BigCommerce App 回调处理

当前配置

官方文档

Single-Click App Callbacks: https://developer.bigcommerce.com/api-docs/apps/guide/callbacks
Verifying the signed payload: https://developer.bigcommerce.com/api-docs/apps/guide/callbacks#verifying-the-signed-payload

回调参数

{"signed_payload":["eyJ1c2VyIjp7ImlkIjoxODk3NTQwLCJlbWFpbCI6InRlc3RAaW9iZXRhLmNvbSJ9LCJvd25lciI6eyJpZCI6MTg5NzU0MCwiZW1haWwiOiJ0ZXN0QGlvYmV0YS5jb20ifSwiY29udGV4dCI6InN0b3Jlcy9zdzd2MGlkenhxIiwic3RvcmVfaGFzaCI6InN3N3YwaWR6eHEiLCJ0aW1lc3RhbXAiOjE2MTIyNjg2ODMuNDYzODcxN30=.N2M4ZjhmNjgxMTczZTk3MWM1YTgxNWE1NDRhOWYxZjIxMzRjMmYzMjExMWYxZDA3NzIwOWIyZjljMmJmYmZjZQ=="]}

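Base64解码后(signed_payload 以 "." 分隔为两段,分别进行 Base64 解码;注意:以下示例中的邮箱、时间戳和签名与上面 signed_payload 的实际解码结果不一致,应取自另一次回调):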

(1)data:

{"user":{"id":1897540,"email":"test@appblog.cn"},"owner":{"id":1897540,"email":"test@appblog.cn"},"context":"stores/sw7v0idzxq","store_hash":"sw7v0idzxq","timestamp":1612269767.6191726}

(2)sign: 39583f9c6020c1f80f450e935d387bfd1917788c7569a7e863686ae13e118a9f

{
    "user":{
        "id":1897540,
        "email":"test@appblog.cn"
    },
    "owner":{
        "id":1897540,
        "email":"test@appblog.cn"
    },
    "context":"stores/sw7v0idzxq",
    "store_hash":"sw7v0idzxq",
    "timestamp":1612269767.6191726
}

回调处理

// Registration id used when loading authorized OAuth2 clients and when building the
// authentication token in load(); the value is defined in SecurityBeansConfig.
private static final String REGISTRATION_ID = SecurityBeansConfig.BIGCOMMERCE_REGISTRATION_ID;

// Injected service used in load() to look up the stored authorized client for a store.
@Resource
private OAuth2AuthorizedClientService clientService;

// App client secret, injected from the bigcommerce.client.client_secret property.
// load() uses it as the HMAC-SHA256 key that authenticates signed_payload, so it must
// never be logged or returned to the browser.
@Value("${bigcommerce.client.client_secret}")
private String clientSecret;

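/**
 * Handles the BigCommerce single-click app "load" callback.
 *
 * <p>The {@code signed_payload} parameter has the form
 * {@code base64(json) + "." + base64(hex HMAC-SHA256 of json)}, keyed with the app's client
 * secret. The payload is trusted only after the HMAC check passes; on success the stored
 * OAuth2 client for the store is loaded and installed as the current authentication.
 *
 * <p>The raw {@code signed_payload}, the decoded JSON (which contains user e-mail addresses)
 * and the signature are deliberately not logged: together they form a credential that this
 * endpoint accepts as-is.
 *
 * @param model         view model; receives the {@code shopDomain} attribute on success
 * @param signedPayload the {@code signed_payload} query parameter sent by BigCommerce
 * @return {@code "success"} when the payload verifies and an authorized client exists for the
 *         store, otherwise {@code "authError"}
 */
@RequestMapping(path = SecurityConfig.LOAD_PATH, method = RequestMethod.GET)
public String load(Model model, @RequestParam("signed_payload") String signedPayload) {
    if (StringUtils.isBlank(signedPayload)) {
        log.warn("HomeController.load, signed_payload is blank");
        return "authError";
    }

    String[] signedPayloads = signedPayload.split("\\.");
    if (signedPayloads.length != 2) {
        log.warn("HomeController.load, signed_payload has {} parts, expected 2", signedPayloads.length);
        return "authError";
    }

    try {
        // NOTE(review): both parts are decoded with the platform default charset, and
        // HmacUtil re-encodes `data` the same way before hashing. Keep the two in step if
        // either side is ever switched to an explicit charset.
        String data = new String(Base64.decodeBase64(signedPayloads[0]));
        String sign = new String(Base64.decodeBase64(signedPayloads[1]));

        // Nothing decoded from the payload may be used before this check passes.
        if (!HmacUtil.verifyHmacSHA256(data, sign, clientSecret)) {
            log.warn("HomeController.load, signed_payload signature verification failed");
            return "authError";
        }

        // NOTE(review): the signed payload carries a `timestamp` field, but nothing here
        // checks its freshness, so a captured signed_payload stays acceptable until the
        // client secret is rotated. Consider rejecting stale timestamps once the accessor
        // on BigcommerceContext is confirmed.
        BigcommerceContext bigcommerceContext = JacksonUtil.toJSONObject(data, BigcommerceContext.class);
        if (bigcommerceContext == null) {
            log.warn("HomeController.load, verified payload could not be parsed");
            return "authError";
        }

        // An existing Authentication in the current security context is required, as before.
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null || context.getAuthentication() == null) {
            return "authError";
        }

        String shopDomain = String.format("store-%s.mybigcommerce.com", bigcommerceContext.getStoreHash());
        OAuth2AuthorizedClient client = clientService.loadAuthorizedClient(REGISTRATION_ID, shopDomain);
        if (client == null) {
            // No stored client: the app has not been installed for this store, or the stored
            // credentials are outdated.
            log.warn("HomeController.load, no authorized client for store {}", bigcommerceContext.getStoreHash());
            return "authError";
        }

        String apiKey = client.getClientRegistration().getClientId();
        OAuth2AuthenticationToken oauth2Authentication = new OAuth2AuthenticationToken(
                new BigcommerceStore(client.getPrincipalName(), client.getAccessToken().getTokenValue(), apiKey),
                null,
                REGISTRATION_ID);
        SecurityContextHolder.getContext().setAuthentication(oauth2Authentication);

        // NOTE(review): the attribute is named shopDomain but receives the store hash, not
        // the shopDomain string built above; confirm this is what the view expects.
        model.addAttribute("shopDomain", bigcommerceContext.getStoreHash());
        log.info("HomeController.load, authenticated store {}", bigcommerceContext.getStoreHash());
        return "success";
    } catch (Exception e) {
        // Fail closed: any decoding, HMAC or lookup error yields the error view.
        log.error("HomeController.load, failed to process signed_payload", e);
    }
    return "authError";
}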
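/**
 * HMAC-SHA256 helpers used to authenticate BigCommerce signed payloads.
 */
public class HmacUtil {

    /**
     * Computes the HMAC-SHA256 of {@code data} under {@code key}.
     *
     * <p>NOTE(review): both strings are encoded with the platform default charset, as before.
     * A caller that built {@code data} from raw bytes must have decoded it with the same
     * charset, otherwise the MAC is computed over different bytes than the sender signed.
     *
     * @param data message to authenticate
     * @param key  shared secret
     * @return the MAC as 64 lowercase hexadecimal characters
     * @throws Exception if the HmacSHA256 algorithm is unavailable or the key is rejected
     */
    public static String hmacSHA256(String data, String key) throws Exception {
        Mac sha256Hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes(), "HmacSHA256");
        sha256Hmac.init(secretKey);
        byte[] array = sha256Hmac.doFinal(data.getBytes());
        StringBuilder sb = new StringBuilder(array.length * 2);
        for (byte item : array) {
            // OR-ing with 0x100 forces three hex digits so the low two keep their leading zero.
            sb.append(Integer.toHexString((item & 0xFF) | 0x100).substring(1, 3));
        }
        return sb.toString();
    }

    /**
     * Checks a hex-encoded HMAC-SHA256 signature against {@code text}.
     *
     * <p>The comparison is case-insensitive on the hex digits and runs in constant time with
     * respect to the digest contents, so response timing does not reveal how many leading
     * characters of a forged signature were correct.
     *
     * @param text message that was signed
     * @param sign signature supplied by the sender, as hexadecimal text; {@code null} never verifies
     * @param key  shared secret
     * @return {@code true} only when {@code sign} matches the MAC computed here
     * @throws Exception if the MAC cannot be computed
     */
    public static boolean verifyHmacSHA256(String text, String sign, String key) throws Exception {
        String mySign = hmacSHA256(text, key);
        if (sign == null) {
            return false;
        }
        // hmacSHA256 emits lowercase hex; normalise the supplied value the same way.
        byte[] expected = mySign.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] supplied = sign.toLowerCase(java.util.Locale.ROOT)
                .getBytes(java.nio.charset.StandardCharsets.UTF_8);
        // MessageDigest.isEqual replaces String.equalsIgnoreCase, which stops at the first mismatch.
        return java.security.MessageDigest.isEqual(expected, supplied);
    }
}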