
App must set security headers to protect against clickjacking

Open manasirfan opened this issue 2 years ago • 8 comments

For bug reporting only! If you're posting a feature request or discussion, please ignore.

Expected Behavior

When I review our app from Shopify, it shows this issue before submitting:

There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://mysite.com/login. Your app must request installation immediately after clicking "add app." Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop.

Current Behavior

This is my website; first the user logs in on our site. [image]

After login, the user goes to this page, puts in the store URL, and fetches the products for that store.

[image]

But I can't find what Shopify requires for the app to be approved.

Failure Information

Please help provide information about the failure if this is a bug.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Step 1
  2. Step 2
  3. ...

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

  * Package Version: v17.1
  * Laravel Version: v8.75
  * PHP Version: v8.1.5

Failure Logs

Please include any relevant log snippets or files here.

manasirfan avatar Jul 27 '22 08:07 manasirfan

Can anyone help me solve this issue? Thanks in advance.

manasirfan avatar Jul 28 '22 12:07 manasirfan

You can take an implementation from here: https://github.com/osiset/laravel-shopify/pull/1178

but it has nothing to do with the package and can be exposed by the application.

enmaboya avatar Jul 28 '22 18:07 enmaboya

Hi, thanks for the reply. I followed your steps, but we are changing the vendor file, therefore the changes are not applied on live. Please guide me more. Thanks in advance!

manasirfan avatar Aug 02 '22 05:08 manasirfan

@enmaboya sir, kindly help me!

manasirfan avatar Aug 03 '22 07:08 manasirfan

@manasirfan You can check this: https://github.com/osiset/laravel-shopify/issues/1070#issuecomment-1039959161

I created the same and it fixed the issue.

I hope that this will help you :)

tanseercena avatar Aug 05 '22 09:08 tanseercena

Hi @tanseercena, I am using the same middleware but it was rejected again. The middleware is used globally. Kindly help solve this issue.

```php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use App\Models\User;
use Osiset\ShopifyApp\Objects\Values\ShopDomain;

class ContentSecurityPolicy
{
    // frame-ancestors lists the only origins allowed to embed the app in a frame
    protected const HEADER_FORMAT = 'frame-ancestors %s %s';
    protected const ADMIN_SHOPIFY_URL = 'https://admin.shopify.com';

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        if ($response instanceof Response && !$request->ajax()) {
            if ($request->has('shop')) {
                $shopDomain = ShopDomain::fromNative($request->get('shop'));
            } elseif ($request->user() instanceof User) {
                $shopDomain = $request->user()->getDomain();
            } else {
                $shopDomain = ShopDomain::fromRequest($request);
            }

            if ($shopDomain instanceof ShopDomain) {
                $response->header('Content-Security-Policy', sprintf(self::HEADER_FORMAT, 'https://' . $shopDomain->toNative(), self::ADMIN_SHOPIFY_URL));
            }
        }

        return $response;
    }
}
```

manasirfan avatar Aug 05 '22 14:08 manasirfan

@manasirfan Did you add it in the web middlewares in Kernel.php?

tanseercena avatar Aug 05 '22 14:08 tanseercena

@tanseercena oops, I added it as another middleware, not in the group. Please check now, is it fine?

```php
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\ContentSecurityPolicy::class,
    ]
];
```

manasirfan avatar Aug 05 '22 15:08 manasirfan
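As an added example (not code from the package, from PR #1178, or from anyone in this thread), here is a stand-alone version of the same idea that also covers two points a reviewer would raise about the snippets above: the `shop` query parameter is attacker-controlled, so it is validated against the `*.myshopify.com` shape before being written into the `frame-ancestors` directive, and when no trusted shop can be determined the middleware falls back to `frame-ancestors 'none'` instead of sending no header (which would leave that response frameable by any site). The class name `ShopifyFrameAncestors` is hypothetical; the `getDomain()` call on the authenticated user mirrors what the thread uses and is guarded so the middleware still works if the user model lacks it.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Hypothetical middleware (added example): emits a CSP frame-ancestors
// directive so the app can only be framed by the merchant's own store
// and the Shopify admin, and by nobody else.
class ShopifyFrameAncestors
{
    // Shop domains are *.myshopify.com; anything else is refused so a
    // crafted ?shop= value cannot widen the list of allowed framers.
    private const SHOP_PATTERN = '/^[a-z0-9][a-z0-9\-]*\.myshopify\.com$/i';
    private const ADMIN_ORIGIN = 'https://admin.shopify.com';

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        $shop = self::resolveShop($request);
        // headers->set() works for every Symfony/Illuminate response type
        $response->headers->set('Content-Security-Policy', self::policyFor($shop));

        return $response;
    }

    // Returns the validated shop domain (lower-cased), or null when none is known.
    public static function resolveShop(Request $request): ?string
    {
        $candidate = $request->query('shop');

        $user = $request->user();
        if ($candidate === null && $user !== null && method_exists($user, 'getDomain')) {
            // laravel-shopify's shop model exposes getDomain(); the thread relies on it
            $domain = $user->getDomain();
            $candidate = $domain !== null ? $domain->toNative() : null;
        }

        if (!is_string($candidate) || !preg_match(self::SHOP_PATTERN, $candidate)) {
            return null;
        }

        return strtolower($candidate);
    }

    // Builds the header value. With no trusted shop, fall back to 'none'
    // so the page is never frameable by an arbitrary site.
    public static function policyFor(?string $shop): string
    {
        if ($shop === null) {
            return "frame-ancestors 'none'";
        }

        return sprintf('frame-ancestors https://%s %s', $shop, self::ADMIN_ORIGIN);
    }
}

/*
Registration in app/Http/Kernel.php: append to the existing 'web' group
rather than replacing it, so Laravel's session, cookie and CSRF
middleware stay in place:

    protected $middlewareGroups = [
        'web' => [
            // ...Laravel's default web middleware...
            \App\Http\Middleware\ShopifyFrameAncestors::class,
        ],
    ];

Verify from a shell (placeholder host):
    curl -sI 'https://your-app.example/?shop=example.myshopify.com' | grep -i content-security-policy
*/
```

With this in place `policyFor('example.myshopify.com')` yields `frame-ancestors https://example.myshopify.com https://admin.shopify.com`, a `shop` value such as `evil.example` is rejected and the response carries `frame-ancestors 'none'`, which is also what unauthenticated pages like the login page get.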

We will try and get https://github.com/osiset/laravel-shopify/pull/1178 into the next release, which should help.

Kyon147 avatar Aug 26 '22 08:08 Kyon147