
Shopify calls storeCallback Thrice with two unique session ids

Open govindrai opened this issue 3 years ago • 4 comments

Issue summary

I understand storeCallback is called multiple times and is supposed to both create and update sessions. However, I am seeing two unique sessions on every OAuth call.

storeCallback Session {
  id: '178606f1-f1b9-4039-93c0-2a02bf286d34', <------------------------ unique id#1
  shop: '***.myshopify.com',
  state: '858385128205489',
  isOnline: true
}

storeCallback Session {
  id: '***.myshopify.com_77157728427', <--------------------------- unique id#2
  shop: '***.myshopify.com',
  state: '858385128205489',
  scope: 'write_products,write_customers,write_draft_orders',
  expires: 2021-11-03T14:36:14.581Z,
  isOnline: true,
  accessToken: 'shpat_b9c25***52ae8d7ea',
  onlineAccessInfo: {
    expires_in: 86399,
    associated_user_scope: 'write_products,write_customers,write_draft_orders',
    session: 'bb2739a2dfd2b***4cc0e25ba23ee4b91',
    account_number: 0,
    associated_user: {
      id: 77157***427,
      first_name: '***',
      last_name: '***i',
      email: 'ra****il.com',
      account_owner: true,
      locale: 'en',
      collaborator: false,
      email_verified: true
    }
  }
}

storeCallback session {
  id: '178606f1-f1b9-4039-93c0-2a02bf286d34', <------------------ unique id#1
  shop: '***.myshopify.com',
  state: '858385128205489',
  isOnline: true,
  accessToken: 'shpat_b9c25***da52ae8d7ea',
  expires: 2021-11-02T14:36:45.585Z,
  scope: 'write_products,write_customers,write_draft_orders',
  onlineAccessInfo: {
    expires_in: 86399,
    associated_user_scope: 'write_products,write_customers,write_draft_orders',
    session: 'bb2739a2dfd2b897d0c62b31e6bab7f37555bdf205d87024cc0e25ba23ee4b91',
    account_number: 0,
    associated_user: {
      id: 77157728427,
      first_name: '***',
      last_name: '***',
      email: 'ra***l.com',
      account_owner: true,
      locale: 'en',
      collaborator: false,
      email_verified: true
    }
  }
}

Expected behavior

I expect only one unique session to be passed to storeCallback.

Actual behavior

Now, for every OAuth call, I am storing two sessions in my DB. Why do we get two different sessions? Should there be a delete callback triggered for one of the sessions?

Steps to reproduce the problem

Use the exact custom session Redis example code and the exact Node app boilerplate provided by Shopify, navigate to the app and open it.

govindrai avatar Nov 02 '21 17:11 govindrai

Adding onto this: it happens with offline sessions as well, but due to the offline session ID being a simple 'offline_${shopName}', it's not actually an issue so much as a peculiarity?

First session has no accessToken/scopes and is generated upon clicking the install button for an app and navigating to the oAuth page, BEFORE the app has been installed.

Second session is generated post-install, hence the added accessToken and scopes.

What is a little problematic is that the suggested example for default-route navigation (not currently in the docs, see the PR here: https://github.com/Shopify/shopify-node-api/pull/199) is using Shopify.util.loadCurrentSession to check for login state, but a session is generated upon the REQUEST to install the app, not upon successful oAuth; which means that if the user abandons the installation process, you still have a session, just an unauthorized one, and you still need to send the user through oAuth. Meaning that example should really be confirming that, at the very least, session.accessToken exists.

(That doesn't mean the token is VALID; so far as I can tell, the only way to validate tokens is to actually attempt to make a request with them and try-catch the resultant 401 failure?)

(And as yet another addendum, using Shopify.utils.loadCurrentSession for oAuth flow checks is actively broken if you're using offline sessions, due to this bug: https://github.com/Shopify/shopify-node-api/pull/272; need to use Shopify.Utils.loadOfflineSession, but you still run into the above issue of un-auth'd sessions)

bishpls avatar Jan 25 '22 18:01 bishpls

Seems like the first, un-auth'd Session is generated from beginAuth, here:

https://github.com/Shopify/shopify-node-api/blob/770c9a837c4be025fee39615122f78017393f733/src/auth/oauth/oauth.ts#L64

How should app devs handle this? Discard it / have CustomSessionStorage.storeCallback reject it due to lack of accessToken? Save it, and handle login management based on whether or not a Session has an accessToken?

validateAuthCallback errors without a Session, so presumably it's correct to save the initial un-auth'd session; that leaves the takeaway to be "manage the login route by checking for session.accessToken," I believe?

bishpls avatar Jan 25 '22 19:01 bishpls

Noticed the same here. Simply discarding the save of the session led to an error. I'm now checking the session for an accessToken before actually continuing with requests to the GraphQL API.

ConcurrentHashMap avatar Feb 03 '22 22:02 ConcurrentHashMap
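The pattern the last three comments converge on (persist every Session handed to storeCallback, including the token-less one from beginAuth, and gate the login route on accessToken rather than on mere existence), as an added example that is not code from the shopify-api-js project or from any poster. The callback names follow the issue; the in-memory Map, the Session objects, `isAuthorized()` and `simulateInstall()` are constructed here for illustration.

```javascript
// Added example, not the library's own code. Stands in for a
// CustomSessionStorage backend with the three callbacks named in the thread.
const sessions = new Map();

// Persist every Session we receive, including the pre-install one created by
// beginAuth; validateAuthCallback needs to load it back, so rejecting it breaks OAuth.
async function storeCallback(session) {
  sessions.set(session.id, { ...session });
  return true;
}

async function loadCallback(id) {
  return sessions.get(id);
}

async function deleteCallback(id) {
  return sessions.delete(id);
}

// Hypothetical helper: a session proves a completed handshake only if it
// carries a non-empty accessToken that has not expired. An abandoned install
// leaves the first, token-less session behind, so existence alone is not enough.
function isAuthorized(session, now = new Date()) {
  if (!session || typeof session.accessToken !== 'string' || session.accessToken === '') {
    return false;
  }
  if (session.expires && new Date(session.expires) <= now) {
    return false;
  }
  return true;
}

// Replays the storeCallback calls one online OAuth round trip produces (values
// constructed): the uuid session from beginAuth, then, if the merchant finishes,
// the shop_user session and an update of the uuid session with the token.
async function simulateInstall(completed) {
  sessions.clear();
  const shop = 'example.myshopify.com';
  const expires = new Date(Date.now() + 86399 * 1000).toISOString();
  await storeCallback({ id: 'uuid-placeholder-1', shop, state: '1', isOnline: true });
  if (completed) {
    await storeCallback({ id: `${shop}_1`, shop, state: '1', isOnline: true,
      accessToken: 'shpat_constructed', expires, scope: 'write_products' });
    await storeCallback({ ...(await loadCallback('uuid-placeholder-1')),
      accessToken: 'shpat_constructed', expires, scope: 'write_products' });
  }
  // What a login route should count: stored sessions that are actually usable.
  const usable = [...sessions.values()].filter((s) => isAuthorized(s));
  return { stored: sessions.size, authorized: usable.length };
}
```

With `completed = false` one token-less session is stored and nothing is authorized; with `completed = true` two sessions are stored and both carry a token, matching the three callbacks in the original report.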

Some similar discussion here https://github.com/Shopify/shopify-api-node/issues/224?

Hi @govindrai @bishpls @ConcurrentHashMap Did any of you figure out what that uuid session is all about? I'm so confused as to what a "session" really is in this library / how you're expected to manage offline tokens https://github.com/Shopify/shopify-api-node/issues/428

richardscarrott avatar Jul 21 '22 14:07 richardscarrott

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

github-actions[bot] avatar Oct 06 '22 02:10 github-actions[bot]

We are closing this issue because it has been inactive for a few months. This probably means that it is not reproducible or it has been fixed in a newer version. If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.

If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request; see the CONTRIBUTING.md file for guidelines.

Thank you!

github-actions[bot] avatar Oct 20 '22 02:10 github-actions[bot]