Cookie not returned in install callback request object

Ryan61
New Member

Hi, 

I just got started building a Shopify app, so I'm following the tutorial here: https://help.shopify.com/en/api/tutorials/building-node-app. I'm using Node for my endpoint. I've successfully done everything and can make API calls with a permanent access token...

The problem I'm having is that the request object attached to the `/shopify/callback` route that is redirected to when the person installs my app does not contain the cookie I sent with the response when I redirected to the Shopify app install page. So I can't verify the origin of the request was from me.

I'll paste in the relevant code I am referring to:

```js
app.get('/shopify', (req, res) => {
  // other code omitted for sake of brevity
  const state = nonce();
  const redirectUri = forwardingAddress + '/shopify/callback';
  const installUrl = 'https://' + shop +
      '/admin/oauth/authorize?client_id=' + apiKey +
      '&scope=' + scopes +
      '&state=' + state +
      '&redirect_uri=' + redirectUri;
  res.cookie('state', state); // <---- HERE IS WHERE I'M SETTING THE COOKIE TO CHECK THE ORIGIN
  res.redirect(installUrl);
});

app.get('/shopify/callback', (req, res) => {
  const { shop, hmac, code, state } = req.query;

  // HERE IS WHERE I GET THE COOKIE TO CHECK THE ORIGIN
  const stateCookie = cookie.parse(req.headers.cookie).state;

  if (state !== stateCookie) { // <----- ALWAYS TRUE, SO REQUEST ORIGIN IS NOT VERIFIED
    return res.status(403).send('Request origin cannot be verified');
  }
});
```

I've checked the req/res objects for this cookie in the /shopify/callback route, but there's never a cookie...

I have noticed that sometimes when redirected to the Shopify install page, a red alert appears and says something like "this page doesn't accept third party cookies", so I'm wondering if that has something to do with it...?

Any ideas why the cookie doesn't come back with the callback request object?

0 Likes
osamaeshtiaq
New Member

Did you get an answer for this???

0 Likes
manyar82
Shopify Partner

I had the same issue.

If you followed this tutorial https://help.shopify.com/en/api/tutorials/build-a-shopify-app-with-node-and-express you are using ngrok to expose your development environment to Shopify servers.

You're asking Shopify to redirect the user to your callback URL xxxxx.ngrok.io, but you're starting your authorization flow from http://localhost:3000, so the cookie you set at the first step is available on the localhost domain but invisible to the domain the user is redirected to at the end of the authorization flow (xxxxx.ngrok.io).

Try starting your authorization flow from http://xxxxx.ngrok.io/shopify?shop=... and it will work.

0 Likes
krishan_sharma
New Member

Hi,

I am making my authorization from ngrok. While authorizing, it works fine, but when I click on the app in my store it gives me an error. When I console.log req.headers.cookie, it is undefined. Can you please help me out? The code is the same as above.

0 Likes
iandme
Excursionist

If you have this issue only on Chrome, have a look at this: https://shopify.dev/tutorials/migrate-your-app-to-support-samesite-cookies

0 Likes
bilalabbas437
New Member
Prerequisites:

```js
const cookie = require("cookie");
const nonce = require("nonce")();
```

to access that store cookie

```js
const state = nonce();
res.cookie("state", state, { httpOnly: false, secure: true, sameSite: "none" });
```

to access that store cookie

```js
const stateCookie = cookie.parse(req.headers.cookie).state;
```


Happy coding

0 Likes
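
An added example, not code from any poster in this thread or from the Shopify tutorial: it combines the localhost/ngrok host check and the cookie attributes from the replies above with a callback check that reports a missing cookie instead of throwing when `req.headers.cookie` is undefined. The function names, the `Path=/` attribute, the small `parseCookies` stand-in for the `cookie` package and the constant-time comparison are assumptions of this example.

```javascript
const crypto = require('crypto');

// Stand-in for cookie.parse() from the thread; tolerates a missing Cookie header.
function parseCookies(header) {
  const jar = Object.create(null);
  if (typeof header !== 'string') return jar;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (name && !(name in jar)) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Cookies are host-scoped: one set on localhost is never sent to xxxxx.ngrok.io.
function sameCookieHost(startUrl, redirectUri) {
  return new URL(startUrl).hostname === new URL(redirectUri).hostname;
}

// Set-Cookie value using the attributes from the last reply (Secure + SameSite=None).
function stateSetCookie(state) {
  return `state=${state}; Path=/; Secure; SameSite=None`;
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Returns why the callback check failed instead of throwing on a missing cookie.
function verifyState(req) {
  const expected = parseCookies(req.headers.cookie).state;
  if (!expected) return { ok: false, reason: 'no state cookie on request' };
  if (!req.query.state || !safeEqual(req.query.state, expected)) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true, reason: null };
}

// Constructed sample requests (not captured traffic).
const state = crypto.randomBytes(16).toString('hex');
const samples = {
  good: { headers: { cookie: `theme=dark; state=${state}` }, query: { state } },
  noCookie: { headers: {}, query: { state } },
  mismatch: { headers: { cookie: `state=${state}` }, query: { state: 'different-value' } },
};
for (const [name, req] of Object.entries(samples)) console.log(name, verifyState(req));
```

Logging the `reason` on the 403 path separates "the browser never sent the cookie" (host mismatch or SameSite handling) from "the state value does not match".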