Shopify / koa-shopify-auth

DEPRECATED Middleware to authenticate a Koa application with Shopify
MIT License

Invalid OAuth callback. #155

Closed blackmo18 closed 1 year ago

blackmo18 commented 2 years ago

Issue summary

I got an OAuth callback invalid error.

Expected behavior

Should be able to authenticate and redirect.

Actual behavior

What actually happens?

{host_url}/auth/callback?code=91a269e6b25ddca14f72129a73dfa7d5&hmac=83acb40b030437652bc9eac09b3aea3144f4958476f7895bf7105febd64c5dda&host=dGVzdC1zdG9yZS1sb2NhbC0yMDIyLTAzLTA3LTA0Lm15c2hvcGlmeS5jb20vYWRtaW4&shop=test-store-local-2022-03-07-04.myshopify.com&state=921950700434720&timestamp=1646719791

After I clicked "install app" it would go to the URL above, and the error happens.

Steps to reproduce the problem

use the following code snippets

import Koa from 'koa'
import Shopify, { ApiVersion } from '@shopify/shopify-api'
import shopifyAuth from '@shopify/koa-shopify-auth'

Shopify.Context.initialize({
  API_KEY: SHOPIFY_API_KEY,
  API_SECRET_KEY: SHOPIFY_API_SECRET_KEY,
  SCOPES: shopifyRequestScopes,
  HOST_NAME: HOST.replace('https://', ''),
  API_VERSION: ApiVersion.January22,
  IS_EMBEDDED_APP: false,
  // More information at https://github.com/Shopify/shopify-node-api/blob/main/docs/issues.md#notes-on-session-handling
  SESSION_STORAGE: new Shopify.Session.MemorySessionStorage(),
})

// server is the Koa application instance the middleware is mounted on
const server = new Koa()

server.use(
  shopifyAuth({
    accessMode: 'offline',
    async afterAuth(ctx) {
      const authState: ShopifyAuthState = ctx.state.shopify

      // httpOnly: false so the browser-side code can read the shop origin
      ctx.cookies.set('shopOrigin', authState.shop, {
        httpOnly: false,
        secure: true,
        sameSite: 'none',
      })
      // redirect login
    },
  }),
)

nacmonad commented 2 years ago

Trying to generate an offline token with code similar to the above, just with the prefix '/install'.
I was able to repeatedly generate the token (after clearing it from the cache) yesterday. Possibly related (so I am lurking this thread eagerly...). However, I rotated the API_SECRET, and since using the new secret I have been receiving this error when attempting to generate an offline session.

I am using a redis cache for storage, so I am able to log the Session at least up to a point before 'afterAuth' runs. When redis caches this session, the storeCallback attempts to run when the new session is created; however, there is no accessToken (the token would typically be here):

Session { id: 'offline_MYSHOP.myshopify.com', shop: 'MY_SHOP.myshopify.com', state: '666666666666666', isOnline: false }

The Session with no accessToken is stored, then the redirect to the "Invalid OAuth callback" screen occurs, and the async afterAuth(ctx) doesn't run.

timotanhong commented 2 years ago

I observe the same as @nacmonad: two sessions are generated in my redis, but one of them doesn't have an accessToken:

get aea32abc-264a-4a32-9be2-b810dbcea464 "{\"id\":\"aea32abc-264a-4a32-9be2-b810dbcea464\",\"shop\":\"xxxx.myshopify.com\",\"state\":\"207198961349482\",\"isOnline\":true}"
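To make the "Invalid OAuth callback" rejection concrete, here is an added example (not code from koa-shopify-auth or @shopify/shopify-api, and not a reproduction of their internals) of the checks a Shopify OAuth callback like the one in the report has to pass before the code can be exchanged for a token: the shop parameter must be a *.myshopify.com host, the state must equal the nonce saved in the session that was created when the flow started (the session with a state but no accessToken that the two comments above show is exactly that pre-callback record), the timestamp must be fresh, and the hmac must verify under the current API secret. The last check is why a rotated API_SECRET makes every callback fail: Shopify signed it with the secret the app had when the install link was generated. The secret, app host and parameter values below are constructed for the example; the canonicalisation (drop hmac, sort the remaining key=value pairs by key, join with &) follows Shopify's published description and uses the decoded values without re-encoding, which is an assumption that holds for the fields used here.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed for this example only; not a real Shopify credential.
export const EXAMPLE_SECRET = "example-api-secret-not-real";

/**
 * Canonical string Shopify signs for an OAuth callback: every query
 * parameter except `hmac`, as key=value pairs sorted by key, joined with `&`.
 * Assumption: values are used as URLSearchParams decodes them, no re-encoding.
 */
export function canonicalQuery(params: URLSearchParams): string {
  const pairs: Array<[string, string]> = [];
  params.forEach((value, key) => {
    if (key !== "hmac") pairs.push([key, value]);
  });
  pairs.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
  return pairs.map(([k, v]) => `${k}=${v}`).join("&");
}

/** Hex HMAC-SHA256 of the canonical query under the app's API secret. */
export function computeHmac(params: URLSearchParams, secret: string): string {
  return createHmac("sha256", secret).update(canonicalQuery(params)).digest("hex");
}

/** Constant-time comparison of two hex digests; empty or mismatched lengths fail. */
function digestsEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ab.length > 0 && ab.length === bb.length && timingSafeEqual(ab, bb);
}

export interface CallbackCheck {
  ok: boolean;
  reason: string;
}

// Only Shopify-hosted shop domains are acceptable as the `shop` parameter.
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;

/**
 * Decide whether a request to /auth/callback may proceed to the token exchange.
 * `storedState` is the nonce the app saved in its session when it redirected
 * the merchant to Shopify; `nowSeconds` is injected so the clock can be pinned.
 */
export function verifyCallback(
  callbackUrl: string,
  secret: string,
  storedState: string | undefined,
  nowSeconds: number,
  maxAgeSeconds = 300,
): CallbackCheck {
  const params = new URL(callbackUrl).searchParams;
  const shop = params.get("shop") ?? "";
  const hmac = params.get("hmac") ?? "";
  const state = params.get("state") ?? "";
  const timestamp = Number(params.get("timestamp"));

  if (!SHOP_RE.test(shop)) return { ok: false, reason: "shop is not a *.myshopify.com host" };
  if (!storedState) return { ok: false, reason: "no pending OAuth session for this request" };
  if (state !== storedState) return { ok: false, reason: "state does not match the stored nonce" };
  if (!Number.isFinite(timestamp) || Math.abs(nowSeconds - timestamp) > maxAgeSeconds) {
    return { ok: false, reason: "timestamp missing or too old" };
  }
  if (!digestsEqual(hmac, computeHmac(params, secret))) {
    return { ok: false, reason: "hmac does not verify under this API secret" };
  }
  if (!params.get("code")) return { ok: false, reason: "authorization code missing" };
  return { ok: true, reason: "callback accepted; exchange code for an access token" };
}

/** Build a callback URL signed the way Shopify would, to exercise the verifier. */
export function buildSignedCallback(
  base: string,
  fields: Record<string, string>,
  secret: string,
): string {
  const url = new URL(base);
  for (const [k, v] of Object.entries(fields)) url.searchParams.set(k, v);
  url.searchParams.set("hmac", computeHmac(url.searchParams, secret));
  return url.toString();
}

// Constructed sample with the same shape as the URL in the report; values are fake.
export const SAMPLE_BASE = "https://app.example.com/auth/callback";
export const SAMPLE_FIELDS: Record<string, string> = {
  code: "91a269e6b25ddca14f72129a73dfa7d5",
  host: "dGVzdC1zdG9yZS5teXNob3BpZnkuY29tL2FkbWlu",
  shop: "test-store.myshopify.com",
  state: "921950700434720",
  timestamp: "1646719791",
};
export const SAMPLE_URL = buildSignedCallback(SAMPLE_BASE, SAMPLE_FIELDS, EXAMPLE_SECRET);
export const SAMPLE_NOW = 1646719800; // nine seconds after the sample timestamp

// Stand-alone run: a valid callback, then the rotated-secret case from the thread.
console.log(verifyCallback(SAMPLE_URL, EXAMPLE_SECRET, SAMPLE_FIELDS.state, SAMPLE_NOW));
console.log(verifyCallback(SAMPLE_URL, "rotated-secret", SAMPLE_FIELDS.state, SAMPLE_NOW));
```

The order of the checks matters for what an attacker learns: the shop and state checks cost nothing and fail closed before any secret-dependent work, and the hmac comparison is constant-time so a forged callback cannot be refined byte by byte. A state value that is never bound to a session (the second `Session` above with no accessToken is that binding) would let a third party complete the flow on behalf of a logged-in merchant, so the stored-nonce check is not optional.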

pnyennhi commented 2 years ago

Any solutions? I'm having the same issue

muhammadkaleem57 commented 2 years ago

I'm having the same issue.

daviareias commented 2 years ago

I was adding the prefix to the HOST variable in the .env file and the shopifyAuth function.

This was causing the shopifyAuth function to return a callback with doubled prefix like this:

/prefix/prefix?shop=myshop.myshopify.com&host=hmackey

github-actions[bot] commented 1 year ago

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.