Fixed cURL instantiation

Author: Robert Wittman

README.md

@@ -7,32 +7,44 @@ This SDK was created to enable rapid efiicient development using Shopify's API.
 
 ## Installation
 
-```json
-{
-    "require" : {
-        "robby-bugatti/shopify-php-sdk": "1.0.0"
-    }
-}
-```
-or
+Easily install this package with composer
 
 ```shell
 composer require robby-bugatti/shopify-php-sdk
 ```
 
-then install
-
-```shell
-composer install
-```
-
 Before you can start using this SDK, you have to create a <a href="https://partners.shopify.com/">Shopify Application</a>
 You can now use the API key and secret to generate access tokens, which can then access a stores data
 
+### A Note on Strict Execution
+
+When the SDK is run, it defaults to running in a strict environment. This requires that:
+A) The HMAC Hash of request parameters matches output generated by your application's secret key
+B) Authentication responses contain a 'state' parameter that matches the one placed in the request
+
+Because you can be deploying your application in distributed environments, or be using any number of
+storage engines, this SDK will not store these state variables for you. However, it does expose a few
+functions for generating and managing them
+
+```php
+\Shopify\Auth::generateNonce() // Returns a hashed string of <store>.<timestamp>, using API Secret as key
+// hash_hmac('sha256', <store>.<timestamp>, \Shopify\Shopify::api_secret());s
+```
+This will return a hashed string, composed by concatenating the store name with a timestamp, using the API Secret
+as the key.
 
-## Usage / Examples
+```php
+\Shopify\Auth::setNonce( $nonce = NULL )
+```
+This will set a nonce in the Auth Object. It will be added to the authorizationUrl, and when required,
+compare it to the ?state=<nonce_here> returned by Shopify
 
-Essentially, there are 2 ways to initialize this SDK.
+```php
+\Shopify\Auth::checkNonce( $nonce = NULL )
+```
+This will return TRUE or FALSE, depending on if the nonce in the URL matches a nonce set through setNonce()
+This function is automatically run during accessToken() in strict environments, so you shouldnt need to
+call it explicitly
 
 ### Authentication
 
@@ -46,14 +58,17 @@ $options = array(
     'permissions' => "<permissions your applicaiton requires, comma separated>",
     'store' => "myshopify.domain.com"
 );
-
 \Shopify\Shopify::init($options);
 
+// Store this somewhere so we can compare it later
+$storageEngine->store($nonce);
+
 if(isset($_GET['code']))
 {
     // Redirect to Shopify to start OAuth
     header("Location: ".\Shopify\Auth::authorizationUrl());
 } else {
+
     // We can go ahead and get the access token
     echo \Shopify\Auth::accessToken();
     // This should return something that looks like this:
@@ -74,6 +89,7 @@ $options = array(
 
 You now have access to all the methods the SDK provides!
 
+
 ### Reading
 
 The SDK uses static methods to fetch data from Shopify

lib/Auth.php

@@ -33,6 +33,7 @@ public static function authorizationUrl()
             'client_id'     => \Shopify\Shopify::api_key(),
             'scope'         => \Shopify\Shopify::permissions()
         );
+
         // Check if we require strict standards
         if(is_null(self::$nonce) && \Shopify\Shopify::strict())
         {
@@ -44,15 +45,16 @@ public static function authorizationUrl()
 
     /**
      * Fetch an access token
+     * @param string $nonce
      * @return \Shopfiy\AccessToken
      */
-    public static function accessToken()
+    public static function accessToken( $nonce = NULL )
     {
         // Do any strict checking for our OAuth requests
         if(\Shopify\Shopify::strict())
         {
-            if( is_null(self::$nonce) || ! isset( $_GET['state'])) throw new \Exception("Strict API execution requires a nonce for Authentication requests");
-            if(!\Shopify\Shopify::strict() && !\Shopify\Shopify::validateHmac()) throw new Exception\ApiException("Strict API execution requires a valid HMAC signature");
+            if( !self::checkNonce( $nonce ) ) throw new \Exception("Strict API execution requires a nonce for Authentication requests");
+            if( !\Shopify\Shopify::validateHmac() ) throw new Exception\ApiException("Strict API execution requires a valid HMAC signature");
         }
         return \Shopify\AccessToken::createFromCode($_GET['code']);
     }
@@ -65,4 +67,32 @@ public static function setNonce($nonce)
     {
         self::$nonce = $nonce;
     }
+
+    /**
+     * Verify that nonces match
+     * @param  string $nonce
+     * @return boolean
+     */
+    public static function checkNonce($nonce = NULL)
+    {
+        return $nonce === $_GET['state'];
+    }
+
+    public static function getNonce()
+    {
+        return self::$nonce;
+    }
+
+    /**
+     * Create a nonce to be used for authentication
+     *
+     * This can be substituted with whichever technique a developer wants to implement
+     *
+     * @return string
+     */
+    public static function generateNonce()
+    {
+        if(is_null(\Shopify\Shopify::api_secret())) throw new Exception\ApiException("API Secret required for nonce generation");
+        return hash_hmac('sha256', \Shopify\Shopify::store().'.'.time(),\Shopify\Shopify::api_secret() );
+    }
 }

lib/Http/Client.php

@@ -115,9 +115,8 @@ public function request(Request $request)//$method, $url, $params = array(), $js
         // Execute our curl request
         curl_setopt_array($curl, $opts);
         $res_body = curl_exec($curl);
-        $errno = curl_errno($curl);
         $rcode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-        curl_close($curl);
+        $errno = curl_errno($curl);
 
         // Check if curl instantiated, or throw an error
         if($res_body === false)
@@ -146,6 +145,7 @@ public function request(Request $request)//$method, $url, $params = array(), $js
         }
         unset($jsonBody);
 
+        curl_close($curl);
 
         $this->handleHttpCode($response->getHttpCode());
         return $response;
@@ -168,6 +168,7 @@ private function handleHttpCode($code)
                 case 404:
                     $msg = "That resource does not exist";
                 break;
+                case 400:
                 case 406:
                     $msg = "Request Information was Not Acceptable";
                 break;
@@ -180,6 +181,9 @@ private function handleHttpCode($code)
                 case 500:
                     $msg = "There was an error comunicating with Shopify";
                 break;
+                case 503:
+                    $msg = "Service unavailable. Is your domain set correctly?";
+                break;
                 default: $msg = "An unknown error code [{$code}] was returned";
             }
             throw new \Shopify\Exception\ApiException($msg);

tests/AuthTest.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace Shopify;
+
+class AuthTest extends TestCase
+{
+    // private $opts = [
+    //     'test' => TRUE,
+    //     'debug' => FALSE,
+    //     'strict' => FALSE,
+    //     'api_key' => '1231g3g24gq3v',
+    //     'api_secret' => "asdpaosidcoaij23r",
+    //     'redirect_uri' => "https://some_randomg_url",
+    //     'access_token' => 'asdifpaoisdjpfaoijsdfp',
+    //     'permissions' => "read_products,write_products",
+    //     'store' => "dev.myshopify.com"
+    // ];
+
+    public function testGenerateNonce()
+    {
+        $nonce = Auth::generateNonce();
+        $this->assertEquals($nonce, hash_hmac('sha256', Shopify::store().'.'.time(), Shopify::api_secret()));
+    }
+
+    public function testSetNonce()
+    {
+        Auth::setNonce('some-random-string');
+        $this->assertEquals(Auth::getNonce(), 'some-random-string');
+    }
+
+    public function testAuthorizationUrl()
+    {
+        Auth::setNonce('some-random-string');
+        $url = Auth::authorizationUrl();
+        $query_string = parse_url($url, PHP_URL_QUERY);
+        $params = [];
+        parse_str($query_string, $params);
+        $this->assertNotNull($params['state']);
+        $this->assertEquals($params['state'], 'some-random-string');
+    }
+}

tests/Http/ClientTest.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace Shopify;
+
+class ClientTest extends TestCase
+{
+    protected $client;
+
+    public function setUp()
+    {
+        $this->client = new Http\Client();
+    }
+
+    /**
+     * @expectedException \Shopify\Exception\ApiException
+     */
+    public function testClientInvalidDomain()
+    {
+        $request = new Http\Request('0.0.0.0', 'GET', [], []);
+        $response = $this->client->request($request);
+    }
+
+    /**
+     * @expectedException \Shopify\Exception\CurlException
+     */
+    public function testClientInitFailure()
+    {
+        $request = new Http\Request('http://test-shop/admin/products.json' ,'GET', [], []);
+        $response = $this->client->request($request);
+    }
+}

tests/TestCase.php

@@ -5,9 +5,19 @@
 class TestCase extends \PHPUnit_Framework_TestCase
 {
     protected $client;
-
+    private $opts = [
+        'test' => TRUE,
+        'debug' => FALSE,
+        'strict' => FALSE,
+        'api_key' => '1231g3g24gq3v',
+        'api_secret' => "asdpaosidcoaij23r",
+        'redirect_uri' => "https://some_randomg_url",
+        'access_token' => 'asdifpaoisdjpfaoijsdfp',
+        'permissions' => "read_products,write_products",
+        'store' => "dev.myshopify.com"
+    ];
     public function setUp()
     {
-        Shopify::init(['test' => TRUE]);
+        Shopify::init($this->opts);
     }
 }