@code-nl/shopify-hmac
Version:
Shopify HMAC lib to verify Shopify calls
92 lines (68 loc) • 3.05 kB
JavaScript
const chai = require('chai');
const assert = chai.assert;
const sinon = require('sinon');
const { ShopifyWebhookHMAC } = require("../index");
describe("HMAC Webhook", () => {
let apiSecret;
before(() => {
apiSecret = "hush";
});
after(() => {});
it("is able to generate HMAC based on a request body", (done) => {
const request = {
rawBody: Buffer.from(`{"test":"testing"}`, 'utf8')
};
const generatedHmac = ShopifyWebhookHMAC.generate(request, apiSecret);
const expectedHmac = "iv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE=";
assert.equal(generatedHmac, expectedHmac);
done();
});
it("is able to verify a request body with a valid HMAC", (done) => {
const request = {
rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'),
header: () => {}
};
// init a stub for the header to be able to monitor it's usage
const requestHeaderStub = sinon.stub(request, "header");
requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns("iv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE=");
requestHeaderStub.returns("different header");
const verified = ShopifyWebhookHMAC.verify(request, apiSecret);
assert.isTrue(requestHeaderStub.calledOnce, "Header is not read.");
assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256");
assert.isTrue(verified, "HMAC is not verified against value in header.");
requestHeaderStub.restore();
done();
});
it("is able to reject a request body with an invalid HMAC", (done) => {
const request = {
rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'),
header: () => { }
};
// init a stub for the header to be able to monitor it's usage
const requestHeaderStub = sinon.stub(request, "header");
requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns("jv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE=");
requestHeaderStub.returns("different header");
const verified = ShopifyWebhookHMAC.verify(request, apiSecret);
assert.isTrue(requestHeaderStub.calledOnce, "Header is not read.");
assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256");
assert.isFalse(verified, "HMAC is verified against value in header.");
requestHeaderStub.restore();
done();
});
it("is able to reject a request body without any HMAC", (done) => {
const request = {
rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'),
header: () => { }
};
// init a stub for the header to be able to monitor it's usage
const requestHeaderStub = sinon.stub(request, "header");
requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns(null);
requestHeaderStub.returns("different header");
const verified = ShopifyWebhookHMAC.verify(request, apiSecret);
assert.isTrue(requestHeaderStub.calledOnce, "Header is not read.");
assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256");
assert.isFalse(verified, "HMAC is verified against value in header.");
requestHeaderStub.restore();
done();
});
});