Shopify App Node.js React ACTIVE_SHOPIFY_SHOPS security issue ?

dreadmill
New Member

Hi,

I was checking the tutorial given at https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react
At some point they introduce the concept of ACTIVE_SHOPIFY_SHOPS to circumvent the need to authenticate multiple times.
Let's imagine all active stores are persisted on the app server (db, file, ...).
However, I wonder: couldn't anyone then just call the URL of my app with an already authenticated shop name and gain access to the app form, since koa's verifyRequest(), which checks for sessions, is not called in that route?

For example, I know that mycompetitorshop.myshopify.com is authenticated, so I call https://myapp.com?shop=mycompetitorshop.myshopify.com . The app will then render out the app backend UI, which could be critical if there is data stored somewhere in the app.

router.get("/", async (ctx) => {
  const shop = ctx.query.shop;

  // Shop has not completed OAuth yet: start it. Otherwise render the app page.
  if (ACTIVE_SHOPIFY_SHOPS[shop] === undefined) {
    ctx.redirect(`/auth?shop=${shop}`);
  } else {
    await handleRequest(ctx);
  }
});

I actually tried it and it worked. So I am a bit puzzled if I might misunderstand something there...

0 Likes

You can use something like this:

router.get("/", async (ctx) => {
  // Validate the hmac Shopify attaches to the query string before trusting `shop`.
  // https://shopify.dev/tutorials/authenticate-with-oauth
  if (Shopify.Utils.validateHmac(ctx.query)) {
    const shop = ctx.query.shop;

    if (ACTIVE_SHOPIFY_SHOPS[shop] === undefined) {
      ctx.redirect(`/auth?shop=${shop}`);
    } else {
      await handleRequest(ctx);
    }
  } else {
    // Request was not signed by Shopify: nothing is rendered (Koa answers 404 by default).
    // logger.error(ctx.query, 'hmac validation error');
  }
});
SBD_
Shopify Staff

Hey @ZaeBest 

Thanks for reporting this. Here's a response from the developers: 

That endpoint is unauthenticated by design - all it loads is the page skeleton, so it shouldn’t use any sensitive data. We need that request to be unauthenticated so that we get a chance to load App Bridge (which will send the user to the appropriate admin page) before validation kicks in.

You can verify this behaviour by:

  1. Run the app and open it in your shop
  2. Open it for your shop in an incognito window where you are not logged in

What will happen is:

  1. The app skeleton page will load (without any actual data)
  2. You will be redirected to log into your shop's admin, at which point you'll need to provide credentials.

0 Likes