shopify-sdk 1.0.0

A Rust SDK for the Shopify API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373

//! OAuth callback validation and token exchange.
//!
//! This module provides the [`validate_auth_callback`] function for validating
//! OAuth callbacks from Shopify and exchanging authorization codes for access tokens.
//!
//! # Overview
//!
//! After a user authorizes your app, Shopify redirects them to your callback URL
//! with query parameters including an authorization code. This function:
//!
//! 1. Validates the HMAC signature to ensure the request is from Shopify
//! 2. Verifies the state parameter matches to prevent CSRF attacks
//! 3. Exchanges the authorization code for an access token
//! 4. Returns a [`Session`] ready for API calls
//!
//! # Example
//!
//! ```rust,ignore
//! use shopify_sdk::auth::oauth::{validate_auth_callback, AuthQuery};
//!
//! // Parse callback query parameters from the request
//! let auth_query = AuthQuery::new(/* ... from request ... */);
//!
//! // Retrieve the expected state from the user's session
//! let expected_state = session.get::<String>("oauth_state")?;
//!
//! // Validate and exchange
//! let session = validate_auth_callback(&config, &auth_query, &expected_state).await?;
//!
//! // session is now ready for API calls
//! ```

use crate::auth::oauth::error::OAuthError;
use crate::auth::oauth::hmac::{constant_time_compare, validate_hmac};
use crate::auth::oauth::AuthQuery;
use crate::auth::session::AccessTokenResponse;
use crate::auth::Session;
use crate::config::{ShopDomain, ShopifyConfig};

/// Request body for token exchange.
#[derive(serde::Serialize)]
struct TokenExchangeRequest<'a> {
    client_id: &'a str,
    client_secret: &'a str,
    code: &'a str,
}

/// Validates an OAuth callback and exchanges the code for an access token.
///
/// This function performs the complete OAuth callback validation flow:
///
/// 1. **HMAC Validation**: Verifies the request signature matches using the
///    API secret key (with fallback to old key for rotation support)
/// 2. **State Verification**: Compares the received state with the expected
///    state using constant-time comparison
/// 3. **Shop Validation**: Parses and validates the shop domain
/// 4. **Token Exchange**: POSTs to Shopify's token endpoint to exchange the
///    authorization code for an access token
/// 5. **Session Creation**: Returns a [`Session`] configured with the new token
///
/// # Arguments
///
/// * `config` - Shopify SDK configuration
/// * `auth_query` - The query parameters from the OAuth callback
/// * `expected_state` - The state value that was stored when `begin_auth()` was called
///
/// # Returns
///
/// A [`Session`] with the access token, ready for API calls.
///
/// # Errors
///
/// - [`OAuthError::InvalidHmac`]: HMAC signature validation failed
/// - [`OAuthError::StateMismatch`]: State parameter doesn't match expected
/// - [`OAuthError::InvalidCallback`]: Shop domain is invalid
/// - [`OAuthError::TokenExchangeFailed`]: Token exchange request failed
/// - [`OAuthError::HttpError`]: Network error during token exchange
///
/// # Security Notes
///
/// - HMAC comparison uses constant-time comparison to prevent timing attacks
/// - State comparison uses constant-time comparison to prevent timing attacks
/// - Both primary and old API secret keys are tried for HMAC validation
///   (supporting key rotation)
///
/// # Example
///
/// ```rust,ignore
/// use shopify_sdk::auth::oauth::{validate_auth_callback, AuthQuery};
///
/// async fn handle_callback(
///     config: &ShopifyConfig,
///     query: AuthQuery,
///     stored_state: &str,
/// ) -> Result<(), OAuthError> {
///     let session = validate_auth_callback(config, &query, stored_state).await?;
///
///     // Store the session for later use
///     store_session(&session).await;
///
///     // The session is now ready for API calls
///     println!("Got access token for shop: {}", session.shop.as_ref());
///     Ok(())
/// }
/// ```
pub async fn validate_auth_callback(
    config: &ShopifyConfig,
    auth_query: &AuthQuery,
    expected_state: &str,
) -> Result<Session, OAuthError> {
    // Step 1: Validate HMAC signature
    if !validate_hmac(auth_query, config) {
        return Err(OAuthError::InvalidHmac);
    }

    // Step 2: Verify state matches (constant-time comparison)
    if !constant_time_compare(&auth_query.state, expected_state) {
        return Err(OAuthError::StateMismatch {
            expected: expected_state.to_string(),
            received: auth_query.state.clone(),
        });
    }

    // Step 3: Parse and validate shop domain
    let shop = ShopDomain::new(&auth_query.shop).map_err(|_| OAuthError::InvalidCallback {
        reason: format!("Invalid shop domain: {}", auth_query.shop),
    })?;

    // Step 4: Exchange authorization code for access token
    let token_url = format!("https://{}/admin/oauth/access_token", shop.as_ref());

    let request_body = TokenExchangeRequest {
        client_id: config.api_key().as_ref(),
        client_secret: config.api_secret_key().as_ref(),
        code: &auth_query.code,
    };

    // Use reqwest directly since this is an unauthenticated request
    let client = reqwest::Client::new();
    let response = client
        .post(&token_url)
        .json(&request_body)
        .send()
        .await
        .map_err(|e| OAuthError::TokenExchangeFailed {
            status: 0,
            message: format!("Network error: {e}"),
        })?;

    let status = response.status().as_u16();

    if !response.status().is_success() {
        let error_body = response.text().await.unwrap_or_default();
        return Err(OAuthError::TokenExchangeFailed {
            status,
            message: error_body,
        });
    }

    // Step 5: Parse token response
    let token_response: AccessTokenResponse =
        response
            .json()
            .await
            .map_err(|e| OAuthError::TokenExchangeFailed {
                status,
                message: format!("Failed to parse token response: {e}"),
            })?;

    // Step 6: Create and return session
    let session = Session::from_access_token_response(shop, &token_response);

    Ok(session)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::auth::oauth::hmac::compute_signature;
    use crate::config::{ApiKey, ApiSecretKey, HostUrl};
    use wiremock::matchers::{body_json, method, path};
    use wiremock::{Mock, MockServer, ResponseTemplate};

    fn create_test_config() -> ShopifyConfig {
        ShopifyConfig::builder()
            .api_key(ApiKey::new("test-api-key").unwrap())
            .api_secret_key(ApiSecretKey::new("test-secret").unwrap())
            .host(HostUrl::new("https://myapp.example.com").unwrap())
            .build()
            .unwrap()
    }

    fn create_valid_auth_query(secret: &str) -> AuthQuery {
        let mut query = AuthQuery::new(
            "auth-code-123".to_string(),
            "test-shop.myshopify.com".to_string(),
            "1700000000".to_string(),
            "test-state".to_string(),
            "dGVzdC1ob3N0".to_string(),
            String::new(),
        );

        let signable = query.to_signable_string();
        query.hmac = compute_signature(&signable, secret);
        query
    }

    #[tokio::test]
    async fn test_validate_auth_callback_validates_hmac() {
        let config = create_test_config();
        let query = AuthQuery::new(
            "code".to_string(),
            "shop.myshopify.com".to_string(),
            "12345".to_string(),
            "state".to_string(),
            "host".to_string(),
            "invalid-hmac".to_string(),
        );

        let result = validate_auth_callback(&config, &query, "state").await;

        assert!(matches!(result, Err(OAuthError::InvalidHmac)));
    }

    #[tokio::test]
    async fn test_validate_auth_callback_rejects_state_mismatch() {
        let config = create_test_config();
        let query = create_valid_auth_query("test-secret");

        let result = validate_auth_callback(&config, &query, "wrong-state").await;

        match result {
            Err(OAuthError::StateMismatch { expected, received }) => {
                assert_eq!(expected, "wrong-state");
                assert_eq!(received, "test-state");
            }
            _ => panic!("Expected StateMismatch error"),
        }
    }

    #[tokio::test]
    async fn test_validate_auth_callback_with_invalid_shop() {
        let config = create_test_config();
        let mut query = AuthQuery::new(
            "code".to_string(),
            "invalid shop domain".to_string(), // Invalid domain
            "12345".to_string(),
            "test-state".to_string(),
            "host".to_string(),
            String::new(),
        );

        // Compute valid HMAC
        let signable = query.to_signable_string();
        query.hmac = compute_signature(&signable, "test-secret");

        let result = validate_auth_callback(&config, &query, "test-state").await;

        match result {
            Err(OAuthError::InvalidCallback { reason }) => {
                assert!(reason.contains("Invalid shop domain"));
            }
            _ => panic!("Expected InvalidCallback error"),
        }
    }

    #[tokio::test]
    async fn test_validate_auth_callback_returns_session_on_success() {
        // Start a mock server
        let mock_server = MockServer::start().await;

        // Configure the mock to respond to token exchange
        Mock::given(method("POST"))
            .and(path("/admin/oauth/access_token"))
            .and(body_json(serde_json::json!({
                "client_id": "test-api-key",
                "client_secret": "test-secret",
                "code": "auth-code-123"
            })))
            .respond_with(ResponseTemplate::new(200).set_body_json(serde_json::json!({
                "access_token": "new-access-token",
                "scope": "read_products,write_orders"
            })))
            .mount(&mock_server)
            .await;

        // Create a config with the mock server URL
        // Note: We can't easily redirect the token exchange URL in this test,
        // so we'll test the components individually and rely on integration tests
        // for full flow testing.

        // This test verifies the function structure is correct
        let config = create_test_config();
        let query = create_valid_auth_query("test-secret");

        // The actual network call will fail because we can't redirect the shop URL
        // to the mock server, but we can verify the validation steps work
        let result = validate_auth_callback(&config, &query, "test-state").await;

        // Should fail at token exchange (network error to real domain)
        // In a real integration test with proper mocking, this would succeed
        assert!(matches!(
            result,
            Err(OAuthError::TokenExchangeFailed { .. })
        ));
    }

    #[tokio::test]
    async fn test_validate_auth_callback_handles_token_exchange_error() {
        let config = create_test_config();
        let query = create_valid_auth_query("test-secret");

        // This will fail because we're trying to connect to a real domain
        let result = validate_auth_callback(&config, &query, "test-state").await;

        // Should return TokenExchangeFailed
        assert!(matches!(
            result,
            Err(OAuthError::TokenExchangeFailed { .. })
        ));
    }

    #[test]
    fn test_constant_time_compare_in_state_validation() {
        // Verify we're using constant-time comparison
        assert!(constant_time_compare("state123", "state123"));
        assert!(!constant_time_compare("state123", "state124"));
    }

    #[tokio::test]
    async fn test_validate_hmac_with_old_key_fallback() {
        let config = ShopifyConfig::builder()
            .api_key(ApiKey::new("test-key").unwrap())
            .api_secret_key(ApiSecretKey::new("new-secret").unwrap())
            .old_api_secret_key(ApiSecretKey::new("old-secret").unwrap())
            .host(HostUrl::new("https://app.example.com").unwrap())
            .build()
            .unwrap();

        // Create query with HMAC using OLD secret
        let query = create_valid_auth_query("old-secret");

        // Should pass HMAC validation (fallback to old key) but fail on token exchange
        let result = validate_auth_callback(&config, &query, "test-state").await;

        // Should get past HMAC and state validation to token exchange
        assert!(matches!(
            result,
            Err(OAuthError::TokenExchangeFailed { .. })
        ));
    }

    #[tokio::test]
    async fn test_validate_auth_callback_with_correct_state() {
        let config = create_test_config();
        let query = create_valid_auth_query("test-secret");

        // Pass the correct state
        let result = validate_auth_callback(&config, &query, "test-state").await;

        // Should get past state validation to token exchange
        // Will fail on token exchange since we're not mocking the Shopify API
        match &result {
            Err(OAuthError::StateMismatch { .. }) => {
                panic!("Should not fail on state mismatch with correct state")
            }
            Err(OAuthError::InvalidHmac) => {
                panic!("Should not fail on HMAC with valid HMAC")
            }
            _ => {} // Any other error (token exchange) is expected
        }
    }
}