From b5d28207529d176568bd8e439a2a8cfb14845543 Mon Sep 17 00:00:00 2001
From: Peter Chaula
Date: Mon, 15 Aug 2016 13:33:22 +0200
Subject: [PATCH 1/2] Include state in auth url
It seems like if you follow Shopify OAuth Documentation and include the **state** parameter for verification the **hmac** verification fails on the client server size. My assumption is that Shopify includes **state** in calculation of the hash
>https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}&state={nonce}
>{nonce} - a randomly selected value provided by your application, which is unique for each authorization request. During the OAuth
>callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is
>important for the security of your application.
[Shopify docs](https://help.shopify.com/api/guides/authentication/oauth#scopes)
---
shopify.php | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/shopify.php b/shopify.php
index de04736..af76233 100644
--- a/shopify.php
+++ b/shopify.php
@@ -15,12 +15,20 @@ public function __construct($shop_domain, $token, $api_key, $secret) {
 }
 // Get the URL required to request authorization
- public function getAuthorizeUrl($scope, $redirect_url='') {
+ public function getAuthorizeUrl($scope, $redirect_url='', $state = null) {
+
+ if($state === null){
+ $state = sha1(time());
+ }
+
 $url = "https://{$this->shop_domain}/admin/oauth/authorize?client_id={$this->api_key}&scope=" . urlencode($scope);
 if ($redirect_url != '') {
 $url .= "&redirect_uri=" . urlencode($redirect_url);
 }
+
+ $url .='&state=' urlencode($redirect_url);
+
 return $url;
 }
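Review bot: `$url .='&state=' urlencode($redirect_url);` has no concatenation operator between the literal and the `urlencode()` call, so the file no longer parses; PATCH 2/2 switches the argument to `$state` but keeps the same missing `.`, so both hunks need `$url .= '&state=' . urlencode($state);`. The fallback nonce `$state = sha1(time());` is predictable to the second and is the value that later protects the callback, so it gives no real anti-CSRF guarantee; `$state = bin2hex(random_bytes(16));` (or `openssl_random_pseudo_bytes()` if the library must still run on PHP 5) is the usual choice. A comment on the parameter such as `// $state is the OAuth anti-CSRF nonce; the caller must persist it and compare it on callback` would record the contract the commit message describes. The whole of getAuthorizeUrl lies inside this hunk.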
@@ -79,7 +87,7 @@ public function validateSignature($query)
 $dataString = array();
 foreach ($query as $key => $value) {
- if(!in_array($key, array('shop', 'timestamp', 'code'))) continue;
+ if(!in_array($key, array('shop', 'timestamp', 'code', 'state'))) continue;
 $key = str_replace('=', '%3D', $key);
 $key = str_replace('&', '%26', $key);
From 5e2cfbd64508bb01bcf0dd8c3b6cd808ebeb1de2 Mon Sep 17 00:00:00 2001
From: Peter Chaula
Date: Mon, 15 Aug 2016 13:36:53 +0200
Subject: [PATCH 2/2] Update shopify.php
---
shopify.php | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shopify.php b/shopify.php
index af76233..92a7d45 100644
--- a/shopify.php
+++ b/shopify.php
@@ -22,13 +22,12 @@ public function getAuthorizeUrl($scope, $redirect_url='', $state = null) {
 }
 $url = "https://{$this->shop_domain}/admin/oauth/authorize?client_id={$this->api_key}&scope=" . urlencode($scope);
+ $url .='&state=' urlencode($state);
 if ($redirect_url != '') {
 $url .= "&redirect_uri=" . urlencode($redirect_url);
 }
- $url .='&state=' urlencode($redirect_url);
-
 return $url;
 }
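Review bot: Adding `'state'` to the whitelist only makes the HMAC computation cover that parameter; nothing in this patch compares the returned state with the value issued in getAuthorizeUrl, which is the check the commit message quotes from the Shopify docs and which the HMAC cannot substitute for. Shopify's documented verification removes `hmac` and hashes every remaining parameter, so a fixed list of `shop`, `timestamp`, `code`, `state` is likely to fail again the next time the callback carries a parameter not on it; inverting the test to `if ($key === 'hmac') continue;` would track the documented rule (confirm against the current docs before changing). The `in_array` call should also pass `true` as its third argument so key matching is strict. validateSignature starts before and continues past this hunk.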
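Review bot: When the caller leaves `$state` at its `null` default, the nonce generated above this hunk (the `if($state === null)` block starts outside it) is written only into the URL on the added line and never handed back, so the caller has nothing to persist and compare on the callback, which is the purpose the commit message gives the parameter. Either require the caller to supply the nonce (drop the default and document that it must be stored in the session) or expose the generated value, e.g. by assigning it to an instance property before `return $url;`. The function's closing brace is inside the hunk.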