security.php 897 B

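  <?php
  /**
   * Request gate: validates the query string of an incoming Shopify request
   * and stops the script (echoing SHOP_REQUIRED or ACCESS_DENIED) when any
   * check fails. Everything read from $_GET is treated as attacker-controlled.
   *
   * Checks, in order: shop present, shop host shape, optional state,
   * HMAC-SHA256 signature over the remaining parameters, optional client_id,
   * optional client_secret, optional non-empty code.
   *
   * Constants (SHARED_SECRET, SHOPIFY_DOMAIN, NONCE, API_KEY, SHOP_REQUIRED,
   * ACCESS_DENIED) are expected to come from config.php.
   */
  include_once('config.php');

  $params = $_GET;

  // An array-style value (?hmac[]=x) can never be a valid signature. Reduce it
  // to '' so it is rejected by the comparison below instead of reaching
  // hash_equals() with a non-string argument.
  $hmac = (isset($_GET['hmac']) && is_string($_GET['hmac'])) ? $_GET['hmac'] : '';

  // The signature covers every parameter except the signature itself,
  // sorted by key.
  unset($params['hmac']);
  ksort($params);
  $computed_hmac = hash_hmac('sha256', http_build_query($params), SHARED_SECRET);

  if (!isset($_GET['shop'])) {
      echo SHOP_REQUIRED;
      exit;
  }

  // The shop must be a plain host name that ENDS with the platform domain.
  // A substring test would also accept values such as "<domain>.example.net"
  // or "example.net/?x=<domain>", where the domain merely appears somewhere.
  // NOTE(review): assumes SHOPIFY_DOMAIN is a bare DNS suffix, with or without
  // a leading dot -- confirm against config.php.
  $shop = $_GET['shop'];
  $shop_suffix = '.' . ltrim((string) SHOPIFY_DOMAIN, '.');
  if (!is_string($shop)
      || !preg_match('/\A[a-zA-Z0-9][a-zA-Z0-9.\-]*\z/', $shop)
      || strlen($shop) <= strlen($shop_suffix)
      || substr_compare($shop, $shop_suffix, -strlen($shop_suffix)) !== 0
  ) {
      echo ACCESS_DENIED;
      exit;
  }

  // state is only checked when the request carries it. The comparison is
  // type-strict and constant-time: loose != treats numeric-looking strings
  // such as "1e3" and "1000" as equal.
  // NOTE(review): NONCE is a constant, so the same state value is expected on
  // every request -- confirm it is generated per authorization flow.
  if (isset($_GET['state'])
      && !(is_string($_GET['state']) && hash_equals((string) NONCE, $_GET['state']))
  ) {
      echo ACCESS_DENIED;
      exit;
  }

  // hash_equals() takes the known value first and the caller-supplied value
  // second.
  if (!hash_equals($computed_hmac, $hmac)) {
      echo ACCESS_DENIED;
      exit;
  }

  if (isset($_GET['client_id'])
      && !(is_string($_GET['client_id']) && hash_equals((string) API_KEY, $_GET['client_id']))
  ) {
      echo ACCESS_DENIED;
      exit;
  }

  // NOTE(review): a secret carried in a query string tends to end up in access
  // logs and browser history; confirm any caller really needs to send it here.
  if (isset($_GET['client_secret'])
      && !(is_string($_GET['client_secret']) && hash_equals((string) SHARED_SECRET, $_GET['client_secret']))
  ) {
      echo ACCESS_DENIED;
      exit;
  }

  // A supplied code must be a non-empty string; an array value is rejected too.
  if (isset($_GET['code']) && (!is_string($_GET['code']) || $_GET['code'] === '')) {
      echo ACCESS_DENIED;
      exit;
  }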