UNPKG

@code-nl/shopify-hmac

Version:

Shopify HMAC lib to verify Shopify calls

92 lines (68 loc) 3.05 kB
const chai = require('chai'); const assert = chai.assert; const sinon = require('sinon'); const { ShopifyWebhookHMAC } = require("../index"); describe("HMAC Webhook", () => { let apiSecret; before(() => { apiSecret = "hush"; }); after(() => {}); it("is able to generate HMAC based on a request body", (done) => { const request = { rawBody: Buffer.from(`{"test":"testing"}`, 'utf8') }; const generatedHmac = ShopifyWebhookHMAC.generate(request, apiSecret); const expectedHmac = "iv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE="; assert.equal(generatedHmac, expectedHmac); done(); }); it("is able to verify a request body with a valid HMAC", (done) => { const request = { rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'), header: () => {} }; // init a stub for the header to be able to monitor it's usage const requestHeaderStub = sinon.stub(request, "header"); requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns("iv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE="); requestHeaderStub.returns("different header"); const verified = ShopifyWebhookHMAC.verify(request, apiSecret); assert.isTrue(requestHeaderStub.calledOnce, "Header is not read."); assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256"); assert.isTrue(verified, "HMAC is not verified against value in header."); requestHeaderStub.restore(); done(); }); it("is able to reject a request body with an invalid HMAC", (done) => { const request = { rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'), header: () => { } }; // init a stub for the header to be able to monitor it's usage const requestHeaderStub = sinon.stub(request, "header"); requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns("jv7fO2bQBlDXhdx9zlk9Q+pDHWUsD0RzfMBaz3VGaxE="); requestHeaderStub.returns("different header"); const verified = ShopifyWebhookHMAC.verify(request, apiSecret); assert.isTrue(requestHeaderStub.calledOnce, "Header is not read."); assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256"); assert.isFalse(verified, "HMAC is verified against value in header."); requestHeaderStub.restore(); done(); }); it("is able to reject a request body without any HMAC", (done) => { const request = { rawBody: Buffer.from(`{"test":"testing"}`, 'utf8'), header: () => { } }; // init a stub for the header to be able to monitor it's usage const requestHeaderStub = sinon.stub(request, "header"); requestHeaderStub.withArgs("X-Shopify-Hmac-Sha256").returns(null); requestHeaderStub.returns("different header"); const verified = ShopifyWebhookHMAC.verify(request, apiSecret); assert.isTrue(requestHeaderStub.calledOnce, "Header is not read."); assert.equal(requestHeaderStub.args[0][0], "X-Shopify-Hmac-Sha256"); assert.isFalse(verified, "HMAC is verified against value in header."); requestHeaderStub.restore(); done(); }); });