请求来源无法验证 - Shopify

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了请求来源无法验证 - Shopify相关的知识,希望对你有一定的参考价值。

enter image description here我正在开发Shopify的应用程序。目前正处于开发阶段。到目前为止,我已成功设法授权该应用程序,然后使用Embedded App SDK将其重定向回管理页面。但是,当我返回管理页面时,它给我一个错误说Request origin cannot be verified

控制台显示Failed to load resource: the server responded with a status of 403 (Forbidden)控制台中的URL类似于https://myshop.myshopify.com/admin/apps/dfdjf4343343434343434bfdf/shopify/shopify/callback?code=ffdfdffd&hmac=fdfdfdfdfdfdfdfdfddfdfdfdfdf&shop=myshop.myshopify.com&state=151193864548800&timestamp=1511938648

fdfdfdfdfdfdfdfdfddfdfdfdfdf只是我已经替换的随机字符而不是哈希。仅供参考 - 我已从图像中删除了应用名称和用户个人资料名称以及头像。

答案

发生这种情况是因为,您无法匹配在cookie中设置的状态,同时使用重定向网址进行响应

const ShopifyToken = require('shopify-token')

const forwardingAddress = process.env.HOST

const shopifyToken = new ShopifyToken({
  sharedSecret: process.env.SHOPIFY_API_SECRET,
  redirectUri: forwardingAddress + '/shopify/callback',
  apiKey: process.env.SHOPIFY_API_KEY
})


const shopify = {
  // use this for authentication
  auth: (req, res, next) => {
    const shop = req.query.shop
    if (!shop) {
      return res.status(400).send('Missing shop parameter. Please add ?shop=your-development-shop.myshopify.com to your request')
    }
    const shopRegex = /^([w-]+).myshopify.com/i
    const shopName = shopRegex.exec(shop)[1]
    const state = shopifyToken.generateNonce()
    const url = shopifyToken.generateAuthUrl(shopName, scopes, state)
    res.cookie('state', state)
    res.redirect(url)
  },

  // use this as your callback function
  authCallback: async (req, res) => {
    const { shop, hmac, code, state } = req.query
    const stateCookie = cookie.parse(req.headers.cookie).state
    if (state !== stateCookie) {
    // you are unable to set proper state ("nonce") in this case, thus you are getting this error
      return res.status(403).send('Request origin cannot be verified')
    }
    if (!shop || !hmac || !code) {
      res.status(400).send('Required parameters missing')
    }
    let hmacVerified = shopifyToken.verifyHmac(req.query)
    console.log(`verifying -> ${hmacVerified}`)
    // DONE: Validate request is from Shopify
    if (!hmacVerified) {
      return res.status(400).send('HMAC validation failed')
    }
    const accessToken = await shopifyToken.getAccessToken(shop, code)
    const shopRequestUrl = 'https://' + shop + '/admin/shop.json'
    const shopRequestHeaders = {
      'X-Shopify-Access-Token': accessToken
    }
    try {
      const shopResponse = await request.get(shopRequestUrl, { headers: shopRequestHeaders })
      res.status(200).end(shopResponse)
    } catch (error) {
      res.status(error.statusCode).send(error.error.error_description)
    }
  }
}
另一答案

const express = require('express');
const router = express.Router();
const dotenv = require('dotenv').config();
const cookie = require('cookie');
const requestPromise = require('request-promise');
const ShopifyToken = require('shopify-token');

const scopes = "write_products";
const forwardingAddress = process.env.HOST;

var shopifyToken = new ShopifyToken({
sharedSecret: process.env.SHOPIFY_API_SECRET,
redirectUri: forwardingAddress + '/shopify/callback',
apiKey: process.env.SHOPIFY_API_KEY
})

router.get('/shopify', (req, res) => {
const shop = req.query.shop;
if (!shop) {
    return res.status(400).send('Missing shop parameter. Please add ?shop=your-development-shop.myshopify.com to your request')
}
const shopRegex = /^([w-]+).myshopify.com/i
const shopName = shopRegex.exec(shop)[1]
const state = shopifyToken.generateNonce();
const url = shopifyToken.generateAuthUrl(shopName, scopes, state);
res.cookie('state', state);
res.redirect(url);
});

router.get('/shopify/callback', (req, res) => {
const { shop, hmac, code, state } = req.query;
const stateCookie = cookie.parse(req.headers.cookie).state;

if (state !== stateCookie) {
    // you are unable to set proper state ("nonce") in this case, thus you are getting this error
    return res.status(403).send('Request origin cannot be verified')
}
if (!shop || !hmac || !code) {
    res.status(400).send('Required parameters missing')
}
let hmacVerified = shopifyToken.verifyHmac(req.query)
console.log(`verifying -> ${hmacVerified}`)

// DONE: Validate request is from Shopify
if (!hmacVerified) {
    return res.status(400).send('HMAC validation failed')
}
const accessToken = shopifyToken.getAccessToken(shop, code);
const shopRequestUrl = 'https://' + shop + '/admin/products.json'
const shopRequestHeaders = {
    'X-Shopify-Access-Token': accessToken
}
try {
    const shopResponse = requestPromise.get(shopRequestUrl, { headers: shopRequestHeaders })
    res.status(200).send(shopResponse)
} catch (error) {
    res.status(error.statusCode).send(error.error.error_description)
}

});

module.exports = router;

以上是关于请求来源无法验证 - Shopify的主要内容,如果未能解决你的问题,请参考以下文章

在 Heroku 上开发时,使用 GraphQL 的 Shopify 应用程序无法运行

在NestJS 中添加对Shopify 的WebHook 验证

shopify hmac验证php

Shopify API 跨域 Ajax 请求

Shopify API跨域Ajax请求

无法在 Liquid 代码、Shopify 中找到访问者的位置