Merge pull request #1250 from Shopify/liz/auth-fulfillment-service

[Feature] Add authentication for fulfillment service requests

Author: lizkenyon

.changeset/fair-nails-hear.md

@@ -0,0 +1,5 @@
+---
+"@shopify/shopify-api": minor
+---
+
+Add function to authenticate fulfillment service requests

packages/shopify-api/docs/reference/fulfillment-service/README.md

@@ -0,0 +1,9 @@
+# shopify.fulfillmentService
+
+This object contains functions used to authenticate [Fulfillment Service](https://shopify.dev/docs/apps/fulfillment/fulfillment-service-apps/manage-fulfillments) requests coming from Shopify.
+
+| Property                  | Description                                                         |
+| ------------------------- | ------------------------------------------------------------------- |
+| [validate](./validate.md) | Verify whether a request is a valid fulfillment service request. |
+
+[Back to shopifyApi](../shopifyApi.md)

packages/shopify-api/docs/reference/fulfillment-service/validate.md

@@ -0,0 +1,66 @@
+# shopify.fulfillmentService.validate
+
+Takes in a raw request and the raw body for that request, and validates that it's a legitimate fulfillment service request.
+
+Refer to [the fulfillment service documentation](https://shopify.dev/docs/apps/fulfillment/fulfillment-service-apps/manage-fulfillments#step-3-act-on-fulfillment-requests) for more information on how this validation works.
+
+## Example
+
+```ts
+app.post('/fulfillment_order_notification', express.text({type: '*/*'}), async (req, res) => {
+  const result = await shopify.fulfillmentService.validate({
+    rawBody: req.body, // is a string
+    rawRequest: req,
+    rawResponse: res,
+  });
+
+  if (!result.valid) {
+    console.log(`Received invalid fulfillment service request: ${result.reason}`);
+    res.send(400);
+  }
+
+  res.send(200);
+});
+```
+
+## Parameters
+
+Receives an object containing:
+
+### rawBody
+
+`string` | :exclamation: required
+
+The raw body of the request received by the app.
+
+### rawRequest
+
+`AdapterRequest` | :exclamation: required
+
+The HTTP Request object used by your runtime.
+
+### rawResponse
+
+`AdapterResponse` | :exclamation: required for Node.js
+
+The HTTP Response object used by your runtime. Required for Node.js.
+
+## Return
+
+Returns an object containing:
+
+### valid
+
+`boolean`
+
+Whether the request is a valid fulfillment service request from Shopify.
+
+### If valid is `false`:
+
+#### reason
+
+`ValidationErrorReason`
+
+The reason why the check was considered invalid.
+
+[Back to shopify.fulfillmentService](./README.md)

packages/shopify-api/docs/reference/shopifyApi.md

@@ -172,7 +172,8 @@ This function returns an object containing the following properties:
 | [session](./session/README.md)      | Object containing functions to manage Shopify sessions.                                                                                                 |
 | [webhooks](./webhooks/README.md)    | Object containing functions to configure and handle Shopify webhooks.                                                                                   |
 | [billing](./billing/README.md)      | Object containing functions to enable apps to bill merchants.                                                                                           |
-| [flow](./flow/README.md)            | Object containing functions to authenticate Flow extension requests.                                                                                    |
+| [flow](./flow/README.md)            | Object containing functions to authenticate Flow extension requests.
+| [fulfillment service](./fulfillment-service/README.md)            | Object containing functions to authenticate and create fulfillment service requests.                                                                                |
 | [utils](./utils/README.md)          | Object containing general functions to help build apps.                                                                                                 |
 | [rest](../guides/rest-resources.md) | Object containing OO representations of the Admin REST API. See the [API reference documentation](https://shopify.dev/docs/api/admin-rest) for details. |
 

packages/shopify-api/lib/error.ts

@@ -127,5 +127,4 @@ export class BillingError extends ShopifyError {
     this.errorData = errorData;
   }
 }
-
 export class FeatureDeprecatedError extends ShopifyError {}

packages/shopify-api/lib/flow/__tests__/flow.test.ts

@@ -6,7 +6,7 @@ import {
   type NormalizedRequest,
 } from '../../../runtime';
 import {testConfig} from '../../__tests__/test-config';
-import {FlowValidationErrorReason} from '../types';
+import {ValidationErrorReason} from '../../utils/types';
 
 describe('flow', () => {
   describe('validate', () => {
@@ -31,7 +31,7 @@ describe('flow', () => {
         // THEN
         expect(result).toMatchObject({
           valid: false,
-          reason: FlowValidationErrorReason.MissingHmac,
+          reason: ValidationErrorReason.MissingHmac,
         });
       });
 
@@ -55,7 +55,7 @@ describe('flow', () => {
         // THEN
         expect(result).toMatchObject({
           valid: false,
-          reason: FlowValidationErrorReason.InvalidHmac,
+          reason: ValidationErrorReason.InvalidHmac,
         });
       });
 
@@ -84,7 +84,7 @@ describe('flow', () => {
         // THEN
         expect(result).toMatchObject({
           valid: false,
-          reason: FlowValidationErrorReason.MissingBody,
+          reason: ValidationErrorReason.MissingBody,
         });
       });
     });

packages/shopify-api/lib/flow/types.ts

@@ -2,17 +2,16 @@ import {
   HmacValidationType,
   ValidationInvalid,
   ValidationValid,
+  ValidateParams,
 } from '../utils/types';
 import {validateHmacFromRequestFactory} from '../utils/hmac-validator';
 import {ConfigInterface} from '../base-types';
 
-import {FlowValidateParams} from './types';
-
 export function validateFactory(config: ConfigInterface) {
   return async function validate({
     rawBody,
     ...adapterArgs
-  }: FlowValidateParams): Promise<ValidationInvalid | ValidationValid> {
+  }: ValidateParams): Promise<ValidationInvalid | ValidationValid> {
     return validateHmacFromRequestFactory(config)({
       type: HmacValidationType.Flow,
       rawBody,

packages/shopify-api/lib/flow/validate.ts

@@ -0,0 +1,119 @@
+import {shopifyApi} from '../..';
+import {ShopifyHeader} from '../../types';
+import {
+  createSHA256HMAC,
+  HashFormat,
+  type NormalizedRequest,
+} from '../../../runtime';
+import {testConfig} from '../../__tests__/test-config';
+import {ValidationErrorReason} from '../../utils/types';
+
+describe('fulfillment service', () => {
+  describe('validate', () => {
+    describe('failure cases', () => {
+      it('fails if the HMAC header is missing', async () => {
+        // GIVEN
+        const shopify = shopifyApi(testConfig());
+
+        const payload = {field: 'value'};
+        const req: NormalizedRequest = {
+          method: 'GET',
+          url: 'https://my-app.my-domain.io',
+          headers: {},
+        };
+
+        // WHEN
+        const result = await shopify.fulfillmentService.validate({
+          rawBody: JSON.stringify(payload),
+          rawRequest: req,
+        });
+
+        // THEN
+        expect(result).toMatchObject({
+          valid: false,
+          reason: ValidationErrorReason.MissingHmac,
+        });
+      });
+
+      it('fails if the HMAC header is invalid', async () => {
+        // GIVEN
+        const shopify = shopifyApi(testConfig());
+
+        const payload = {field: 'value'};
+        const req: NormalizedRequest = {
+          method: 'GET',
+          url: 'https://my-app.my-domain.io',
+          headers: {[ShopifyHeader.Hmac]: 'invalid'},
+        };
+
+        // WHEN
+        const result = await shopify.fulfillmentService.validate({
+          rawBody: JSON.stringify(payload),
+          rawRequest: req,
+        });
+
+        // THEN
+        expect(result).toMatchObject({
+          valid: false,
+          reason: ValidationErrorReason.InvalidHmac,
+        });
+      });
+
+      it('fails if the body is empty', async () => {
+        // GIVEN
+        const shopify = shopifyApi(testConfig());
+
+        const req: NormalizedRequest = {
+          method: 'GET',
+          url: 'https://my-app.my-domain.io',
+          headers: {
+            [ShopifyHeader.Hmac]: await createSHA256HMAC(
+              shopify.config.apiSecretKey,
+              '',
+              HashFormat.Base64,
+            ),
+          },
+        };
+
+        // WHEN
+        const result = await shopify.fulfillmentService.validate({
+          rawBody: '',
+          rawRequest: req,
+        });
+
+        // THEN
+        expect(result).toMatchObject({
+          valid: false,
+          reason: ValidationErrorReason.MissingBody,
+        });
+      });
+    });
+
+    it('succeeds if the body and HMAC header are correct', async () => {
+      // GIVEN
+      const shopify = shopifyApi(testConfig());
+
+      const payload = {field: 'value'};
+      const req: NormalizedRequest = {
+        method: 'GET',
+        url: 'https://my-app.my-domain.io',
+        headers: {
+          [ShopifyHeader.Hmac]: await createSHA256HMAC(
+            shopify.config.apiSecretKey,
+            JSON.stringify(payload),
+            HashFormat.Base64,
+          ),
+        },
+      };
+
+      // WHEN
+      const result = await shopify.fulfillmentService.validate({
+        rawBody: JSON.stringify(payload),
+        rawRequest: req,
+      });
+
+      // THEN
+      expect(result).toMatchObject({valid: true});
+    });
+  });
+});

packages/shopify-api/lib/fulfillment-service/__tests__/fulfillment-service.test.ts

@@ -0,0 +1,11 @@
+import {ConfigInterface} from '../base-types';
+
+import {validateFactory} from './validate';
+
+export function fulfillmentService(config: ConfigInterface) {
+  return {
+    validate: validateFactory(config),
+  };
+}
+
+export type FulfillmentService = ReturnType<typeof fulfillmentService>;

packages/shopify-api/lib/fulfillment-service/index.ts

@@ -0,0 +1,21 @@
+import {ConfigInterface} from '../base-types';
+import {validateHmacFromRequestFactory} from '../utils/hmac-validator';
+import {
+  HmacValidationType,
+  ValidateParams,
+  ValidationInvalid,
+  ValidationValid,
+} from '../utils/types';
+
+export function validateFactory(config: ConfigInterface) {
+  return async function validate({
+    rawBody,
+    ...adapterArgs
+  }: ValidateParams): Promise<ValidationInvalid | ValidationValid> {
+    return validateHmacFromRequestFactory(config)({
+      type: HmacValidationType.FulfillmentService,
+      rawBody,
+      ...adapterArgs,
+    });
+  };
+}

packages/shopify-api/lib/fulfillment-service/validate.ts

@@ -15,6 +15,7 @@ import {logger, ShopifyLogger} from './logger';
 import {SHOPIFY_API_LIBRARY_VERSION} from './version';
 import {restClientClass} from './clients/admin/rest/client';
 import {ShopifyFlow, shopifyFlow} from './flow';
+import {FulfillmentService, fulfillmentService} from './fulfillment-service';
 
 export * from './error';
 export * from './session/classes';
@@ -27,7 +28,7 @@ export * from './billing/types';
 export * from './clients/types';
 export * from './session/types';
 export * from './webhooks/types';
-export * from './flow/types';
+export * from './utils/types';
 
 export interface Shopify<
   Params extends ConfigParams = ConfigParams,
@@ -44,6 +45,7 @@ export interface Shopify<
   logger: ShopifyLogger;
   rest: Resources;
   flow: ShopifyFlow;
+  fulfillmentService: FulfillmentService;
 }
 
 export function shopifyApi<
@@ -71,6 +73,7 @@ export function shopifyApi<
     webhooks: shopifyWebhooks(validatedConfig),
     billing: shopifyBilling(validatedConfig),
     flow: shopifyFlow(validatedConfig),
+    fulfillmentService: fulfillmentService(validatedConfig),
     logger: logger(validatedConfig),
     rest: {} as Resources,
   };

packages/shopify-api/lib/index.ts

@@ -1,6 +1,16 @@
+import {AdapterArgs} from '../../runtime/types';
+
 export enum HmacValidationType {
   Flow = 'flow',
   Webhook = 'webhook',
+  FulfillmentService = 'fulfillment_service',
+}
+
+export interface ValidateParams extends AdapterArgs {
+  /**
+   * The raw body of the request.
+   */
+  rawBody: string;
 }
 
 export const ValidationErrorReason = {