Simplify the auth flow by removing the full page redirect. #1075
Conversation
…into feature/simplify-the-auth-flow
|
This makes a dramatic positive difference to the auth flow. |
|
Hey @osiset - as you are very busy, do you want me to merge this into master and create a new release. This should help a lot of users who are currently getting rejected from Shopify because of the "auth/token" redirect creates in between OAUTH which is against their guidelines. Let me know and i can get this out today and set up a patch release. |
|
Sure!
…On Wed., Apr. 27, 2022, 07:06 Luke Walsh, ***@***.***> wrote:
Hey @osiset <https://github.com/osiset> - as you are very busy, do you
want me to merge this into master and create a new release. This should
help a lot of users who are currently getting rejected from Shopify because
of the "auth/token" redirect creates in between OAUTH which is against
their guidelines.
Let me know and i can get this out today and set up a patch release.
—
Reply to this email directly, view it on GitHub
<#1075 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AASO4OUVVHV4BCXZ7BS5L5TVHEDBFANCNFSM5NSCZ35Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@Kyon147 i think i've discovered an issue here. If
The redirect fails with the old classic
... as we know, and as is referenced here: https://community.shopify.com/c/shopify-apis-and-sdks/changing-scope-x-frame-options/td-p/1193972 Obviously, because if you are in an iframe, one cannot simply: Any ideas? |
|
Yeah I noticed the same issue, we need to move back to the full page redirect in this instance much like when you change the api scopes the same issue happens. There's another auth PR which needs to be merged #1097 as this fixes the other issue bust sorts out the iframe redirect one too by moving it back as before. I'd move back to v17.1.0 for now. I'll create a hotfix for the current release to remove my PR but keep the other fixes. |
|
This works, but is there a particular reason it shouldn't be done this way?
`` |
|
@Kyon147 apologies, but this seemed to miss your attention. Do you have any thoughts on if the above would be acceptable? |
|
Hey @stevesweets It's sort of the same result as #1097 but this PR uses the AppBridge functions which is probably a little more inline with Shopify if they ever come back on a App Review. Your way would work in the same essence as the fullpage_redirect view does effectively the same thing. |
Ok nice, thanks for the response :) |
|
I've been reading through this. So does this mean if I upgrade to 17.2.0 my app should automatically send merchants to reauthenticate if I change the scopes? I ask because I am adding a new scope and when I add it my test store does not automatically reauth. I am currently on 17.1, I am wondering if upgrading to 17.2 will fix my issue. It sounds like it will. |
|
Hey @talktohenryj - yeah upgrading to 17.2 should fix that issue for you. |
|
hmmm, i did the update but still have the issue. Do I need to be on a specific PHP version? I am currently running 7.4 on dev and production. |
it may be relevant, it may not - but, it will only reauth when the current session ends. |
This PR looks to reduce the complexity around the Auth flow but keep the same functionality.
it looks to hopefully solve the issue here around #1073 that because of the "auth/token" coming first before the oAuth it fails the Shopify public app requirements.
By just redirecting to the pure URL which is built it removes the need to use the
full pageredirect.