Cached Timestamp Value

mberwanger
Tourist

The following is a series of requests made by clicking on the application name in my embedded app


GET /oauth2/authorization/shopify?hmac=7f0cfdcf4917ffbbcfbb7b8c6d7f7b9227d2236d2f5089c0503611d435016b59&locale=en&shop=XXXXXX.myshopify.com&timestamp=1569095575 HTTP/1.1
Host: XXXXXX.ngrok.io
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: km_ai=be5alatSZFKp1vDxuNWAIS06k9o%3D; km_lv=x; kvcd=1569084531763; JSESSIONID=B3781B84734308118C13A2CA27120A3B
X-Forwarded-Proto: https
X-Forwarded-For: 96.234.50.48


Another click on the app name:


GET /oauth2/authorization/shopify?hmac=7f0cfdcf4917ffbbcfbb7b8c6d7f7b9227d2236d2f5089c0503611d435016b59&locale=en&shop=XXXXXX.myshopify.com&timestamp=1569095575 HTTP/1.1
Host: XXXXXX.ngrok.io
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: km_ai=be5alatSZFKp1vDxuNWAIS06k9o%3D; km_lv=x; kvcd=1569084531763; JSESSIONID=286508C69435DAF92C569DEC196202A0
X-Forwarded-Proto: https
X-Forwarded-For: 96.234.50.48


Please note that the timestamp value in the query string between the requests is the same even though the clicks are minutes apart. My application is throwing an exception (org.springframework.security.access.AccessDeniedException: Invalid timestamp (system timestamp: 1569095731, request timestamp: 1569095575)) because it verifies that the request timestamp is within a 60-second sliding window to prevent replay attacks. Is it possible to ensure that all requests made to an embedded application include a non-cached timestamp value? Thanks.


-Martin
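For readers who want to see the check the post above describes in working form, here is an added example (not the original poster's Spring code and not Shopify's own library): HMAC verification over the query string, followed by the 60-second freshness window, exercised with the two timestamps quoted in the exception. The app secret is constructed, and the character escaping Shopify's documentation applies to keys and values before signing is omitted for brevity.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed secret for this example; a real app secret never appears on the page.
APP_SECRET = b"constructed-app-secret-for-this-example"
WINDOW_SECONDS = 60  # the sliding window the original post describes


def canonical_message(params: dict) -> str:
    """Every parameter except hmac, as key=value pairs sorted by key, joined with '&'."""
    pairs = sorted((k, v) for k, v in params.items() if k != "hmac")
    return "&".join(f"{k}={v}" for k, v in pairs)


def sign(params: dict, secret: bytes = APP_SECRET) -> str:
    """HMAC-SHA256 hex digest of the canonical message under the app secret."""
    msg = canonical_message(params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(query_string: str, now: int, secret: bytes = APP_SECRET) -> tuple:
    """Return (ok, reason). Authenticate the query first, then check freshness."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    expected = sign(params, secret)
    # Constant-time comparison so the check does not leak how much of the digest matched.
    if not hmac.compare_digest(expected, params.get("hmac", "")):
        return False, "bad hmac"
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    # A signed-but-old timestamp (e.g. a cached link) is rejected here, which is
    # exactly the AccessDeniedException the original post reports.
    if abs(now - ts) > WINDOW_SECONDS:
        return False, f"stale timestamp (system {now}, request {ts})"
    return True, "ok"


def signed_query(shop: str, timestamp: int, secret: bytes = APP_SECRET) -> str:
    """Build a query string signed the way the verifier expects (hypothetical helper)."""
    params = {"locale": "en", "shop": shop, "timestamp": str(timestamp)}
    params["hmac"] = sign(params, secret)
    return urlencode(params)
```

Note that the signature itself still validates on the second request; only the freshness check fails, which is why re-signing with a current timestamp on each click is the fix the poster is asking for.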

Alex
Shopify Staff

I'm not able to replicate this currently, are you? Or is this intermittent?


For the example you shared, could you provide me with a shop ID as found on /shop.json? That will help me identify the area of the logs I should be checking out much easier.


Cheers.

Alex | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

mberwanger
Tourist

Please see the attached video that will walk you through the behavior I am experiencing:


Alex
Shopify Staff

Hey @mberwanger.


Thanks a bunch for this.


So at first I thought maybe this was an introduced behaviour, but it seems to have actually existed for some time (years). The sentiment right now is that we're going to explore solutions to this although it was considered working as intended until now, but we don't have an easy fix for this one at the moment, so it might take a bit of time to implement.


Thoughts and feedback much appreciated of course, as always.

Alex | Shopify 

alextucker
Shopify Staff (Retired)

@mberwanger I just wanted to let you know that we have fixed this issue. You should no longer see cached timestamp values on requests to your embedded app.