Validating timestamp tolerance when verifying oauth request is authentic

When OAuth occurs, the server must validate that the received HMAC matches the computed HMAC.

That’s fine, but what about the timestamp? Shouldn’t there be some validation to check that the timestamp parameter is within some certain tolerance threshold to avoid someone trying to reuse a valid HMAC (found in some logs for example)? I’m not seeing any guidance on how to handle this in the official Shopify libraries.


I am seeing some timestamps done more than an hour ago. So I have to fail those.

And some of my stats seem to indicate this has gotten gradually worse over the last 30 days: at the start of the period there were 0-3 timeouts, today there were more than 20 timeouts. The number of users is about the same.

As far as I can tell, even the official Shopify libraries for Ruby and Node don’t even bother checking the age of the timestamps.
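The check the original question asks for, as an added example (not code from Shopify's Ruby or Node libraries): verify the HMAC in constant time, then reject the request if its `timestamp` is outside a tolerance window, which is what stops a valid HMAC copied from logs from being replayed. The HMAC message format (all parameters except `hmac`, sorted by key, joined with `&`, HMAC-SHA256 hex) and the 300-second window are assumptions; the secret and query values are constructed.

```ruby
require 'openssl'
require 'uri'

# Tolerance for the timestamp parameter (assumption: cover clock skew and redirect latency, not hours).
MAX_SKEW_SECONDS = 300

# HMAC over every query parameter except "hmac", sorted by key and joined
# with "&", keyed with the app's shared secret and hex-encoded (assumed
# message format; adjust to the exact rules of the OAuth flow you verify).
def compute_hmac(params, secret)
  message = params.reject { |k, _| k == 'hmac' }
                  .sort_by { |k, _| k }
                  .map { |k, v| "#{k}=#{v}" }
                  .join('&')
  OpenSSL::HMAC.hexdigest('SHA256', secret, message)
end

# Constant-time comparison so a timing difference cannot help anyone
# guess the correct HMAC byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [accepted?, reason]. A valid HMAC alone is not enough: a request
# replayed from logs carries a correct HMAC but an old timestamp.
def verify_request(query, secret, now: Time.now.to_i, max_skew: MAX_SKEW_SECONDS)
  params = URI.decode_www_form(query).to_h
  return [false, :missing_hmac] unless params['hmac']
  return [false, :bad_hmac] unless secure_equal?(compute_hmac(params, secret), params['hmac'])
  ts = Integer(params['timestamp'], 10) rescue nil
  return [false, :missing_timestamp] unless ts
  return [false, :stale_timestamp] if (now - ts).abs > max_skew
  [true, :ok]
end

# Constructed callback query for demonstration (not real Shopify data).
def sample_query(secret, ts)
  params = { 'code' => 'constructed-code', 'shop' => 'example.myshopify.com',
             'state' => 'constructed-nonce', 'timestamp' => ts.to_s }
  params['hmac'] = compute_hmac(params, secret)
  URI.encode_www_form(params)
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-shared-secret'
  now = Time.now.to_i
  p verify_request(sample_query(secret, now - 10), secret, now: now)   # fresh request: accepted
  p verify_request(sample_query(secret, now - 7200), secret, now: now) # two hours old: rejected
end
```

Log the rejection reason separately from HMAC failures; a rise in `:stale_timestamp` alone, as the reply above describes, points at clock drift or slow redirects rather than forged requests.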