Signatures do not expire

[darrynten]

The verifyRequest method does not check the freshness of the signature, which means the signatures are still valid after expiration on Shopify.

It should be possible to configure an expiration and check the timestamp at L524.

[gnikyt]

@darrynten Ah, would there ever be a situation where this would happen? (maybe on webhooks running?)

I guess a simple check of timestamp is within the last 5-10 mins?

[gnikyt]

Hey @darrynten Just seeing if you seen the above ;) what do you suggest.

[darrynten]

According to the Shopify docs it seems like this value is returned from Shopify themselves when doing oauth.

[darrynten]

I guess a simple check of timestamp is within the last 5-10 mins?

I think it's a little more complex than this. What value does Shopify return?

[gnikyt]

Ah this is for online tokens through however, it doesn't give an expires for offline tokens I don't believe.

[asacarter]

Would it be a good idea to return the expires_in, so that we can set a cookie that expires at the same time and use a cache instead of sending requests on every page load?

[gnikyt]

Yes, going to put this in my todos.