Unverified Commit 3654247c authored by Tim Anema's avatar Tim Anema Committed by GitHub

Merge branch 'master' into additional_data_for_koa_auth

parents 0a6e2d14 4ae1efc3
......@@ -10,6 +10,14 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
- Provide user data via Koa Session
## [3.1.72] - 2020-10-16
- Removes `safe-compare` as a dependency, preferring Node's `crypto.timingSafeEqual` [1470](https://github.com/Shopify/quilt/pull/1470) | [2](https://github.com/Shopify/koa-shopify-auth/issues/2)
## [3.1.71] - 2020-10-16
- Bad release (misaligned tags). Please use `3.1.72` instead.
## [3.1.70] - 2020-09-08
- No changes from 3.1.68
......
......@@ -9,9 +9,9 @@ Sister module to [`@shopify/shopify-express`](https://www.npmjs.com/package/@sho
Features you might know from the express module like the webhook middleware and proxy will be presented as their [own packages instead](https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-graphql-proxy/README.md).
## Warning: 3.1.61-3.1.62 vulnerable to reflected XSS
## Warning: versions prior to 3.1.68 vulnerable to reflected XSS
Versions 3.1.61 and 3.1.62 are vulnerable to a reflected XSS attack. Please update to the latest version to protect your app.
Versions prior to 3.1.68 are vulnerable to a reflected XSS attack. Please update to the latest version to protect your app.
## Installation
......
## Releasing koa-shopify-auth
1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
1. Ensure your local repo is up-to-date
```
git checkout master && git pull
```
1. Add an entry for the new release to `CHANGELOG.md`, and/or move the contents from the *Unreleased* to the new release
1. Stage the `CHANGELOG.md` file
```
git add CHANGELOG.md
```
1. To update the version, create the appropriate tag, commit all staged changes and push to the remote repository
```
yarn version [ --patch | --minor | --major ]
```
Select the applicable option to the `yarn version` command to increment the appropriate part of the version number, i.e., for a version of `x.y.z`,
- `--patch` to increment the `z`
- `--minor` to increment the `y`
- `--major` to increment the `x`
The `preversion` and `postversion` scripts in `package.json` take care of the pre (testing) and post (pushing) actions.
1. Login to `shipit` and press Deploy on the appropriate commit (the commit description will be the version number).
{
"name": "@shopify/koa-shopify-auth",
"version": "3.1.70",
"version": "3.1.72",
"license": "MIT",
"description": "Middleware to authenticate a Koa application with Shopify",
"main": "dist/src/index.js",
......@@ -9,7 +9,9 @@
"test": "jest",
"build": "tsc",
"lint": "eslint",
"prepublishOnly": "yarn run build"
"prepublishOnly": "yarn run build",
"preversion": "yarn test",
"postversion": "git push origin master --follow-tags && echo \"Log in to shipit to deploy version $npm_package_version\""
},
"publishConfig": {
"access": "public"
......@@ -27,7 +29,6 @@
"@shopify/network": "^1.5.0",
"koa-compose": ">=3.0.0 <4.0.0",
"nonce": "^1.0.4",
"safe-compare": "^1.1.2",
"tslib": "^1.9.3"
},
"devDependencies": {
......@@ -35,7 +36,7 @@
"@shopify/jest-koa-mocks": "^2.2.3",
"@types/koa": "^2.0.0",
"@types/koa-compose": "*",
"@types/safe-compare": "^1.1.0",
"@types/node": "^14.11.2",
"babel-preset-shopify": "^21.0.0",
"eslint": "^7.8.1",
"jest": "^26.4.2",
......
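Review bot: The new `preversion` hook only runs `yarn test`, so a release tag and push can be cut from a tree that fails `lint` or does not compile under `tsc`, even though both scripts exist in this same block; since `postversion` then pushes straight to `master` with `--follow-tags`, there is no later gate. Consider `"preversion": "yarn lint && yarn build && yarn test"` so the tag only lands on code that type-checks. Whether jest type-checks here depends on the babel preset configuration, which this hunk does not show.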
// Copied from https://github.com/Shopify/shopify_app
const requestStorageAccess = (shop: string, prefix = '/') => {
const requestStorageAccess = (shop: string, prefix = '') => {
return `(function() {
function redirect() {
var targetInfo = {
myshopifyUrl: "https://${encodeURIComponent(shop)}",
hasStorageAccessUrl: "${prefix}auth/inline?shop=${encodeURIComponent(
hasStorageAccessUrl: "${prefix}/auth/inline?shop=${encodeURIComponent(
shop,
)}",
doesNotHaveStorageAccessUrl: "${prefix}auth/enable_cookies?shop=${encodeURIComponent(
doesNotHaveStorageAccessUrl: "${prefix}/auth/enable_cookies?shop=${encodeURIComponent(
shop,
)}",
appTargetUrl: "${prefix}?shop=${encodeURIComponent(shop)}"
appTargetUrl: "${prefix}/?shop=${encodeURIComponent(shop)}"
}
if (window.top == window.self) {
......
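Review bot: With the default changed from `'/'` to `''` and a `/` now hard-coded before `auth/…`, a caller that still passes `prefix = '/'` (or any prefix ending in a slash) produces `//auth/inline?shop=…`, which browsers resolve as a scheme-relative URL to a host named `auth` rather than a path on this app; if these fields are used as navigation targets that is an open-redirect-shaped bug introduced by the path change. Normalizing once at the top, `const base = prefix.replace(/\/+$/, '');`, and interpolating `${base}` in the three URLs keeps old callers working. Note also that `prefix` is interpolated raw into generated JavaScript source while `shop` is `encodeURIComponent`-ed; that is fine if `prefix` is app configuration, but worth a comment such as `// prefix must be trusted config, never request input: it is spliced into JS source unescaped`. The enclosing template continues past the end of this hunk.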
import crypto from 'crypto';
export default function safeCompare(stringA: string, stringB: string) {
const aLen = Buffer.byteLength(stringA);
const bLen = Buffer.byteLength(stringB);
if (aLen !== bLen) {
return false
}
// Turn strings into buffers with equal length
// to avoid leaking the length
const buffA = Buffer.alloc(aLen, 0, 'utf8');
buffA.write(stringA);
const buffB = Buffer.alloc(bLen, 0, 'utf8');
buffB.write(stringB);
return crypto.timingSafeEqual(buffA, buffB);
}
\ No newline at end of file
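Review bot: The comment "Turn strings into buffers with equal length to avoid leaking the length" is misleading: the `aLen !== bLen` early return just above already makes the length observable through timing, and the `Buffer.alloc` + `write` pair does nothing that `Buffer.from` would not. For an HMAC hex digest the length is fixed and not secret, so the short-circuit is acceptable, but the comment should say so; I would replace the two alloc/write pairs with `const buffA = Buffer.from(stringA, 'utf8');` and `const buffB = Buffer.from(stringB, 'utf8');` and reword the comment to `// Length mismatch returns early; this leaks only the length, which is fixed for an HMAC digest.` The `'utf8'` third argument to `Buffer.alloc` is the encoding of the fill value, which is the number 0 here, so it is a no-op. Also add the missing trailing newline.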
import safeCompare from '../safe-compare'
const hmac = '7c66606415117ff9744a2a9b2be1712a15928b5ef474ab1a9ff5dc36b7dcaed8';
describe('safeCompare', () => {
it('returns true when values are the same', () => {
expect(safeCompare(hmac, hmac)).toBe(true);
});
it('returns false when values are different', () => {
expect(safeCompare(hmac, 'not hmac')).toBe(false);
});
});
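Review bot: The only negative case, `'not hmac'`, differs in length from `hmac`, so it exercises the early length check and never reaches `crypto.timingSafeEqual` with unequal content; a same-length mismatch such as `expect(safeCompare(hmac, hmac.slice(0, -1) + '0')).toBe(false);` is the case that actually pins the constant-time comparison path. A pair of strings with equal character count but different UTF-8 byte length, e.g. `expect(safeCompare('é', 'e\u0301')).toBe(false);`, would also document that comparison is by encoded bytes rather than by `String.length`.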
import validateHmac from '../validate-hmac';
jest.mock('safe-compare', () => {
jest.mock('../safe-compare', () => {
return jest.fn((first: string, second: string) => first === second);
});
const safeCompare = jest.requireMock('safe-compare');
const safeCompare = jest.requireMock('../safe-compare');
const data = {fiz: 'buzz', foo: 'bar'};
const secret = 'some secret';
const hmac = '7c66606415117ff9744a2a9b2be1712a15928b5ef474ab1a9ff5dc36b7dcaed8';
......
......@@ -2,7 +2,7 @@ import querystring from 'querystring';
import crypto from 'crypto';
import {Context} from 'koa';
import safeCompare from 'safe-compare';
import safeCompare from './safe-compare';
export default function validateHmac(
hmac: string,
......
......@@ -1429,6 +1429,11 @@
resolved "https://registry.yarnpkg.com/@types/node/-/node-14.6.4.tgz#a145cc0bb14ef9c4777361b7bbafa5cf8e3acb5a"
integrity sha512-Wk7nG1JSaMfMpoMJDKUsWYugliB2Vy55pdjLpmLixeyMi7HizW2I/9QoxsPCkXl3dO+ZOVqPumKaDUv5zJu2uQ==
"@types/node@^14.11.2":
version "14.11.2"
resolved "https://registry.yarnpkg.com/@types/node/-/node-14.11.2.tgz#2de1ed6670439387da1c9f549a2ade2b0a799256"
integrity sha512-jiE3QIxJ8JLNcb1Ps6rDbysDhN4xa8DJJvuC9prr6w+1tIh+QAbYyNF3tyiZNLDBIuBCf4KEcV2UvQm/V60xfA==
"@types/normalize-package-data@^2.4.0":
version "2.4.0"
resolved "https://registry.yarnpkg.com/@types/normalize-package-data/-/normalize-package-data-2.4.0.tgz#e486d0d97396d79beedd0a6e33f4534ff6b4973e"
......@@ -1449,11 +1454,6 @@
resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.3.tgz#7ee330ba7caafb98090bece86a5ee44115904c2c"
integrity sha512-ewFXqrQHlFsgc09MK5jP5iR7vumV/BYayNC6PgJO2LPe8vrnNFyjQjSppfEngITi0qvfKtzFvgKymGheFM9UOA==
"@types/safe-compare@^1.1.0":
version "1.1.0"
resolved "https://registry.yarnpkg.com/@types/safe-compare/-/safe-compare-1.1.0.tgz#47ed9b9ca51a3a791b431cd59b28f47fa9bf1224"
integrity sha512-1ri+LJhh0gRxIa37IpGytdaW7yDEHeJniBSMD1BmitS07R1j63brcYCzry+l0WJvGdEKQNQ7DYXO2epgborWPw==
"@types/serve-static@*":
version "1.13.5"
resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.5.tgz#3d25d941a18415d3ab092def846e135a08bbcf53"
......@@ -1858,24 +1858,6 @@ bser@2.1.1:
dependencies:
node-int64 "^0.4.0"
buffer-alloc-unsafe@^1.1.0:
version "1.1.0"
resolved "https://registry.yarnpkg.com/buffer-alloc-unsafe/-/buffer-alloc-unsafe-1.1.0.tgz#bd7dc26ae2972d0eda253be061dba992349c19f0"
integrity sha512-TEM2iMIEQdJ2yjPJoSIsldnleVaAk1oW3DBVUykyOLsEsFmEc9kn+SFFPz+gl54KQNxlDnAwCXosOS9Okx2xAg==
buffer-alloc@^1.2.0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/buffer-alloc/-/buffer-alloc-1.2.0.tgz#890dd90d923a873e08e10e5fd51a57e5b7cce0ec"
integrity sha512-CFsHQgjtW1UChdXgbyJGtnm+O/uLQeZdtbDo8mfUgYXCHSM1wgrVxXm6bSyrUuErEb+4sYVGCzASBRot7zyrow==
dependencies:
buffer-alloc-unsafe "^1.1.0"
buffer-fill "^1.0.0"
buffer-fill@^1.0.0:
version "1.0.0"
resolved "https://registry.yarnpkg.com/buffer-fill/-/buffer-fill-1.0.0.tgz#f8f78b76789888ef39f205cd637f68e702122b2c"
integrity sha1-+PeLdniYiO858gXNY39o5wISKyw=
buffer-from@^1.0.0:
version "1.1.1"
resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.1.tgz#32713bc028f75c02fdb710d7c7bcec1f2c6070ef"
......@@ -4669,13 +4651,6 @@ safe-buffer@^5.0.1, safe-buffer@^5.1.2:
resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6"
integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==
safe-compare@^1.1.2:
version "1.1.4"
resolved "https://registry.yarnpkg.com/safe-compare/-/safe-compare-1.1.4.tgz#5e0128538a82820e2e9250cd78e45da6786ba593"
integrity sha512-b9wZ986HHCo/HbKrRpBJb2kqXMK9CEWIE1egeEvZsYn69ay3kdfl9nG3RyOcR+jInTDf7a86WQ1d4VJX7goSSQ==
dependencies:
buffer-alloc "^1.2.0"
safe-regex@^1.1.0:
version "1.1.0"
resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-1.1.0.tgz#40a3669f3b077d1e943d44629e157dd48023bf2e"
......