HMAC signature");
+            if( is_null( self::$nonce ) ) throw new \Exception('No nonce was set. use Auth::setNonce($nonce) to set one');
+            if( !self::checkNonce( $nonce ) ) throw new \Exception("Authentication nonce failed verification");
+            if( !\Shopify\Shopify::validateHmac() ) throw new Exception\ApiException("HMAC signature failed verification");
         }
         return \Shopify\AccessToken::createFromCode($_GET['code']);
     }
 
     /**
-     * Set a nonce, used to secure API requests
+     * Set the nonce property
      * @param string $nonce
      */
     public static function setNonce($nonce)
@@ -73,7 +74,7 @@ public static function setNonce($nonce)
      * @param  string $nonce
      * @return boolean
      */
-    public static function checkNonce($nonce = NULL)
+    public static function checkNonce($nonce)
     {
         return $nonce === $_GET['state'];
     }
@@ -85,14 +86,14 @@ public static function getNonce()
 
     /**
      * Create a nonce to be used for authentication
-     *
-     * This can be substituted with whichever technique a developer wants to implement
-     *
      * @return string
      */
-    public static function generateNonce()
+    public static function generateNonce( $save = TRUE )
     {
         if(is_null(\Shopify\Shopify::api_secret())) throw new Exception\ApiException("API Secret required for nonce generation");
-        return hash_hmac('sha256', \Shopify\Shopify::store().'.'.time(),\Shopify\Shopify::api_secret() );
+        $nonce = hash_hmac('sha256', \Shopify\Shopify::store().'.'.time(),\Shopify\Shopify::api_secret() );
+
+        if($save) self::setNonce($nonce);
+        return $nonce;
     }
 }

lib/Http/Client.php

@@ -186,7 +186,7 @@ private function handleHttpCode($code)
                 break;
                 default: $msg = "An unknown error code [{$code}] was returned";
             }
-            throw new \Shopify\Exception\ApiException($msg);
+            throw new \Shopify\Exception\ApiException($msg, $code);
         }
     }