Shopify Multipass : Elixir Implementation

fireproofsocks · March 6, 2019, 11:34pm

I’m working on an Elixir implementation of Shopify’s Multipass feature – it’s basically a single-sign-on (SSO) flow that lets your app handle authentication, and on success, it produces a URL that when clicked will cause a customer record to be upserted into Shopify. They include working examples of how to do this in PHP and Ruby, but I cannot make it work in Elixir.

You have to enable the feature and they give you a 32 character shared secret key.

# Example key from Shopify Admin
multipass_secret = "1234567890abcdef1234567890abcdef"

customer_data = %{
  email: "test@test.shopify.com",
  created_at: DateTime.to_iso8601(Timex.now()),  # <-- the token will only be valid for a small timeframe around this timestamp.
}

key_material = :crypto.hash(:sha256, multipass_secret)
# Split the key into 2 binaries each containing exactly 16 bytes
<< encryption_key::binary-size(16), signature_key::binary-size(16) >> = key_material

customer_data_as_string = Jason.encode!(customer_data)

# Initialization Vector
ivec = :crypto.strong_rand_bytes(16)

to_add = 16 - rem(byte_size(customer_data_as_string), 16)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)

cipher_text = ivec <> :crypto.block_encrypt(:aes_cbc128, encryption_key, ivec, padded)
signature = :crypto.hmac(:sha256, signature_key, cipher_text)
message = cipher_text <> signature

token = Base.encode16(message, case: :lower)

"https://yourstore.myshopify.com/account/login/multipass/#{token}"

Note that this feature is only available in Shopify Plus accounts.

Links I’ve been pouring over:

Does anyone have some pointers on converting this? Thanks!

Ninigi · March 7, 2019, 12:52am

Do you get a meaningful error? What exactly happens when you try this?

fireproofsocks · March 7, 2019, 1:19am

No error on generation, but when I click the link to head over to Shopify, I get a bad request error. Using the PHP or Ruby code samples results in a working link that logs me into the Shopify store.

Ninigi · March 7, 2019, 3:55am

Before diving too deep into this, can you try

token = Base.url_encode64(message)

EDIT

I took the provided ruby code on the Shopify documentation, replaced dynamic values with static values (the json string and iv) and used the resulting token to set up a simple test.

I think you already had it:

multipass_secret = "1234567890abcdef1234567890abcdef"

customer_data = %{
  email: "test@test.shopify.com",
  created_at: "2019-03-07T11:34:51.153+09:00"
}

key_material = :crypto.hash(:sha256, multipass_secret)
# Split the key into 2 binaries each containing exactly 16 bytes
<< encryption_key::binary-size(16), signature_key::binary-size(16) >> = key_material

customer_data_as_string = Jason.encode!(customer_data)

# Initialization Vector
ivec = "testieivphrasefo" # :crypto.strong_rand_bytes(16)

to_add = 16 - rem(byte_size(customer_data_as_string), 16)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)

cipher_text = ivec <> :crypto.block_encrypt(:aes_cbc128, encryption_key, ivec, padded)

signature = :crypto.hmac(:sha256, signature_key, cipher_text)

message = cipher_text <> signature

Base.url_encode64(message)
# Should give you:
# "dGVzdGllaXZwaHJhc2VmbxNXNKV-epmKd9gZPxrsFbqUbYcYVFjtPSleoB-61FpmhCtibtr8cxudaPBvk8QBqdggqsOofjr21PdwM4qvHNNJh8jyMzH9emUfjxNLj2M6dZ5BGyBlFhF7OWQHWljxQywhqP7RCC0klKG_zYwlNm8="

Just change Base.encode16/2 to Base.url_encode64/1

fireproofsocks · March 7, 2019, 5:07pm

WOW. That has to be the best typo I’ve made in weeks! Base 16?!? I was so focused on the hard parts of the crypto stuff that I didn’t pay attention to the last bit. THANK YOU!!

fireproofsocks · March 7, 2019, 5:22pm

For the record, here is the complete working proof-of-concept code:

# Use your multipass secret from the Shopify Dashboard: Settings -> Checkout 
multipass_secret = "1234567890abcdef1234567890abcdef"
block_size = 16

customer_data = %{
  email: "test@test.shopify.com",
  created_at: DateTime.to_iso8601(Timex.now()), # Must be a current time
}

# Split the secret into 2 binary keys each containing exactly 16 bytes
key_material = :crypto.hash(:sha256, multipass_secret)
<< encryption_key::binary-size(16), signature_key::binary-size(16) >> = key_material

# Encode the message payload
customer_data_as_string = Jason.encode!(customer_data)

# Initialization Vector
ivec = :crypto.strong_rand_bytes(block_size)

# Padding
to_add = block_size - rem(byte_size(customer_data_as_string), block_size)
padded = customer_data_as_string <> :binary.copy(<<to_add>>, to_add)

# Manually pad the message with the IV
cipher_text = ivec <> :crypto.block_encrypt(:aes_cbc128, encryption_key, ivec, padded)
signature = :crypto.hmac(:sha256, signature_key, cipher_text)
message = cipher_text <> signature

token = Base.url_encode64(message, case: :lower)

# The magic multipass link to your site:
"https://yoursite.myshopify.com/account/login/multipass/#{token}"

maz · March 7, 2019, 5:37pm

It’s so easy to mess-up crypto.

NobbZ · March 7, 2019, 5:40pm

Yeah. That might be the reason behind the first rule of the crypto club:

Don’t do crypto (on your own)

Ninigi · March 8, 2019, 12:23am

Good to hear you solved it

If you have some spare time, a pull request to implement multipass would be more than welcome!

fireproofsocks · March 8, 2019, 1:38am

Sure – the process does require that customer data be JSON encoded. Can you recommend how to nicely implement that as a dependency? Or should I restructure the input to make the user do the JSON encoding outside of your package?

Ninigi · March 8, 2019, 5:10am

the package already uses Poison for json processing, so I think you should not have to introduce a new dependency

fireproofsocks · March 8, 2019, 7:54pm

PR for exshopify was merged and is available in version 0.9.0: https://hex.pm/packages/exshopify
PR for https://github.com/nsweeting/shopify/pull/65