Introducing cookieless authentication beta with App Bridge

Trailblazer

@Michael_Ragalie thanks for the response, makes sense. In my case, both of my apps are POS embedded apps, so the "session" is always quite short, a moment in time for the merchant. Please keep us updated when JWT becomes available for POS embedded apps.

Shopify Staff

I don't know if we have any apps using it on POS, but I think it _should_ work. Was there a problem you were running into with it?

Trailblazer

@Michael_Ragalie I actually haven't tried it yet, I thought I saw on page 1 or 2 of this thread that someone else asked about it for POS and was told it wasn't ready. But based on reading the documentation, I also don't see a reason it shouldn't work. Thanks for following up. 

New Member

I'm finding the documentation lacking; I've tried trawling through the App Bridge code, but that wasn't much help either.

Ideally it would be great if I could embed my app's admin functionality, but it's not a Shopify-specific application, so I don't really want to pollute it with Shopify-specific libs and code. I appreciate I might have to, but I would like to have as little impact as possible. From the documentation, it is my understanding that the minimal Shopify code I need is `Provider` (is that true? Can I get the JWT token without App Bridge?), but how do I actually get the JWT? The docs say I can get it manually but give no examples. Am I supposed to use a React component? Is it in session storage? Is it in a header?

I'm already using JWT for non-Shopify-based users, so it would be great if I could get it working.

Shopify Staff
I think you'll need to use App Bridge to get a token. The "manual" approach is still using App Bridge, just lower-level aspects of it.
Tourist

Are apps that don't use this method getting rejected? We've had an application rejected because (we believe) the tester was using incognito mode.

Shopify Partner

If you're redirecting users to a subscription URL from your app, the redirect will cause an IFRAME issue in the browser.

You need to perform the redirection from outside your app IFRAME. Either using the AppBridge redirection, or using window.top.location.href.

Tourist

This isn't the issue. I've been sent a screencast by the tester showing he/she had been testing in Incognito mode. They failed the submission (again), naming 'SameSite' as the issue (I guarantee this is done correctly).

You can validate by visiting https://samesite-sandbox.glitch.me/ in a normal chrome window, and an incognito window.

As far as I'm concerned, if testers are expecting your application to work in Incognito mode, then you MUST implement cookieless authentication. Is this mentioned anywhere in the documentation?

Trailblazer

@optizio are you using the shopify_app gem? I had built an app using the shopify_app gem and it also failed, naming the SameSite issue with an infinite redirect issue (though I simply could not reproduce it). I ended up migrating away from the shopify_app gem and using my own auth, and got it to pass.

 

Trailblazer

@Michael_Ragalie I've finally gotten around to playing around with this, and I have a question. I found the npm library, which seems to work well (thank you Leigh Barnes).

However, part of my app's server will be hosted on Google Apps Script, and I have to manually decode and verify the JWT there. When I do:

// Google Apps Script: header and payload are the first two base64url segments of the JWT
var signingInput = header + '.' + payload;
// 'sshhh' stands in for the app's shared secret
var byteSignature = Utilities.computeHmacSha256Signature(signingInput, 'sshhh');
var signed = Utilities.base64EncodeWebSafe(byteSignature);

signed equals the <signature> from the JWT, except signed has extra = padding character(s) at the end. It seems all the Apps Script methods for Base64 encoding pad the output. Is it safe to just drop any padding = characters for the purposes of the boolean comparison? Or is there a different/better way?
