Cached Timestamp Value

The following is a series of requests made by clicking on the application name in my embedded app

GET /oauth2/authorization/shopify?hmac=7f0cfdcf4917ffbbcfbb7b8c6d7f7b9227d2236d2f5089c0503611d435016b59&locale=en&shop=XXXXXX.myshopify.com&timestamp=1569095575 HTTP/1.1
Host: XXXXXX.ngrok.io
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: km_ai=be5alatSZFKp1vDxuNWAIS06k9o%3D; km_lv=x; kvcd=1569084531763; JSESSIONID=B3781B84734308118C13A2CA27120A3B
X-Forwarded-Proto: https
X-Forwarded-For: 96.234.50.48

Another click on the app name:

GET /oauth2/authorization/shopify?hmac=7f0cfdcf4917ffbbcfbb7b8c6d7f7b9227d2236d2f5089c0503611d435016b59&locale=en&shop=XXXXXX.myshopify.com&timestamp=1569095575 HTTP/1.1
Host: XXXXXX.ngrok.io
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: km_ai=be5alatSZFKp1vDxuNWAIS06k9o%3D; km_lv=x; kvcd=1569084531763; JSESSIONID=286508C69435DAF92C569DEC196202A0
X-Forwarded-Proto: https
X-Forwarded-For: 96.234.50.48

Please note that the timestamp value in the query string is the same between the requests even though the clicks are minutes apart. My application is throwing an exception (org.springframework.security.access.AccessDeniedException: Invalid timestamp (system timestamp: 1569095731, request timestamp: 1569095575)) because it verifies that the request timestamp is within a 60-second sliding window to prevent replay attacks. Is it possible to ensure that all requests made to an embedded application include a non-cached timestamp value? Thanks.

-Martin

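The check Martin's application performs (HMAC over the query string, then a replay window on the timestamp) is easy to reproduce in isolation. The following is an added example, not code from the post or from Shopify; the shared secret, shop domain and ngrok host are constructed placeholders, and the signing helper uses the sorted, ampersand-joined, hmac-excluded parameter list that Shopify documents for OAuth query verification. It shows why the second request in the post is rejected: the signature is still valid, but the 1569095575 timestamp is 156 seconds behind the 1569095731 system clock, outside the 60-second window.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Replay window in seconds; the application in the post uses 60.
MAX_SKEW_SECONDS = 60


def compute_hmac(query_params, shared_secret):
    """Hex HMAC-SHA256 over the lexicographically sorted key=value pairs,
    joined with '&', with the 'hmac' parameter itself left out."""
    message = "&".join(
        f"{k}={v}" for k, v in sorted(query_params.items()) if k != "hmac"
    )
    return hmac.new(shared_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_signed_url(base, params, shared_secret):
    """Constructed helper that produces a request URL of the shape seen in the post."""
    signed = dict(params)
    signed["hmac"] = compute_hmac(signed, shared_secret)
    return base + "?" + urlencode(sorted(signed.items()))


def verify_request(url, shared_secret, now=None):
    """Return (ok, reason). Signature is checked first so an attacker cannot
    probe the timestamp logic with unsigned input; then the replay window."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    provided = params.get("hmac", "")
    expected = compute_hmac(params, shared_secret)
    if not hmac.compare_digest(provided, expected):
        return False, "invalid hmac"
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        # Same wording as the AccessDeniedException message in the post.
        return False, f"Invalid timestamp (system timestamp: {now}, request timestamp: {ts})"
    return True, "ok"


# Constructed sample mirroring the post: placeholder secret and hosts,
# real timestamp values quoted from the exception message.
SECRET = "hypothetical-shared-secret"
SAMPLE_URL = build_signed_url(
    "https://example.ngrok.io/oauth2/authorization/shopify",
    {"locale": "en", "shop": "example.myshopify.com", "timestamp": "1569095575"},
    SECRET,
)

if __name__ == "__main__":
    print(verify_request(SAMPLE_URL, SECRET, now=1569095575 + 30))  # within window
    print(verify_request(SAMPLE_URL, SECRET, now=1569095731))       # stale, as in the post
    print(verify_request(SAMPLE_URL.replace("locale=en", "locale=fr"), SECRET, now=1569095575))
```

Note the ordering: a request with a forged or missing hmac never reaches the timestamp comparison, and the window is applied symmetrically so a slightly fast client clock is tolerated without widening the replay budget. A cached timestamp, as in the post, looks identical to a replayed request from the server's point of view, which is exactly why the check fires.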
Shopify Staff

I'm not able to replicate this currently. Are you? Or is this intermittent?

For the example you shared, could you provide me with a shop ID as found on /shop.json? That will make it much easier to identify the area of the logs I should be checking.

Cheers.

Please see the attached video that will walk you through the behavior I am experiencing:

Shopify Staff

Hey @mberwanger.

Thanks a bunch for this.

So at first I thought maybe this was an introduced behaviour, but it seems to have actually existed for some time (years). The sentiment right now is that we're going to explore solutions to this, although it was considered working as intended until now. We don't have an easy fix for this one at the moment, so it might take a bit of time to implement.

Thoughts and feedback much appreciated of course, as always.