
I am currently trying to implement a login to Shopify over the Storefront API via Multipass.

However, it isn't clear to me from the documentation on that page how the "created_at" field is used, since it states that this field should be filled with the current timestamp.
But what if the same user logs in a second time via Multipass? Should it be filled with the timestamp of the second login?
Or should the original Multipass token be stored somewhere and reused at a second login, instead of generating a new one?

2 Answers


  1. How can someone log in a second time? If they are already logged in, they would essentially not be able to re-login without logging out. If they logged out, Multipass would assign a new timestamp. When would this flow occur, of a user logging in a second time and not being issued a brand new login? How would they do this?

  2. Yes, you always need to set it to the current time. I guess it stands for "token created at".

    This is the code I use in Python:

    import datetime
    import json
    from base64 import urlsafe_b64encode

    from Crypto.Cipher import AES
    from Crypto.Hash import HMAC, SHA256
    from Crypto.Random import get_random_bytes


    class Multipass:
        def __init__(self, secret):
            # Shopify's key derivation: SHA-256 of the shop's Multipass secret,
            # first half is the AES-128-CBC key, second half is the HMAC-SHA256 key.
            key = SHA256.new(secret.encode('utf-8')).digest()
            self.encryptionKey = key[0:16]
            self.signatureKey = key[16:32]

        def generate_token(self, customer_data_hash):
            # created_at is stamped at generation time, every time: a fresh token
            # is minted for every login and nothing is stored or reused.
            # ISO 8601 with an explicit UTC offset (utcnow() is deprecated).
            customer_data_hash['created_at'] = datetime.datetime.now(datetime.timezone.utc).isoformat()
            cipher_text = self.encrypt(json.dumps(customer_data_hash))
            # Encrypt-then-MAC: the HMAC covers IV + ciphertext, and the token is
            # the URL-safe base64 of ciphertext || tag.
            return urlsafe_b64encode(cipher_text + self.sign(cipher_text))

        def generate_url(self, customer_data_hash, url):
            token = self.generate_token(customer_data_hash).decode('utf-8')
            return '{0}/account/login/multipass/{1}'.format(url, token)

        def encrypt(self, plain_text):
            plain_text = self.pad(plain_text)
            iv = get_random_bytes(AES.block_size)   # fresh random IV per token
            cipher = AES.new(self.encryptionKey, AES.MODE_CBC, iv)
            return iv + cipher.encrypt(plain_text.encode('utf-8'))

        def sign(self, data):
            return HMAC.new(self.signatureKey, data, SHA256).digest()

        @staticmethod
        def pad(s):
            # PKCS#7 padding to the AES block size. Padding the str is safe here
            # because json.dumps escapes non-ASCII by default, so the character
            # count equals the UTF-8 byte count.
            pad_len = AES.block_size - len(s) % AES.block_size
            return s + pad_len * chr(pad_len)
    
    

    And so:

    ...
    customer_object = {
        **user,  # customer data from your own system; Shopify requires at least "email"
        "verified_email": True
    }
    multipass = Multipass(multipass_secret)  # the shop's Multipass secret from the Shopify admin
    return multipass.generate_url(customer_object, environment["url"])  # the shop's base URL
    