Fix oauth when state (or other params) contain values that would be url encoded. (#64)

Author: fodawim

oauth.go

@@ -65,17 +65,17 @@ func (app App) VerifyMessage(message, messageMAC string) bool {
 }
 
 // Verifying URL callback parameters.
-func (app App) VerifyAuthorizationURL(u *url.URL) bool {
+func (app App) VerifyAuthorizationURL(u *url.URL) (bool, error) {
 	q := u.Query()
 	messageMAC := q.Get("hmac")
 
 	// Remove hmac and signature and leave the rest of the parameters alone.
 	q.Del("hmac")
 	q.Del("signature")
 
-	message := q.Encode()
+	message, err := url.QueryUnescape(q.Encode())
 
-	return app.VerifyMessage(message, messageMAC)
+	return app.VerifyMessage(message, messageMAC), err
 }
 
 // Verifies a webhook http request, sent by Shopify.

oauth_test.go

@@ -63,14 +63,16 @@ func TestAppVerifyAuthorizationURL(t *testing.T) {
 	}
 
 	for _, c := range cases {
-		actual := app.VerifyAuthorizationURL(c.u)
+		actual, err := app.VerifyAuthorizationURL(c.u)
+		if err != nil {
+			t.Errorf("App.VerifyAuthorizationURL(..., %s) returned an error:", c.u, err)
+		}
 		if actual != c.expected {
 			t.Errorf("App.VerifyAuthorizationURL(..., %s): expected %v, actual %v", c.u, c.expected, actual)
 		}
 	}
 }
 
-
 func TestVerifyWebhookRequest(t *testing.T) {
 	setup()
 	defer teardown()