v:2.0:sso [2019/05/01 02:03]
adam [The Details]
v:2.0:sso [2019/11/04 07:30]
foxybrett [The Details]
Line 65: Line 65:
   * ''​fc_auth_token'':​ The authentication token is a SHA-1 hash of the FoxyCart customer ID (available through the [[api|API]]),​ the expiration timestamp, and [[v:​2.0:​store_secret|the store'​s secret key]]. These values are separated by ''​|''​ (the pipe symbol). Here's what it might look like in PHP:<​code php>   * ''​fc_auth_token'':​ The authentication token is a SHA-1 hash of the FoxyCart customer ID (available through the [[api|API]]),​ the expiration timestamp, and [[v:​2.0:​store_secret|the store'​s secret key]]. These values are separated by ''​|''​ (the pipe symbol). Here's what it might look like in PHP:<​code php>
 $auth_token = sha1($customer_id . '​|'​ . $timestamp . '​|'​ . $foxycart_secret_key);​ $auth_token = sha1($customer_id . '​|'​ . $timestamp . '​|'​ . $foxycart_secret_key);​
-</​code>​ or in Ruby: <code ruby>​Digest::​SHA1.hexdigest("#​{customer_id}|#​{timestamp}|#​{foxycart_secret_key}"​)</​code>​+</​code>​ or in Ruby: <code ruby>​Digest::​SHA1.hexdigest("#​{customer_id}|#​{timestamp}|#​{foxycart_secret_key}"​)</​code>​ or JavaScript: <code javascript>​const crypto = require('​crypto'​);​ 
 +module.exports.generateSsoUri = function (customerId,​ timestamp, secret, sessionId) { 
 +  if (!customerId || !timestamp || !secret) { 
 +    return false; 
 +  } 
 +  let stringToSign = `${customerId}|${timestamp}|${secret}`;​ 
 +  let token = crypto.createHash('​sha1'​).update(""​ + stringToSign).digest('​hex'​);​ 
 +  let uri = `https://​${storeDomain}/​checkout?​fc_customer_id=${customerId}&​timestamp=${timestamp}&​fc_auth_token=${token}`;​ 
 +  if (sessionId && validator.isAlphanumeric(sessionId)) { 
 +    uri += `&​fcsid=${sessionId}`;​ 
 +  } 
 +  return uri; 
 +}</​code>​
     * It is critically important to note that the ''​timestamp''​ value you hash must match the ''​timestamp''​ value you send in the clear (below). Again, the ''​timestamp''​ provided //to// your endpoint must not be used when passed back to FoxyCart, as that timestamp will already be in the past.     * It is critically important to note that the ''​timestamp''​ value you hash must match the ''​timestamp''​ value you send in the clear (below). Again, the ''​timestamp''​ provided //to// your endpoint must not be used when passed back to FoxyCart, as that timestamp will already be in the past.
   * ''​fcsid'':​ The FoxyCart session ID. This is necessary to prevent issues with users with 3rd party cookies disabled and stores that are not using a custom subdomain.   * ''​fcsid'':​ The FoxyCart session ID. This is necessary to prevent issues with users with 3rd party cookies disabled and stores that are not using a custom subdomain.
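Review bot: The added JavaScript example uses two identifiers it never declares, `storeDomain` (in the `uri` template literal) and `validator` (in `validator.isAlphanumeric(sessionId)`), so as pasted it throws a ReferenceError the first time it runs. Make `storeDomain` a parameter of `generateSsoUri` or a module-level constant next to `crypto`, and add `const validator = require('validator');` (or replace the call with a plain `/^[a-z0-9]+$/i` test) so the snippet is self-contained like the PHP and Ruby ones beside it. Nit: `"" + stringToSign` is redundant, since the template literal is already a string.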
Line 246: Line 258:
  
 Important things to note: Important things to note:
-  * The API token at the start of the script will need to be set to your store'​s ​API key, and similarly the URL to redirect to at the bottom of the script will also need to be updated.+  * The API token at the start of the script will need to be set to your [[v:​2.0:​store_secret|store'​s ​secret ​key]], and similarly the URL to redirect to at the bottom of the script will also need to be updated.
   * The check for the auth token and the timestamp act as the validation that this request is legitimately from the receipt - it's important that these checks are completed   * The check for the auth token and the timestamp act as the validation that this request is legitimately from the receipt - it's important that these checks are completed
   * Not included above is the actual code to log the user in on your website. This will be different depending on the authentication system you're using. Consult the documentation for your system for how to approach that.   * Not included above is the actual code to log the user in on your website. This will be different depending on the authentication system you're using. Consult the documentation for your system for how to approach that.
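Review bot: The second bullet ends without a period and "it's important that these checks are completed" does not say what a completed check means; state the outcome, i.e. that when the auth token does not match the recomputed hash or the timestamp check fails, the script must stop and not log the user in. Otherwise the change is correct: pointing the first bullet at the store's secret key instead of "API key" matches the token formula at line 65, which hashes the store secret, not the API key.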