shopify-api-js
Allows setting a domain-wide cookie in the oauth flow
WHY are these changes introduced?
Some OAuth flows require a domain-wide cookie instead of the usual behavior that only works within the starting domain. For example, if you start the OAuth flow in api.example.com and then redirect the user to app.example.com to finish it, you'll get a CookieNotFound error (check out issue #686).
WHAT is this pull request doing?
Allows setting an optional `cookieDomain` param when calling `shopifyApi`.
Type of change
- [X] Patch: Bug (non-breaking change which fixes an issue)
Checklist
- [X] I have used `yarn changeset` to create a draft changelog entry (do NOT update the CHANGELOG.md file manually)
- [X] I have added/updated tests for this change
- [X] I have documented new APIs/updated the documentation for modified APIs (for public APIs)
Forgot to add that this PR also changes the default path when setting the auth cookie.
Currently the auth cookie is valid only on exactly the same domain and the same path that started the OAuth flow, which works great when creating an app using Shopify's CLI but fails on other cases.
An example where the current config fails:
- OAuth flow starts in https://api.example.com/auth/start. The SDK sets the cookie on the api.example.com domain and /auth/start path.
- OAuth flow ends in https://dashboard.example.com/login/oauth with an error (CookieNotFound) because it won't be able to find the auth cookie, since the domain and path don't match.

The PR changes the default behavior by making the auth cookie available on the root path. At the same time it allows setting a specific domain on which the cookie is readable, but if no domain is set then the current behavior of using the initial domain is kept.
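To make the scoping failure above concrete, here is an added example (not code from the PR or from shopify-api-js) that models browser cookie matching per RFC 6265 and compares the pre-PR cookie (host-only, scoped to the start path) with a cookie set with the PR's `cookieDomain` option and root path. The helper names, the `rootPath`-style default and the `cookieDomain` option's shape are assumptions for illustration.

```javascript
// Added example: minimal RFC 6265 cookie-scoping model, not the SDK's code.

// §5.1.3 domain matching: host equals the cookie domain or is a subdomain of it.
// "evilexample.com" must NOT match "example.com", hence the leading dot check.
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain);
}

// §5.1.4 path matching: exact match, or prefix match on a path boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Would a browser attach `cookie` to a request for `url`?
// `hostOnly` models a cookie set without a Domain attribute (the pre-PR default):
// it is only returned to exactly the host that set it.
function cookieSentTo(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const domainOk = cookie.hostOnly
    ? hostname === cookie.domain
    : domainMatches(hostname, cookie.domain);
  return domainOk && pathMatches(pathname, cookie.path);
}

// Hypothetical model of the SDK's auth-cookie choice. `cookieDomain` mirrors the
// option the PR adds (omitted = keep host-only behaviour); `path` defaults to the
// root path as the PR proposes, and can be set to the start path for the old behaviour.
function authCookieFor(startUrl, { cookieDomain, path = '/' } = {}) {
  const { hostname } = new URL(startUrl);
  return {
    domain: cookieDomain || hostname,
    hostOnly: !cookieDomain,
    path,
  };
}

// Constructed URLs from the PR description.
const START = 'https://api.example.com/auth/start';
const FINISH = 'https://dashboard.example.com/login/oauth';

// Before the PR: host-only cookie scoped to /auth/start, so FINISH never sees it.
const before = authCookieFor(START, { path: '/auth/start' });
// After the PR: readable on every example.com subdomain and every path.
// Note the wider scope: any host under example.com can now read this cookie.
const after = authCookieFor(START, { cookieDomain: 'example.com' });
```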
Nice work!
Awesome work. I hope an admin merges this soon.
Yes please let's merge it 🙇🏽♂️
What will it take to get this merged?
Thanks very much for the PR @cmelendez! Really appreciate you taking the time to open this.
I'm going to get this reviewed by app sec and back to you.