Has anyone faced the same issue as mine? Does not using verifyRequest still guarantee security best practice?
Currently using "@Shopify/koa-shopify-auth": "^4.1.5".
This is the boilerplate code I got when using shopify-cli:
router.get("(/_next/static/.*)", handleRequest); // Static content is clear
router.get("/_next/webpack-hmr", handleRequest); // Webpack content is clear
router.get("(.*)", async (ctx) => {
  const shop = ctx.query.shop;
  // This shop hasn't been seen yet, go through OAuth to create a session
  if (ACTIVE_SHOPIFY_SHOPS[shop] === undefined) {
    ctx.redirect(`/auth?shop=${shop}`);
  } else {
    await handleRequest(ctx);
  }
});
When I check the @Shopify/koa-shopify-auth documentation, I see that we should use the verifyRequest middleware.
Documentation link: https://github.com/Shopify/koa-shopify-auth#example-app
// Everything else must have sessions
router.get('(.*)', verifyRequest(), async (ctx) => {
  // Your application code goes here
});
But when I insert verifyRequest() in my code, the app keeps re-authenticating until I get this message in Shopify Admin:
router.get("(/_next/static/.*)", handleRequest); // Static content is clear
router.get("/_next/webpack-hmr", handleRequest); // Webpack content is clear
router.get("(.*)", verifyRequest(), async (ctx) => {
  const shop = ctx.query.shop;
  // This shop hasn't been seen yet, go through OAuth to create a session
  if (ACTIVE_SHOPIFY_SHOPS[shop] === undefined) {
    ctx.redirect(`/auth?shop=${shop}`);
  } else {
    await handleRequest(ctx);
  }
});
Error message from Shopify