Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings
This repository was archived by the owner on Apr 11, 2024. It is now read-only.
/shopify-api-jsPublic archive

Allows setting a domain-wide cookie in the oauth flow#905

Open
cmelendez wants to merge5 commits intoShopify:main
base:main
Choose a base branch
Loading
fromcmelendez:cookie_paths

Conversation

@cmelendez
Copy link

@cmelendezcmelendez commentedJun 6, 2023
edited
Loading

WHY are these changes introduced?

Some OAuth flows require a domain-wide cookie instead of the usual behavior that only works within the starting domain. For example, if you start the OAuth flow inapi.example.com and then redirect the user toapp.example.com to finish it, you'll get a CookieNotFound error (check out issue#686).

WHAT is this pull request doing?

Allows to set an optionalcookieDomain param when callingshopifyApi.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)

Checklist

  • I have usedyarn changeset to create a draft changelog entry (do NOT update theCHANGELOG.md file manually)
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

gusbueno, idangozlan, longergrass, asaf-r-6, and vaultmicroSeongwoo reacted with heart emojiagrohs reacted with eyes emoji
@cmelendezcmelendez requested a review froma team as acode ownerJune 6, 2023 13:50
@cmelendez
Copy link
Author

Forgot to add that this PR also changes the default path when setting the auth cookie.

Currently the auth cookie is valid only on exactly thesame domain and thesame path that started the OAuth flow, which works great when creating an app using Shopify's CLI but fails on other cases.

An example where the current config fails:

  1. OAuth flow starts inhttps://api.example.com/auth/start. The SDK sets the cookie on theapi.example.com domain and/auth/start path.
  2. OAuth flow ends inhttps://dashboard.example.com/login/oauth with an error (CookieNotFound) because it won't be able to find the auth cookie since the domain and path doesn't match.

The PR changes the default behavior by making the auth cookie available on the root path but at the same time it allows setting a specific domain where to make the cookie readable, but if not domain is set then the current behavior of using the initial domain is kept.

@arabovs
Copy link

Nice work!

vaultmicroSeongwoo reacted with thumbs up emoji

@rodrigogsqquid
Copy link

Awesome work. I hope an admin merges this soon.

vaultmicroSeongwoo reacted with thumbs up emoji

@gusbueno
Copy link

gusbueno commentedJun 22, 2023
edited
Loading

Yes please let's merge it 🙇🏽‍♂️

vaultmicroSeongwoo reacted with thumbs up emoji

@jagthedrummer
Copy link

What will it take to get this merged?

vaultmicroSeongwoo reacted with thumbs up emoji

@byrichardpowell
Copy link
Contributor

Thanks very much the PR@cmelendez ! Really appreciate you taking the time to open this.

I'm going to get this reviewed by app sec and back to you.

cmelendez and agrohs reacted with heart emoji

Copy link
Contributor

@paulomargpaulomarg left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Hey folks, thanks for waiting while we got this reviewed.

I think we can take this PR, but there are a couple of things I think we need to tweak!

awaitcookies.setAndSign(STATE_COOKIE_NAME,state,{
expires:newDate(Date.now()+60000),
sameSite:'lax',
sameSite:'none',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is this required for the domain to work? OAuth should only rely on top-level redirects, and as perthe MDN docs:

Lax
Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link).

I believe it should still work if we uselax. I ask because usingnone carries some risk for CSRF. If it is strictly necessary, I think we should only set it tonone ifcookieDomain is set to help mitigate that risk.

secure:true,
path:callbackPath,
path:'/',
domain:config.cookieDomain,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think we need to fully skipdomain if the setting isn't present, otherwise we'll end up with thisSet-Cookie string:

Set-Cookie:shopify_app_state=<state>;sameSite=lax; secure=true; path=/auth/callback; domain=undefined;

ryanray added a commit to JoinCollabMarket/shopify-api-js that referenced this pull requestJan 28, 2024
…ameSite=lax.See this PR for other people who have ran into this issueShopify#905
Copy link

@Cody-traded-clothesCody-traded-clothes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

cool

Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.

Reviewers

2 more reviewers

@paulomargpaulomargpaulomarg left review comments

@Cody-traded-clothesCody-traded-clothesCody-traded-clothes left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@cmelendez@arabovs@rodrigogsqquid@gusbueno@jagthedrummer@byrichardpowell@paulomarg@Cody-traded-clothes
[8]ページ先頭
©2009-2025 Movatter.jp