shopify-app-template-node
                        Remove ACTIVE_SHOPIFY_SHOPS and all checks for active shops from the node scaffold
Issue summary
As per @paulomarg's comments in https://github.com/Shopify/shopify-app-node/issues/575 and https://github.com/Shopify/koa-shopify-auth/issues/71, this check is not necessary since it only makes sense for offline tokens.
It's not ideal from a performance standpoint to store active shops in a database (as some Shopify developers suggest) and make a roundtrip to the database with every request to the server.
In addition, if this check is only necessary for offline tokens, it wouldn't make sense for the scaffolded app to have online tokens + this check / redirect.
Expected behavior
- Have a section in the Wiki with this piece of code for app developers that require offline tokens.
 - Check if there is a session in verifyRequest and redirect to:
res.redirect(`/auth?${new URLSearchParams(req.query as unknown as string).toString()}`);
... if there's not
Actual behavior
https://github.com/Shopify/shopify-app-node/blob/5ba5d7e1decfdb4f40d5aa1deafbf801823a11f1/server/index.js#L98-L108
Hi @ivorpad thanks for the issue -- do you think you could take a crack at a PR for this?
The current approach being used by this repo is all a bit wonky: By default it is using online session tokens. So I'm pretty sure if two users from the same shop attempt to auth into the app then the 2nd user will not be directed through the auth flow because the shop is already known to the app. Ouch.
In my experience the proposed expected behaviour of checking for an active session has been tricky to achieve because when verifying if a session exists in the app.use("/*" middleware using a call to Shopify.Utils.loadCurrentSession it just returns undefined, it is unable to resolve the session. So after /auth/callback redirects to the root URL / we end up being put back through the auth flow again creating an infinite redirect loop.
Instead what I'm doing is to remove the app.use("/*" middleware entirely. That way when the webapp first loads and attempts to make its first REST call with userLoggedInFetch it will receive the X-Shopify-API-Request-Failure-Reauthorize header and trigger the redirect that way.
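The failure mode described in the comment above, as an added example (not code from the template or from any commenter): a shop-keyed check lets a second user of an already-known shop through without auth, while a per-user session check answers API calls with the X-Shopify-API-Request-Failure-Reauthorize header. The function names, the session-id format, the header value and the sample data are assumptions constructed for illustration.

```javascript
// Added illustration; not code from shopify-app-node. All names are
// hypothetical except the reauthorize header, which is named in the thread.
const REAUTH_HEADER = "X-Shopify-API-Request-Failure-Reauthorize";

// Shop-keyed gate: the shape of the active-shops check the issue wants removed.
// It only asks "has this shop installed the app?", never "who is asking?".
function shopGate(activeShops, req) {
  return activeShops[req.shop] === undefined
    ? { action: "redirect", to: `/auth?shop=${encodeURIComponent(req.shop)}` }
    : { action: "serve" };
}

// Session-keyed gate for API calls: without a live per-user session, reply 403
// with the reauthorize header so the front end starts the auth flow itself.
function sessionGate(sessions, req) {
  const session = sessions.get(`${req.shop}_${req.userId}`); // assumed id format
  if (!session || session.expires <= req.now) {
    return { status: 403, headers: { [REAUTH_HEADER]: "1" } }; // assumed value
  }
  return { status: 200, headers: {} };
}

// Constructed scenario: user 1 completed online-token auth, user 2 never did.
function demo() {
  const now = 1700000000000;
  const shop = "example.myshopify.com";
  const activeShops = { [shop]: "read_products" };
  const sessions = new Map([[`${shop}_1`, { expires: now + 60000 }]]);
  const user1 = { shop, userId: 1, now };
  const user2 = { shop, userId: 2, now };
  const user2Api = sessionGate(sessions, user2);
  return {
    shopGateUser2: shopGate(activeShops, user2).action, // passes without auth
    sessionGateUser1: sessionGate(sessions, user1).status,
    sessionGateUser2: user2Api.status,
    reauthHeaderUser2: user2Api.headers[REAUTH_HEADER],
  };
}

console.log(demo());
```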
@daveagill Ouch indeed 🤦♂️
Hi @JaKXz, digging around the issues of various associated repos, it feels like session management is pretty undercooked in this template (I'm presuming this template is the one that's used by @shopify/app; if not at least a lot of the bugs look similar?).
Are there any plans to create a production grade template; perhaps one with a harder distinction between offline and online tokens as their respective constraints / requirements seem to be quite different.
I've logged some of my concerns here: https://github.com/Shopify/shopify-api-node/issues/428 https://github.com/Shopify/shopify-api-node/issues/427
> Are there any plans to create a production grade template
:this: 🙏 😅
This issue is stale because it has been open for 60 days with no activity. It will be closed if no further action occurs in 14 days.
We are closing this issue because it has been inactive for a few months. This probably means that it is not reproducible or it has been fixed in a newer version. If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.
If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request – see the CONTRIBUTING.md file for guidelines.
Thank you!