Introducing cookieless authentication beta with App Bridge

policenauts1
Trailblazer
173 13 33

I'm coming late to this thread, but only because my app was just rejected due to, ostensibly, a cookies issue (https://community.shopify.com/c/Shopify-APIs-SDKs/App-Rejected-shopify-app-gem-In-Shopify-POS-we-wer...).

I have another app live in the app store where I did the exact same thing as @Martin_Caum (before I knew about the existence of these canned Shopify Node and Rails apps). I just grab shopOrigin from the url parameter each time and then validate the hmac to confirm the request is from Shopify (and also do my REST API calls manually using fetch without a wrapper). No cookies involved and I have never had issues. I, like Martin, have also asked multiple times if there's an issue with doing it this way and haven't been told this is vulnerable in some way. And now that I'm facing some unknown cookies issue that I can't debug and is causing my app to not be approved, I'm kicking myself for having leaned on this library.

BGilbert
Shopify Expert
30 0 14

The problem is: how are your REST API calls authenticated?

0 Likes
policenauts1
Trailblazer
173 13 33

Hi @BGilbert thanks for the quick response - not sure if this is answering your question specifically, but I do this:

  1. Request comes in through my app - validate hostname and hmac validity. If it passes, they can proceed to the actual app 
  2. At that point, during the app session the user can perform certain app actions which will trigger requests to my server side
  3. In each request payload to my server side, I include their shopOrigin and use this to look up their access token (which I store in a secure db) which I'll then use to make fetch requests to the Shopify Admin API
  4. And finally, I'll send back the API response (usually manipulated with server side business logic) 

0 Likes
BGilbert
Shopify Expert
30 0 14

Unfortunately, with what you explained, anyone can easily call the REST API to manipulate other shops just by knowing the other shop's .myshopify.com URL.

-----------------------------------------

Unrelated to the above, I'm trying to use the ES5 AppBridge but my call to getSessionToken throws an error:

    <script src="https://unpkg.com/axios/dist/axios.min.js"></script>
    <script src="https://unpkg.com/@shopify/app-bridge"></script>
    <script src="https://unpkg.com/@shopify/app-bridge-utils"></script>

    <script>
        var AppBridge = window['app-bridge'];
        var createApp = AppBridge.createApp;
        var actions = AppBridge.actions;
        var Redirect = actions.Redirect;

        var appBridgeUtils = window['app-bridge-utils'];

        var app = createApp({
            ...
        });

        appBridgeUtils.getSessionToken().then(function (result) {
            console.log(result);
        });

    </script>

Uncaught (in promise) TypeError: Cannot read property 'subscribe' of undefined
at app-bridge-utils:1 

Any ideas? @Michael_Ragalie @Liam 

0 Likes
policenauts1
Trailblazer
173 13 33

@BGilbert you're right, I just re-read what I wrote and realized I should put a second hmac validation check on each and every server side request (and probably validate that the timestamp is current as well). I think that should handle it, though?

0 Likes
BGilbert
Shopify Expert
30 0 14

Unfortunately, since the subsequent requests come from your own website, they won't have any of the HMAC stuff.

0 Likes
policenauts1
Trailblazer
173 13 33

@BGilbert I'll message you privately so as not to clutter up this thread!

0 Likes
Michael_Ragalie
Shopify Staff
38 2 11

Hi! This looks like a mistake in our documentation.

The `getSessionToken` utility takes the `app` as its argument.

We'll update the docs, thanks for reporting!

dsingh
Shopify Partner
13 0 1

---- removed ----

0 Likes
KisukaKiza
Shopify Partner
33 0 28

@dsingh replying to your "Considering that now there is no need for use of cookies. Is there a way to retrieve the myshopify.com domain an embedded app is loaded in? That is probably the last part which is needed before embedded apps can be truly cookie-less." question:

The domain is passed as a query parameter in the url on every request.

0 Likes