Re: Will cookie-based authentication stop working?

Solved

Will cookie-based authentication stop working?

ykyuen
Shopify Partner
18 1 7

Hi all,

 

I am running two self-built private apps on a production shopify. The 2 apps are embedded app with react frontend and koa.js backend and the authentication are using the deprecated koa-shopify-auth (https://github.com/Shopify/koa-shopify-auth). Here shopify node package versions of the 2 apps.

 

  1. KoaJS backend
    "@shopify/koa-shopify-auth": "^3.1.70",
    "@shopify/koa-shopify-webhooks": "^2.5.0"

  2. React frontend
    "@shopify/app-bridge-react": "^1.27.2",
    "@shopify/polaris": "^5.2.1",
    "@shopify/polaris-icons": "^3.12.0",
    "@shopify/react-router": "0.0.34"

The koa-shopify-auth is deprecated and it suggested the user to migrate the cookie-based authentication to session tokens. On the other hand, i am not using the @Shopify/shopify-api for verifying the http request from the reactjs frontend. And the backend koajs calls the shopify api thru axios client.

 

So my question is if i keep the following setup, will it stop working in the upcoming shopify update like the winter 2023

 

Thanks.

 

Regards,

Kit

Accepted Solution (1)
ykyuen
Shopify Partner
18 1 7

This is an accepted solution.

Got the reply from shopify support, they said according to their documentation
https://shopify.dev/docs/apps/auth/oauth/session-tokens

All embedded apps need to use session tokens because third-party cookies won't work with browsers that restrict cross-domain data access. If your embedded app still uses cookies and could pose a risk to users, then as part of our app audit process you might be contacted and requested to migrate your app to use session tokens. This request will require immediate action.

So i guess there is no a deadline when the cookie authentication will stop working. But if your app is a public app, they user may not able to use it if their browser blocked the 3rd party cookies.

 

View solution in original post

Replies 4 (4)

ScalaApps
Shopify Partner
50 2 9

Last time I checked Shopify-Koa uses JWT authentication

Scala Apps



- If you find my reply helpful, please hit Like and Mark as Solution

- Se você achar minha resposta útil, por favor clique em Curtir e Marcar como Solução

Parcelamento/Installments | Hide sold variants | Apps | Blog

Pravin-Bhapkar
Shopify Partner
13 2 3

I am facing same problem for my public app ? 
Did you get any solution or migration is the only option? 

Thanks,
Pravin

ykyuen
Shopify Partner
18 1 7

No update yet.

ykyuen
Shopify Partner
18 1 7

This is an accepted solution.

Got the reply from shopify support, they said according to their documentation
https://shopify.dev/docs/apps/auth/oauth/session-tokens

All embedded apps need to use session tokens because third-party cookies won't work with browsers that restrict cross-domain data access. If your embedded app still uses cookies and could pose a risk to users, then as part of our app audit process you might be contacted and requested to migrate your app to use session tokens. This request will require immediate action.

So i guess there is no a deadline when the cookie authentication will stop working. But if your app is a public app, they user may not able to use it if their browser blocked the 3rd party cookies.