BigCommerce App 回调处理

当前配置

官方文档

Single-Click App Callbacks: https://developer.bigcommerce.com/api-docs/apps/guide/callbacks
Verifying the signed payload: https://developer.bigcommerce.com/api-docs/apps/guide/callbacks#verifying-the-signed-payload

回调参数

{"signed_payload":["eyJ1c2VyIjp7ImlkIjoxODk3NTQwLCJlbWFpbCI6InRlc3RAaW9iZXRhLmNvbSJ9LCJvd25lciI6eyJpZCI6MTg5NzU0MCwiZW1haWwiOiJ0ZXN0QGlvYmV0YS5jb20ifSwiY29udGV4dCI6InN0b3Jlcy9zdzd2MGlkenhxIiwic3RvcmVfaGFzaCI6InN3N3YwaWR6eHEiLCJ0aW1lc3RhbXAiOjE2MTIyNjg2ODMuNDYzODcxN30=.N2M4ZjhmNjgxMTczZTk3MWM1YTgxNWE1NDRhOWYxZjIxMzRjMmYzMjExMWYxZDA3NzIwOWIyZjljMmJmYmZjZQ=="]}

Base64解码后（signed_payload 以「.」分为两段，分别解码；注意下面的示例与上面的 signed_payload 并非同一次回调，邮箱、时间戳和签名均不同）:

(1)data:

{"user":{"id":1897540,"email":"test@appblog.cn"},"owner":{"id":1897540,"email":"test@appblog.cn"},"context":"stores/sw7v0idzxq","store_hash":"sw7v0idzxq","timestamp":1612269767.6191726}

(2)sign: 39583f9c6020c1f80f450e935d387bfd1917788c7569a7e863686ae13e118a9f

{
    "user":{
        "id":1897540,
        "email":"test@appblog.cn"
    },
    "owner":{
        "id":1897540,
        "email":"test@appblog.cn"
    },
    "context":"stores/sw7v0idzxq",
    "store_hash":"sw7v0idzxq",
    "timestamp":1612269767.6191726
}

回调处理

// Client-registration id passed to every authorized-client lookup and authentication token below.
private static final String REGISTRATION_ID = SecurityBeansConfig.BIGCOMMERCE_REGISTRATION_ID;

// Store of authorized OAuth2 clients; load() queries it by registration id and store domain.
@Resource
private OAuth2AuthorizedClientService clientService;

// App client secret injected from configuration. load() uses it as the HMAC-SHA256 key when
// verifying signed_payload, so it must never be logged or sent to the browser.
@Value("${bigcommerce.client.client_secret}")
private String clientSecret;

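/**
 * Handles the BigCommerce "load" callback: verifies the {@code signed_payload} query parameter
 * and, when the signature is valid and an authorized client is on record for the store, installs
 * an {@link OAuth2AuthenticationToken} for that store in the security context.
 *
 * <p>{@code signed_payload} has the form {@code base64(json) "." base64(hex HMAC-SHA256)}. The
 * HMAC is checked against the app's client secret before the JSON is parsed, so nothing in the
 * payload is trusted until verification succeeds.
 *
 * @param model view model; receives the {@code shopDomain} attribute on success
 * @param signedPayload raw {@code signed_payload} request parameter
 * @return {@code "success"} when the payload verifies and the store's client is found,
 *     otherwise {@code "authError"}
 */
@RequestMapping(path = SecurityConfig.LOAD_PATH, method = RequestMethod.GET)
public String load(Model model, @RequestParam("signed_payload") String signedPayload) {
    // The payload and its decoded parts are deliberately not logged: the JSON carries user
    // e-mail addresses, and a logged payload/signature pair could be replayed by a log reader.
    log.info("HomeController.load invoked");
    if (!StringUtils.isNotBlank(signedPayload)) {
        return "authError";
    }

    String[] signedPayloads = signedPayload.split("\\.");
    if (signedPayloads.length != 2) {
        log.warn("BigCommerce load callback rejected: signed_payload is not of the form data.signature");
        return "authError";
    }

    try {
        // Decode with an explicit charset; the platform default differs between hosts and would
        // change the bytes that are fed into the HMAC.
        String data = new String(Base64.decodeBase64(signedPayloads[0]), java.nio.charset.StandardCharsets.UTF_8);
        String sign = new String(Base64.decodeBase64(signedPayloads[1]), java.nio.charset.StandardCharsets.UTF_8);

        if (!HmacUtil.verifyHmacSHA256(data, sign, clientSecret)) {
            log.warn("BigCommerce load callback rejected: signature mismatch");
            return "authError";
        }

        // NOTE(review): the payload carries a "timestamp" field, but nothing here checks its
        // freshness, so a captured signed_payload stays valid until the client secret rotates.
        // Confirm whether BigcommerceContext exposes the timestamp and reject stale payloads.
        BigcommerceContext bigcommerceContext = JacksonUtil.toJSONObject(data, BigcommerceContext.class);
        if (bigcommerceContext == null) {
            return "authError";
        }

        // As in the original, an Authentication must already be present in the context before
        // it is replaced — presumably populated by an earlier filter; confirm against the
        // security configuration.
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null || context.getAuthentication() == null) {
            return "authError";
        }

        String shopDomain = String.format("store-%s.mybigcommerce.com", bigcommerceContext.getStoreHash());
        OAuth2AuthorizedClient client = clientService.loadAuthorizedClient(REGISTRATION_ID, shopDomain);
        if (client == null) {
            // this store "has not been installed", or salt and passwords are outdated
            return "authError";
        }

        String apiKey = client.getClientRegistration().getClientId();
        OAuth2AuthenticationToken oauth2Authentication = new OAuth2AuthenticationToken(
                new BigcommerceStore(client.getPrincipalName(), client.getAccessToken().getTokenValue(), apiKey),
                null,
                REGISTRATION_ID);
        SecurityContextHolder.getContext().setAuthentication(oauth2Authentication);

        // NOTE(review): the attribute is named "shopDomain" but receives the store hash; kept
        // as-is because the view presumably depends on it — confirm against the template.
        model.addAttribute("shopDomain", bigcommerceContext.getStoreHash());
        return "success";
    } catch (Exception e) {
        // Fail closed: any decoding, HMAC or parsing error ends in the authError view.
        log.error("Failed to process BigCommerce signed_payload", e);
    }
    return "authError";
}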
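/**
 * HMAC-SHA256 helpers used to authenticate signed callback payloads.
 */
public class HmacUtil {

    /**
     * Computes the HMAC-SHA256 of {@code data} under {@code key}.
     *
     * @param data message to authenticate; encoded as UTF-8 before hashing
     * @param key shared secret; encoded as UTF-8 before use
     * @return the MAC as 64 lowercase hexadecimal characters
     * @throws Exception if the HmacSHA256 algorithm is unavailable or the key is rejected
     */
    public static String hmacSHA256(String data, String key) throws Exception {
        Mac sha256Hmac = Mac.getInstance("HmacSHA256");
        // Explicit UTF-8: getBytes() without a charset uses the platform default, which would
        // make the same payload verify on one host and fail on another.
        SecretKeySpec secretKey =
                new SecretKeySpec(key.getBytes(java.nio.charset.StandardCharsets.UTF_8), "HmacSHA256");
        sha256Hmac.init(secretKey);
        byte[] mac = sha256Hmac.doFinal(data.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        StringBuilder hex = new StringBuilder(mac.length * 2);
        for (byte b : mac) {
            hex.append(Character.forDigit((b >> 4) & 0xF, 16));
            hex.append(Character.forDigit(b & 0xF, 16));
        }
        return hex.toString();
    }

    /**
     * Checks a hex-encoded HMAC-SHA256 signature against the one computed locally.
     *
     * <p>The comparison uses {@link java.security.MessageDigest#isEqual(byte[], byte[])} rather
     * than {@code String.equalsIgnoreCase}, which returns at the first differing character and
     * so leaks, through response timing, how much of a guessed signature was correct.
     *
     * @param text message that was signed
     * @param sign hex signature supplied by the caller; upper- or lowercase is accepted,
     *     {@code null} never verifies
     * @param key shared secret
     * @return {@code true} only when {@code sign} matches the locally computed MAC
     * @throws Exception if the MAC cannot be computed
     */
    public static boolean verifyHmacSHA256(String text, String sign, String key) throws Exception {
        String mySign = hmacSHA256(text, key);
        if (sign == null) {
            return false;
        }
        byte[] expected = mySign.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        // Normalise case first so uppercase hex signatures keep verifying, as they did before.
        byte[] supplied = sign.toLowerCase(java.util.Locale.ROOT)
                .getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return java.security.MessageDigest.isEqual(expected, supplied);
    }
}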

版权声明:
作者:Joe.Ye
链接:https://www.appblog.cn/index.php/2023/03/26/bigcommerce-app-callback-processing/
来源:APP全栈技术分享
文章版权归作者所有,未经允许请勿转载。

当前配置 Auth Callback URL: https://1380ce593ae2.ngrok.io/auth Load Callback URL: https://1380ce593ae2.ngrok.io/load Uninstall Callback URL: https:……