Shopify / koa-shopify-auth

DEPRECATED Middleware to authenticate a Koa application with Shopify
MIT License

ACTIVE_SHOPIFY_SHOPS documentation and example #71

Closed jt274 closed 1 year ago

jt274 commented 3 years ago

Overview/summary

There is little documentation in regard to the ACTIVE_SHOPIFY_SHOPS hash. Documentation mentions it is important, but does not give much detail.

Motivation

Current documentation in the tutorial (https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/embed-your-app-in-shopify) reads:

Create the ACTIVE_SHOPIFY_SHOPS hash and track shops that complete OAuth. Your app needs this to decide whether a new shop needs to perform OAuth to install it:
Storing the active shops in memory will force merchants to go through OAuth again every time your server is restarted. We recommend you persist the shops to minimize the number of logins merchants need to perform.

The documentation does not make the following clear:

  1. Should this variable store active shops that only the current authorized user has installed this app on?
  2. Should this variable store a list of ALL shops across Shopify that have installed this app, regardless of the user?
  3. At what point should the current active shops be loaded? I would assume before auth is complete.
  4. How exactly is the ACTIVE_SHOPIFY_SHOPS related to the storing/recall of the user session?
  5. Is there any difference for online or offline session modes?
paulomarg commented 3 years ago

Hey @jt274, thanks for this. It was pointed out (https://github.com/Shopify/shopify-app-node/issues/575#issuecomment-801952798) that this approach is only actually suited for offline tokens, we'll update the examples and tutorials accordingly.

To answer your questions:

  1. Yes, the idea is to keep track of which shops have already gone through OAuth so we don't need to again. Since offline sessions never expire, apps can save OAuth trips by checking that before doing anything else.
  2. As I mentioned in my comment above, this only makes sense for offline tokens. For online tokens, the / endpoint should simply load the app skeleton and check whether there is a session via verifyRequest to trigger OAuth only when it becomes necessary.
  3. Since this is mostly helpful to prevent unnecessary OAuth trips, it should be done right before we would otherwise trigger an OAuth flow.
  4. It's not really related to sessions, it is only there to make app loading more efficient, so we don't trigger OAuth on every page refresh.
  5. As above!

Hope this helps! We'll also keep these questions in mind when we update the examples.

avocadoslab commented 3 years ago

Hey @paulomarg, curious if you got an opportunity to update the documentation & example around this.

github-actions[bot] commented 1 year ago

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.