Verify hmac in `setup` callback
EiNSTeiN- opened this issue · 0 comments
EiNSTeiN- commented
I'm opening this issue so I can fix it later on. In the setup callback we set the shop URL from the query parameters. Since we allow the authorize phase to be initiated in response to a GET request, it's possible for someone to maliciously force a user to go through the OAuth flow, and the app will receive a valid access token in response, all without user interaction. It would be much better to avoid CSRF login, so we should verify the HMAC and timestamp in the URL in the setup callback before initiating the authorize phase.
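An added example of the check described in this issue, written here in Ruby and not taken from the issue or the project's code. It assumes a Shopify-style scheme: the `hmac` parameter is the hex HMAC-SHA256, under the app's shared secret, of the remaining query parameters sorted by key and joined as `k=v&k=v`, and `timestamp` is Unix seconds; the freshness window and the secret are assumed values.

```ruby
require 'openssl'
require 'uri'

# Assumed freshness window for the timestamp parameter (not from the issue).
MAX_AGE_SECONDS = 300

# Extracts the query parameters from the setup request URL.
def setup_params_from_url(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

# Canonical string that is signed: every parameter except hmac, sorted by key,
# joined as "k=v&k=v" (assumed Shopify-style layout).
def canonical_query(params)
  params.reject { |k, _| k == 'hmac' }
        .sort_by { |k, _| k }
        .map { |k, v| "#{k}=#{v}" }
        .join('&')
end

def compute_hmac(secret, params)
  OpenSSL::HMAC.hexdigest('sha256', secret, canonical_query(params))
end

# Constant-time comparison so a forged hmac cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when the hmac matches under the shared secret AND the timestamp is
# recent; the setup callback should refuse to start the authorize phase
# otherwise, which is what blocks a forced (CSRF-style) login link.
def valid_setup_request?(params, secret, now: Time.now.to_i, max_age: MAX_AGE_SECONDS)
  given = params['hmac'].to_s
  ts = params['timestamp'].to_s
  return false if given.empty? || ts !~ /\A\d+\z/
  return false if (now - ts.to_i).abs > max_age

  secure_compare(given, compute_hmac(secret, params))
end
```

A tampered `shop` value, a stale `timestamp`, or a missing or wrong `hmac` all make the check return false, so the authorize phase is never started for such a link.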