Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve embedded requests detection with Sec-Fetch-Dest header #1873

Merged
merged 2 commits into from
Jul 11, 2024
Merged

Improve embedded requests detection with Sec-Fetch-Dest header #1873

merged 2 commits into from
Jul 11, 2024

Conversation

kirillplatonov
Copy link
Contributor

@kirillplatonov kirillplatonov commented Jul 4, 2024
edited
Loading

What this PR does

Token exchange concern uses embedded param to determine whether request should be redirected to embedded or bounce page should be displayed: https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/controller_concerns/token_exchange.rb#L67

It works well when the app just loaded and Shopify provided all necessary params with id_token. But subsequent requests in app won't have embedded param in the URL. Meaning, that in case of invalid token error, the app will try to redirect user to embedded within iframe and it will lead to browser error:
image

To solve this problem, I found an alternative way to detect embedded using Sec-Fetch-Dest browser header. It's a nice fallback to embedded param and should help us correctly detect embedded requests and redirect them properly.

References:

Checklist

Before submitting the PR, please consider if any of the following are needed:

  • Update CHANGELOG.md if the changes would impact users
  • Update README.md, if appropriate.
  • Update any relevant pages in /docs, if necessary
  • For security fixes, the Disclosure Policy must be followed.

@kirillplatonov kirillplatonov requested a review from a team as a code owner July 4, 2024 10:53
@kirillplatonov kirillplatonov changed the title Improve embedded requests detection with Sec-Fetch-Dest header Improve embedded requests detection with Sec-Fetch-Dest header Jul 4, 2024
@kirillplatonov kirillplatonov force-pushed the better-embedded-detection-with-token branch 2 times, most recently from c005f01 to 34ebfe6 Compare July 4, 2024 10:55
@kirillplatonov kirillplatonov force-pushed the better-embedded-detection-with-token branch from 34ebfe6 to 62f3f80 Compare July 4, 2024 10:55
@kirillplatonov
Copy link
Contributor Author

@matteodepalo @zzooeeyy another important fix for token exchange auth to handle invalid token errors properly.

@kirillplatonov
Copy link
Contributor Author

cc @lizkenyon

paulomarg
paulomarg approved these changes Jul 11, 2024
View reviewed changes
Copy link
Contributor

@paulomarg paulomarg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for this!

@paulomarg paulomarg merged commit 430c05f into Shopify:main Jul 11, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulomarg paulomarg paulomarg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kirillplatonov @paulomarg