Introducing cookieless authentication beta with App Bridge

Trailblazer

I'm coming late to this thread, but only because my app was just rejected due to, ostensibly, a cookies issue (https://community.shopify.com/c/Shopify-APIs-SDKs/App-Rejected-shopify-app-gem-In-Shopify-POS-we-wer...).

I have another app live in the app store where I did the exact same thing as @Martin_Caum (before I knew about the existence of these canned Shopify Node and Rails apps). I just grab shopOrigin from the url parameter each time and then validate the hmac to confirm the request is from Shopify (and also do my REST API calls manually using fetch without a wrapper). No cookies involved and I have never had issues. I, like Martin, have also asked multiple times if there's an issue with doing it this way and haven't been told this is vulnerable in some way. And now that I'm facing some unknown cookies issue that I can't debug and is causing my app to not be approved, I'm kicking myself for having leaned on this library.

1 Like
Shopify Expert

The problem is how are your REST API calls authenticated?

0 Likes
Trailblazer

Hi @BGilbert thanks for the quick response - not sure if this is answering your question specifically, but I do this:

  1. Request comes in through my app - validate hostname and hmac validity. If it passes, they can proceed to the actual app 
  2. At that point, during the app session the user can perform certain app actions which will trigger requests to my server side
  3. In each request payload to my server side, I include their shopOrigin and use this to look up their access token (which I store in a secure db) which I'll then use to make fetch requests to the Shopify Admin API
  4. And finally, I'll send back the API response (usually manipulated with server side business logic) 

0 Likes
Shopify Expert

Unfortunately, with what you explained, anyone can just make those REST API calls to manipulate other shops simply by knowing the other shop's .myshopify.com URL.
-----------------------------------------

Unrelated to the above, I'm trying to use the ES5 AppBridge but my call to getSessionToken throws an error:

    <script src="https://unpkg.com/axios/dist/axios.min.js"></script>
    <script src="https://unpkg.com/@shopify/app-bridge"></script>
    <script src="https://unpkg.com/@shopify/app-bridge-utils"></script>

    <script>
        // The UMD bundles expose their exports on window under these names.
        var AppBridge = window['app-bridge'];
        var createApp = AppBridge.createApp;
        var actions = AppBridge.actions;
        var Redirect = actions.Redirect;

        var appBridgeUtils = window['app-bridge-utils'];

        var app = createApp({
            // ... app config (apiKey, shopOrigin) omitted in the original post
        });

        // getSessionToken needs the app instance; calling it with no
        // argument is what produces the "subscribe of undefined" error.
        appBridgeUtils.getSessionToken(app).then(function (result) {
            console.log(result);
        });

    </script>

Uncaught (in promise) TypeError: Cannot read property 'subscribe' of undefined
at app-bridge-utils:1 

Any ideas? @Michael_Ragalie @Liam 

0 Likes
Trailblazer

@BGilbert you're right, I just re-read what I wrote and realized I should put a second hmac validation check on each and every server side request (and probably validate that the timestamp is current as well). I think that should handle it though?

0 Likes
Shopify Expert

Unfortunately, since the subsequent requests come from your own website, they won't have any of the HMAC stuff.

0 Likes
Trailblazer

@BGilbert I'll message you privately so as not to clutter up this thread!

0 Likes
Shopify Staff

Hi! This looks like a mistake in our documentation.

The `getSessionToken` utility takes the `app` as its argument.

We'll update the docs, thanks for reporting!

1 Like
Shopify Partner

---- removed ----

0 Likes
Shopify Partner

@dsingh replying to your "Considering that now there is no need for use of cookies. Is there a way to retrieve the myshopify.com domain an embedded app is loaded in? That is probably the last part which is needed before embedded apps can be truly cookie-less." question:

The domain is passed as a query parameter in the url on every request.

0 Likes