Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure post authenticate jobs run after for jwt based callback requests #1079

Merged
merged 1 commit into from
Sep 23, 2020
Merged

Ensure post authenticate jobs run after for jwt based callback requests #1079

merged 1 commit into from
Sep 23, 2020

Conversation

rezaansyed
Copy link
Contributor

What does this PR solve?

There is an issue noticed where the OAuth flow for getting an online (user) token fails to redirect back into the callback endpoint. The online token is eventually retrieved on failed requests to the Shopify API and we exchange an auth code for the online token via App Bridge Auth. However, when making the callback request to with session tokens (as JWTs) in the Authorization header, the post authenticate background jobs are not run, which is undesirable.

This PR ensures that the post authenticated background jobs are triggered after the callback request is made with session tokens in the request.

Before submitting the PR, please consider if any of the following are needed:

  • Update CHANGELOG.md if the changes would impact users
  • Update README.md, if appropriate.
  • Update any relevant pages in docs/, if necessary
  • For security fixes, the Disclosure Policy must be followed.

@rezaansyed rezaansyed requested a review from a team as a code owner September 22, 2020 22:10
@ragalie
Copy link
Contributor

ragalie commented Sep 23, 2020

No test for the install_script_tags action?

ragalie
ragalie approved these changes Sep 23, 2020
View reviewed changes
Copy link
Contributor

@ragalie ragalie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

This is easier to read than the previous implementation, which is good! Curious why you decided to refactor in this direction where every sub-method contains a conditional on JWT vs. splitting into two callback methods for JWT vs. normal browser? There's very little overlap other than persisting the token and running these callbacks.

lstp
lstp reviewed Sep 23, 2020
View reviewed changes
app/controllers/shopify_app/callback_controller.rb
if jwt_request?
Rails.logger.debug("[ShopifyApp::CallbackController] JWT request detected. Setting shopify session...")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we intentionally not replacing the debug logs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just added the logs back

paulomarg
paulomarg approved these changes Sep 23, 2020
View reviewed changes
Copy link
Contributor

@paulomarg paulomarg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

app/controllers/shopify_app/callback_controller.rb Outdated
install_scripttags
perform_after_authenticate_job
def store_access_token_and_build_session
prevent_session_fixation if native_browser_request?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to check native_browser_request? here, if it's also checked in prevent_session_fixation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right! Just refactored it.

@rezaansyed
Copy link
Contributor Author

LGTM.

This is easier to read than the previous implementation, which is good! Curious why you decided to refactor in this direction where every sub-method contains a conditional on JWT vs. splitting into two callback methods for JWT vs. normal browser? There's very little overlap other than persisting the token and running these callbacks.

We had thought of splitting it into two but there seems to be a general pattern of processing the callback where we are doing the following:

respond_with_error if invalid_request?
store_access_token
perform_post_authenticate_jobs
respond_successfully

The only difference is that the other flow returns early when needing to get an online (user) token. So we had to leave the extra conditional. Also the reason why we have conditional splits between JWT and non-JWT is so that there is symmetry in where they diverge and that it's easier to see the boundaries for further refactoring in the future.

@rezaansyed rezaansyed force-pushed the fix-inconsistent-callback-flow branch from 91485f5 to ebcdf65 Compare September 23, 2020 13:31
@rezaansyed
Copy link
Contributor Author

No test for the install_script_tags action?

Nice catch! Just added :)

@rezaansyed rezaansyed merged commit d76175c into master Sep 23, 2020
@rezaansyed rezaansyed temporarily deployed to rubygems September 23, 2020 15:14 Inactive
@paulomarg paulomarg mentioned this pull request Sep 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lstp lstp lstp left review comments

@paulomarg paulomarg paulomarg approved these changes

@ragalie ragalie ragalie approved these changes

@alexaitken alexaitken Awaiting requested review from alexaitken

@greatestape greatestape Awaiting requested review from greatestape

@minichate minichate Awaiting requested review from minichate

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rezaansyed @ragalie @lstp @paulomarg