koa-shopify-auth

How to get both an offline and online token

Open mozeryansky opened this issue 5 years ago • 11 comments

I only want my frontend application to have an online token, but I need an offline token for handling my server tasks. How can I get both tokens? Is it safe to give offline tokens to the end user?

mozeryansky avatar Oct 18 '20 08:10 mozeryansky

Is it safe to give offline tokens to the end user?

No, it is not. Offline tokens often never expire, so once a user (or malicious actor) has this token, they can continue to use it beyond the user session until the app is uninstalled.

How can I get both tokens?

This library currently only supports one access_mode at a time. This is because, to request both, you need to make 2 requests, one for each access_mode. This can be done but is a very manual process.

tanema avatar Oct 22 '20 13:10 tanema

If it's not safe, then why does the README show the example as accessMode: 'offline'?

How can I use the library to request twice?

mozeryansky avatar Oct 25 '20 01:10 mozeryansky

If it's not safe, then why does the README show the example as accessMode: 'offline'?

I said it is not safe to give the offline token to the end user, not that these tokens are just generally unsafe.

How can I use the library to request twice?

As I said before, this library is currently only set up to do a single mode. The only thing I can suggest is taking a look at the internals to learn how to implement this yourself.

tanema avatar Oct 28 '20 12:10 tanema

Referring to this line of code: https://github.com/Shopify/koa-shopify-auth/blob/4e79d5eb97fb66ecd683496a28f42f77deede8d3/src/auth/create-oauth-callback.ts#L64

The auth token is copied into the session which is sent to the browser. So based on that, the code provided here is sending the token, so the only acceptable safe value is "online" tokens. If this package by default sends the access token to the browser, then shouldn't it only allow online tokens?

I said it is not safe to give the offline token to the end user

As I said before, this library is currently only set up to do a single mode.

But accessMode is a config parameter, which the README examples have set to offline.

mozeryansky avatar Oct 31 '20 06:10 mozeryansky

Yes, most web applications start with a cookie store as default because it is useful and easy for development. However, a cookie store is usually not a good idea on any application with any scale because of cookie overflow and encryption; you should normally set up an external store. If you do keep this token in your cookie, it is not ideal but should be fine as long as your app is only accessed through https, as then the only people who should be able to misuse your token are the users that already have access to the shop.

tanema avatar Nov 04 '20 14:11 tanema

@tanema Thank you! That makes a lot of sense now.

mozeryansky avatar Nov 04 '20 18:11 mozeryansky

@mozeryansky hey, I have similar goals to yours. Were you able to set up a pipeline for two modes simultaneously? If yes, how? Or where can I read about this? Coz it all looks very abstract to me rn.

Would it be something like using 2 app middlewares with createShopifyAuth: (I) with offline access mode, (II) with online? But how to use custom session storage for two session modes?

CC: @tanema help would be greatly appreciated.

MrLightful avatar Jul 04 '21 11:07 MrLightful

I have the same question. How are both flows setup? @romatalinn/@mozeryansky were you able to figure it out? An example would be appreciated!!

govindrai avatar Nov 03 '21 21:11 govindrai

I haven't come back to this in a while, but no, I opted to only request the offline token and use my own api endpoints to act upon the token. Even this example sends the token to the client and I could not confirm if the online or offline token has any protection against users taking it and calling the billing API themselves. Most likely very rare that a user will be malicious, but it's just easier to have an offline token and stored server side, like a normal OAuth flow.

mozeryansky avatar Nov 03 '21 21:11 mozeryansky

I have the same question. How are both flows setup?

The thing ended up being a lot simpler than it looks at first.

First of all, you need to realize that you don't need to do anything with the way Shopify stores these tokens. The DB is already capable of storing a mix of tokens of different types in one table. I guess it might be obvious for some people, but I for some reason thought that I'd need to store offline tokens in a different table. 🤷‍♂️

Secondly, the answer you are looking for is basically HERE.

The main idea is to request one token first and then immediately redirect the user to another page where the server retrieves the second type of token. Note that although the permissions are in a sense requested twice, the user will need to accept just one set of permissions (so he won't be seeing the permission dialog twice).

And in the business logic, you just use the provided utility methods to build either online or offline access for the user.

MrLightful avatar Nov 04 '21 00:11 MrLightful
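To make the chained flow concrete (tanema's point that the two access modes need two separate requests, and MrLightful's answer that one store can hold both token types and the first callback simply redirects into the second flow), here is an added example in plain JavaScript. It is not the library's code and not from the thread: the `/auth/offline` and `/auth/online` routes, the store layout, the 24-hour online expiry and the token strings are all assumptions, and in a real app the two `createShopifyAuth` middlewares with their `accessMode` and `afterAuth` callbacks would sit in front of these functions.

```javascript
// Added example, not koa-shopify-auth code: a model of the two-step flow described
// in the thread. Route paths, store layout, expiry and tokens are assumptions.

// Assumed lifetime for an online (user-scoped) session; offline tokens do not expire.
const ONLINE_TTL_MS = 24 * 60 * 60 * 1000;

// One store holds both token types; the key distinguishes them.
function sessionKey(shop, isOnline) {
  return `${shop}:${isOnline ? 'online' : 'offline'}`;
}

// Called from an afterAuth-style callback: persist the token that just arrived.
function storeSession(store, { shop, accessToken, isOnline, now = Date.now() }) {
  const session = {
    shop,
    accessToken,
    isOnline,
    expires: isOnline ? now + ONLINE_TTL_MS : null, // null: offline, never expires
  };
  store.set(sessionKey(shop, isOnline), session);
  return session;
}

// Decide where the user goes after a callback finishes: offline flow first, then
// straight into the online flow, and into the app only once both sessions exist.
function nextRedirectAfterAuth(store, shop) {
  const q = `shop=${encodeURIComponent(shop)}`;
  if (!store.has(sessionKey(shop, false))) return `/auth/offline?${q}`;
  if (!store.has(sessionKey(shop, true))) return `/auth/online?${q}`;
  return `/?${q}`;
}

// Business-logic side: fetch the session of the type a given task needs.
// Server jobs ask for the offline session; request handlers for the online one.
function loadSession(store, shop, isOnline, now = Date.now()) {
  const s = store.get(sessionKey(shop, isOnline));
  if (!s) return null;
  if (s.expires !== null && s.expires <= now) return null; // expired online session
  return s;
}

// Simulate an install: two callbacks in sequence, as the thread describes.
// (Per MrLightful, Shopify shows the permission dialog only once even though
// the scopes are requested twice.)
function simulateInstall(shop, now = 0) {
  const store = new Map();
  const trace = [];
  // Step 1: offline middleware's callback stores the offline token...
  storeSession(store, { shop, accessToken: 'shpat_offline_constructed', isOnline: false, now });
  trace.push(nextRedirectAfterAuth(store, shop)); // ...and we chain into the online flow
  // Step 2: online middleware's callback stores the online token...
  storeSession(store, { shop, accessToken: 'shpat_online_constructed', isOnline: true, now });
  trace.push(nextRedirectAfterAuth(store, shop)); // ...and the user lands in the app
  return { store, trace };
}
```

The point of keeping both sessions in one store under distinct keys is that the server task and the request handler each call `loadSession` with the mode they need; nothing about the offline session has to be exposed to the frontend for the online flow to work.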

@romatallinn Thanks for sharing that link!!! I had been stuck for a few days, and that unblocked me in about 10 minutes 😄

You're absolutely right about the simplicity of the flow (still, I'll digress and say it's a rather complex flow to formulate in your head, as I couldn't quite put two and two together in my head). The whole OAuth flow, plus the various libraries we need to interact with, the session manager, understanding and differentiating between access tokens and sessions and JWTs really puts a strain on actually focusing on the application one is trying to build.

I think I'm finally getting around to understanding this 3 weeks into development.

Regardless, thanks for replying.

govindrai avatar Nov 05 '21 16:11 govindrai

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.

github-actions[bot] avatar Jan 30 '23 20:01 github-actions[bot]