Implement JWT callback endpoint

[ragalie]

Goals

When we receive an OAuth callback with a JWT in the headers, we want to do two things:

1. Validate that the omniauth data matches the JWT data.
2. Persist the token information to the session store.

Implementation

1. It's a bit of a pain to have two separate callback paths in omniauth. There is a callback_path option, and it does take a block, but I'm a little unclear about how it knows how to start the normal OAuth flow if you use a block for this option. I elected to incorporate the JWT flow into the existing callback path in a backwards-compatible fashion.
2. Omniauth tries to check the state param as part of the callback action and throws an error if the param doesn't exist or doesn't match the param in the session. We won't have a param in the session in this context. So we need to conditionally disable the state check, based on whether we have a valid JWT. This is safe, I believe, because the goal of the state check is to avoid CSRF, and we can trust the JWT as evidence that the user is doing this from the Shopify context.

• To make this work, I moved the JWT logic into a Rack middleware. This has two benefits: (1) it means that other Rack middleware (such as omniauth) can make decisions based on the JWT data, and (2) it allows any Rack application to decode our JWT, even if they're not using Rails or the shopify_app controller stuff.

[theundeadmonk]

Is there a reason we prefer not to override the old callback endpoint to handle both cases based on whether enable_jwt_auth is set in the config?

Would that be easier since we then wouldn't have to keep track of both urls.

[ragalie]

I don't think we can do that because the existing callback endpoint has to run for the initial install (to get the shop token), even if allow_jwt_authentication is true.

[theundeadmonk]

Should we use head(:no_content) instead?

[ragalie]

I'd rather stick with OK because I think we're likely to add some content later, and I don't want apps to break when the status code switches from 204 => 200.

[rezaansyed]

Since this is only for user tokens, should we call this user_callback?

[ragalie]

I think it's more tightly coupled to the jwt aspect than the user aspect, since the other callback endpoint can also handle user tokens.

[ragalie]

Ok, so there are some issues with the current approach :) Here's what I've discovered:

1. It's a bit of a pain to have two separate callback paths in omniauth. There is a callback_path option, and it does take a block, but I'm a little unclear about how it knows how to start the normal OAuth flow if you use a block for this option. I'll probably switch to using /callback for both (as Adi originally suggested) since I'll be fighting less with omniauth.
2. Omniauth tries to check the state param as part of the callback action and throws an error if the param doesn't exist or doesn't match the param in the session. We won't have a param in the session in this context. So we need to conditionally disable the state check, based on whether we have a valid JWT. This is safe, I believe, because the goal of the state check is to avoid CSRF, and we can trust the JWT as evidence that the user is doing this from the Shopify context. cc @leleabhinav
3. We'll need to update the logic in the omniauth gem to support three settings for what kind of tokens are expected: only shop, only user, shop or user. Right now it supports either shop or user, and we use a hacky session thing to work around this, and that isn't viable for our use case. Since it's quite common to use both shop and user tokens, we should just natively support this.

I'll work on this later today and we can see how it looks and if we like it.

[theundeadmonk]

LGTM.
I was wondering if we could perhaps reject the request in the middleware itself if the JWT is invalid. Not sure if we have the Shop or the User info there, but we could check for things like expiry, etc. Just a thought.

[ragalie]

I'm reluctant to do that because some apps might use other bearer tokens in parts of their app. I think rejecting the request is more of a controller concern.

[greatestape]

Should this be if/elsif/else blocks rather than having the early return?

[greatestape]

Should this block of code be extracted out for single-level-of-abstraction reasons? It looks like we're doing that with jwt_callback above, and it seems nice.

[ragalie]

I tried cleaning this up for clarity, take a look and see what you think!

[rezaansyed]

Tophatted it with Adi and works as expected 👍

[ragalie]

@leleabhinav are you OK with where this ended up?

[leleabhinav]

@leleabhinav are you OK with where this ended up?
👍 🚢

[ragalie]

@Shopify/platform-dev-tools-education I'm ready for a review on this when you have a chance :) Thanks!

[tanema]

This looks good and an interesting approach. I wonder if in the future, the middleware could be extracted so that we could support more than just rails.

[ragalie]

For sure, I'm thinking we could pretty easily make that move if/when we think it would be useful.