
Remove conditional check for params[:signature].

If params have been passed to us but the signature is omitted, that looks
like a malicious login attempt.
Jesse Storimer 14 years ago
parent
commit
fa0c83ea2d
2 changed files with 13 additions and 1 deletions
  1. 1 1
      lib/shopify_api.rb
  2. 12 0
      test/shopify_api_test.rb

+ 1 - 1
lib/shopify_api.rb

@@ -122,7 +122,7 @@ module ShopifyAPI
     def initialize(url, token = nil, params = nil)
       self.url, self.token = url, token
 
-      if params && params[:signature]
+      if params
         unless self.class.validate_signature(params) && params[:timestamp].to_i > 24.hours.ago.utc.to_i
           raise "Invalid Signature: Possible malicious login" 
         end
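Review bot: With the guard reduced to `if params`, an empty hash is truthy in Ruby too, so `Session.new(url, token, {})` now raises as well. Failing closed is the right default, but it deserves a comment above the guard, e.g. `# Any non-nil params must carry a valid signature and a fresh timestamp; pass nil when there are none.` The check now also depends on `validate_signature` returning false for a missing signature rather than failing with some other error; its body is outside this hunk, so confirm that there. Separately, the freshness clause on the `unless` line only bounds `params[:timestamp]` from below, so it accepts a signed parameter set for a full 24 hours and never rejects a future timestamp; a shorter window with an upper bound would narrow the replay window. The body of `initialize` continues outside the hunk.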

+ 12 - 0
test/shopify_api_test.rb

@@ -17,5 +17,17 @@ class ShopifyApiTest < Test::Unit::TestCase
       session = ShopifyAPI::Session.new("testshop.myshopify.com", "any-token")
       assert session.valid?
     end
+    
+    should "not raise error without params" do
+      assert_nothing_raised do
+        session = ShopifyAPI::Session.new("testshop.myshopify.com", "any-token")
+      end
+    end
+    
+    should "raise error if params passed but signature omitted" do
+      assert_raises(RuntimeError) do
+        session = ShopifyAPI::Session.new("testshop.myshopify.com", "any-token", {'foo' => 'bar'})
+      end
+    end
   end
 end
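Review bot: The new negative test passes a string-keyed hash (`{'foo' => 'bar'}`), while `initialize` reads `params[:timestamp]` with a symbol key. It therefore shows that unrelated params are rejected, but not that a fresh timestamp without a signature is. A case such as `ShopifyAPI::Session.new("testshop.myshopify.com", "any-token", {:timestamp => Time.now.to_i.to_s})` inside `assert_raises` would pin the behaviour the commit message describes. `assert_raises(RuntimeError)` would also pass for any RuntimeError, so checking the message for "Invalid Signature" would make the test specific to this check. The `session =` assignments in both new tests are unused and can be dropped.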