Shopify / koa-shopify-auth

DEPRECATED Middleware to authenticate a Koa application with Shopify
MIT License

Facing 'Cannot complete OAuth process' when client time is not correct #88

Closed hparth closed 1 year ago

hparth commented 3 years ago

Issue summary

Facing 'Cannot complete OAuth process' during the /auth call when the client machine's (browser) time is not correct, e.g. when it is out of sync.

Expected behavior

Auth should not be dependent on the client machine's time.

Actual behavior

Facing 'Cannot complete OAuth process' during the /auth call when the client machine's (browser) time is not correct, e.g. when it is out of sync.

Error as below -

Cannot complete OAuth process. Could not find an OAuth cookie for shop url: xxxxx.myshopify.com
0|shopify- | at Object.throw (/var/www/html/shopify-app/node_modules/koa/lib/context.js:97:11)
0|shopify- | at /var/www/html/shopify-app/node_modules/@shopify/koa-shopify-auth/dist/src/auth/index.js:100:42
0|shopify- | at step (/var/www/html/shopify-app/node_modules/tslib/tslib.js:141:27)
0|shopify- | at Object.throw (/var/www/html/shopify-app/node_modules/tslib/tslib.js:122:57)
0|shopify- | at rejected (/var/www/html/shopify-app/node_modules/tslib/tslib.js:113:69)

Version I am using - "@shopify/koa-shopify-auth": "^4.1.2",

paulomarg commented 3 years ago

Hey @hparth, I understand the issue, but I suspect we may not be able to work around this. The OAuth process uses cookies, and it sets them to expire within a minute of starting the process to reduce the risk of attacks.

If the client browser's date is in such a state that it interprets that cookie as expired, we can't really do much from the server side, as we rely on the cookie being sent back from the client to know which client is going through OAuth.

benfarhner commented 3 years ago

@paulomarg This is also an issue when the client machine's time is correct, but the end user waits 60s before continuing the OAuth process, just like #130 on @shopify/shopify-api. I commented on that issue but I'm actually using koa-shopify-auth and would prefer to see it fixed in this library if possible by allowing us to handle the error rather than forcing a 500 server error. We're facing app rejections by Shopify because of this.

tolgap commented 3 years ago

This is kind of a big issue for me during development. I keep having to do full page reloads in order to get a valid token. I am receiving JSON Web Tokens from App Bridge with an nbf value in the future: https://github.com/Shopify/shopify-app-bridge/issues/59

@contributors: please consider adding a clockTolerance https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback to the OAuth setup.

I am not doing anything crazy with my development machine time(zone). It is synchronised with time.apple.com. Yet in the example of the linked issue from me, you can see that my JWT nbf is in the future quite often.

david-wb commented 3 years ago

I too am seeing this error. If someone waits too long on the install confirm page before clicking the green button this error happens. How can we resolve this?


github-actions[bot] commented 1 year ago

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.