
@koa-shopify-auth sets cookies without specifying the "Same Site" option

Open esteban-filardi opened this issue 5 years ago • 9 comments

Overview

@koa-shopify-auth sets two cookies without the SameSite option set, which triggers a warning in Chrome, and I think they will be blocked on February 4th. The cookies are named shopifyNonce and shopifyTestCookie.

Scope

@koa-shopify-auth:3.1.54

esteban-filardi avatar Jan 29 '20 14:01 esteban-filardi

shopifyNonce https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-auth/src/auth/oauth-query-string.ts#L19

shopifyTestCookie https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-auth/src/auth/create-enable-cookies-redirect.ts#L15 https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-auth/src/verify-request/verify-token.ts#L41

ltakens avatar Jan 30 '20 22:01 ltakens

We were urged to upgrade everything via email and blog posts, but it's not even working right now. If I make my own cookies follow the new rules, any new login to my app is greeted with an error that the request origin could not be verified. And this is because the nonce is being set without Secure and SameSite=None.

tolgap avatar Feb 03 '20 13:02 tolgap

@tolgap I am also experiencing Request origin could not be verified on Chrome version 82.0.4047.0 (Official Build) canary (64-bit) - the developer console is displaying warnings.

I have also enabled the sameSite experimental flags in Chrome at chrome://flags/#samesite

Using @shopify/koa-shopify-auth version 3.1.55

UPDATE: I was originally testing locally using ngrok. I deployed to Heroku and I did not encounter this error.

I do have app.proxy = true; set in koa

SeanoNET avatar Feb 04 '20 01:02 SeanoNET

Also, shopify.cookies_persist=True is being set by the koa-shopify-auth package without SameSite=None and Secure=true.

sinejoe avatar Feb 04 '20 20:02 sinejoe

Supposedly this was fixed with https://github.com/Shopify/quilt/pull/1251, but I'm still getting the same problem even after updating koa-shopify-auth to 3.1.56 (which is after this PR). @katiedavis any thoughts?

TomGranot avatar Mar 08 '20 16:03 TomGranot

Still having this issue as well. Any idea on how to resolve this?

mlevkovsky avatar Jun 07 '20 19:06 mlevkovsky

Are you setting up your projects as explained in the docs? https://github.com/Shopify/quilt/tree/master/packages/koa-shopify-auth#example-app

The package is not responsible for SameSite; you need to do this yourself.

tanema avatar Jun 08 '20 16:06 tanema

Hey @tanema, yup, so I set it up exactly like this. I found a workaround though. The way I used to install the app is I would go to https://xxx.ngrok.io/auth?shop=xxx.myshopify.com and this would not set the cookies. However, when I go through the Shopify app admin and do "install on store" this seems to work fine. Not sure why though :/

mlevkovsky avatar Jun 08 '20 17:06 mlevkovsky

The latest code now uses sameSite:none and secure:true explicitly for Chrome.

https://github.com/Shopify/koa-shopify-auth/blob/master/src/auth/cookie-options.ts

ardeearam avatar Mar 11 '21 02:03 ardeearam
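The attribute rule the whole thread turns on, as an added example (not code from koa-shopify-auth or from anyone in this thread): in Chrome 80 and later a cookie with no SameSite attribute is treated as SameSite=Lax, so it is withheld on cross-site requests such as an app loaded inside the Shopify admin iframe, and a cookie marked SameSite=None is rejected outright unless it is also Secure. The cookie names shopifyNonce and shopifyTestCookie are the ones reported above; the serializer, parser, outcome classifier and the HttpOnly/Path attributes are this example's own choices, and the "before fix" header values are constructed for illustration. The audit function is the practical check: run it over the Set-Cookie headers of your /auth response to confirm an upgraded package really emits SameSite=None; Secure.

```javascript
// Added example, not koa-shopify-auth's code. Demonstrates the Chrome 80+ SameSite rules
// discussed in the issue and gives a quick audit for Set-Cookie headers.
// Assumed names: serializeCookie, parseSetCookie, crossSiteOutcome, auditSetCookies.

// Serialize a cookie into a Set-Cookie header value with canonical attribute spelling.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header value back into its name, value and the attributes we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    secure: false,
    httpOnly: false,
    sameSite: null, // null: attribute absent, which Chrome 80+ treats as Lax
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Predict what a Chrome 80+ client does with the cookie on a cross-site subresource or
// iframe request (ignoring Chrome's temporary "Lax + POST" two-minute exception):
//   'rejected' - SameSite=None without Secure: the cookie is dropped when it is set
//   'withheld' - Lax, Strict, or no SameSite (defaulted to Lax): stored but not sent
//   'sent'     - SameSite=None; Secure: sent, which is what the OAuth nonce needs
function crossSiteOutcome(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === 'none') return c.secure ? 'sent' : 'rejected';
  return 'withheld';
}

// Audit a response's Set-Cookie headers; returns "name: outcome" for each cookie that
// will not survive a cross-site flow. An empty array means all cookies are fine.
function auditSetCookies(headers) {
  return headers
    .map((h) => ({ name: parseSetCookie(h).name, outcome: crossSiteOutcome(h) }))
    .filter((r) => r.outcome !== 'sent')
    .map((r) => `${r.name}: ${r.outcome}`);
}

// Options this example uses for both cookies. The thread reports the package now sets
// sameSite:none and secure:true; httpOnly and path are this example's additions.
const CROSS_SITE_COOKIE_OPTIONS = { sameSite: 'none', secure: true, httpOnly: true, path: '/' };

// Constructed headers: the shape the reporter saw (no SameSite) and the corrected shape.
const BEFORE_FIX = [
  'shopifyNonce=abc123; Path=/; HttpOnly',
  'shopifyTestCookie=1; Path=/',
];
const AFTER_FIX = [
  serializeCookie('shopifyNonce', 'abc123', CROSS_SITE_COOKIE_OPTIONS),
  serializeCookie('shopifyTestCookie', '1', CROSS_SITE_COOKIE_OPTIONS),
];

console.log('before fix:', auditSetCookies(BEFORE_FIX));
console.log('after fix :', auditSetCookies(AFTER_FIX));
```

Note that 'withheld' only covers cross-site subresource and iframe loads; a Lax cookie is still sent on a top-level cross-site GET navigation, which is why a plain browser visit to /auth can appear to work while the embedded-admin flow fails with "Request origin could not be verified".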

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.

github-actions[bot] avatar Jan 30 '23 20:01 github-actions[bot]