Shopify header signature validation

Author: acoumb

src/Umbraco.Cms.Integrations.OAuthProxy/Controllers/ShopifyComplianceController.cs

@@ -1,8 +1,9 @@
 using Microsoft.AspNetCore.Mvc;
+using Umbraco.Cms.Integrations.OAuthProxy.Filters;
 
 namespace Umbraco.Cms.Integrations.OAuthProxy.Controllers
 {
-    [ApiController]
+	[ApiController]
     public class ShopifyComplianceController : Controller
     {
         /// <summary>
@@ -11,6 +12,7 @@ public class ShopifyComplianceController : Controller
         /// <returns></returns>
         [HttpPost]
         [Route("/shopify-compliance/v1/customer/data-request")]
+        [SignatureValidation]
         public IActionResult CustomerDataRequest() => Ok();
 
         /// <summary>
@@ -19,6 +21,7 @@ public class ShopifyComplianceController : Controller
         /// <returns></returns>
         [HttpPost]
         [Route("/shopify-compliance/v1/customer/data-redact")]
+        [SignatureValidation]
         public IActionResult CustomerDataRedact() => Ok();
 
         /// <summary>
@@ -27,6 +30,7 @@ public class ShopifyComplianceController : Controller
         /// <returns></returns>
         [HttpPost]
         [Route("/shopify-compliance/v1/shop/data-redact")]
+        [SignatureValidation]
         public IActionResult ShopDataRedact() => Ok();
     }
 }

src/Umbraco.Cms.Integrations.OAuthProxy/Filters/SignatureValidationAttribute.cs

@@ -0,0 +1,47 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using System;
+using System.IO;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading.Tasks;
+using Umbraco.Cms.Integrations.OAuthProxy.Configuration;
+
+namespace Umbraco.Cms.Integrations.OAuthProxy.Filters
+{
+	public class SignatureValidationAttribute : ActionFilterAttribute
+	{
+		private const string HeaderKey = "X-Shopify-Hmac-Sha256";
+
+        public override async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
+		{
+			var appSettings = context.HttpContext.RequestServices.GetService<IOptions<AppSettings>>().Value;
+
+			var hmacHeaderValues = context.HttpContext.Request.Headers
+				.FirstOrDefault(kvp => kvp.Key.Equals(HeaderKey, StringComparison.OrdinalIgnoreCase)).Value;
+
+			if (hmacHeaderValues.Count == 0)
+			{
+				context.Result = new UnauthorizedResult();
+				return;
+			}
+
+			string hmacHeader = hmacHeaderValues.First();
+
+			HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSettings.ShopifyClientSecret));
+
+			var bodyStream = new StreamReader(context.HttpContext.Request.Body);
+			string requestBody = await bodyStream.ReadToEndAsync();
+			string hash = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody)));
+
+			if (hash != hmacHeader)
+			{
+				context.Result = new UnauthorizedResult();
+				return;
+			}
+		}
+	}
+}