From 7eb70d2254bcc3dcc8edd6e160fdc9d6c3dcf2a0 Mon Sep 17 00:00:00 2001
From: Dinh Duy
Date: Tue, 30 May 2023 23:56:54 +0700
Subject: [PATCH] `WebhookAuthenticator::authenticateGetRequest` now also consider `location-id` and `privileges`
---
 CHANGELOG.md | 2 ++
 src/Service/WebhookAuthenticator.php | 42 ++++++++++++++++------------
 2 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6397ed65..8269b9ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 - Added EndPointTrait for supporting to remove the unnecessary last slashes of an endpoint
 - Updated `AdminAuthenticator` and `Context` to remove the unnecessary last slashes of the provided endpoint
 - [Fix Call to a member function getSource() on null](https://github.com/vienthuong/shopware-php-sdk/issues/65)
+- `WebhookAuthenticator::authenticateGetRequest` now also consider `location-id` and `privileges`
+- [Fix GET Requests of Webhook are not validated correctly](https://github.com/vienthuong/shopware-php-sdk/issues/61)
 ### 1.7.3
 - [Fix Schema caching](https://github.com/vienthuong/shopware-php-sdk/pull/62)
diff --git a/src/Service/WebhookAuthenticator.php b/src/Service/WebhookAuthenticator.php
index 00e12a8c..075f615b 100644
--- a/src/Service/WebhookAuthenticator.php
+++ b/src/Service/WebhookAuthenticator.php
@@ -59,26 +59,32 @@ public static function authenticateGetRequest(string $shopSecret): bool
 $shop = new Shop($queries['shop-id'], $queries['shop-url'], $shopSecret);
- $queryString = sprintf(
- 'shop-id=%s&shop-url=%s×tamp=%s&sw-version=%s',
- $shop->getShopId(),
- $shop->getShopUrl(),
- $queries['timestamp'] ?? null,
- $queries['sw-version'] ?? null,
- );
-
- if (array_key_exists('sw-context-language', $queries) && array_key_exists('sw-context-language', $queries)) {
- $queryString = sprintf(
- 'shop-id=%s&shop-url=%s×tamp=%s&sw-version=%s&sw-context-language=%s&sw-user-language=%s',
- $shop->getShopId(),
- $shop->getShopUrl(),
- $queries['timestamp'],
- $queries['sw-version'],
- $queries['sw-context-language'],
- $queries['sw-user-language'],
- );
+ $queryParams = [
+ 'shop-id' => $shop->getShopId(),
+ 'shop-url' => $shop->getShopUrl(),
+ 'timestamp' => $queries['timestamp'],
+ 'sw-version' => $queries['sw-version'],
+ ];
+
+ if (array_key_exists('sw-context-language', $queries)) {
+ $queryParams['sw-context-language'] = $queries['sw-context-language'];
 }
+ if (array_key_exists('sw-user-language', $queries)) {
+ $queryParams['sw-user-language'] = $queries['sw-user-language'];
+ }
+
+ if (array_key_exists('location-id', $queries)) {
+ $queryParams['location-id'] = $queries['location-id'];
+ }
+
+ if (array_key_exists('privileges', $queries)) {
+ $queryParams['privileges'] = urlencode($queries['privileges']);
+ }
+
+ $queryString = http_build_query($queryParams);
+
+ $hmac = \hash_hmac('sha256', htmlspecialchars_decode($queryString), $shopSecret);
 return hash_equals($hmac, $queries['shopware-shop-signature']);