discolabs / django-shopify-auth

A package for adding Shopify authentication to a Django app.
MIT License

`session-token` auth finalization view doesn't log users in #81

Closed. kienankb closed this 2 years ago

kienankb commented 2 years ago

Hello! I'm updating an app that uses this package to use session token auth instead of cookies, and after investigating a redirect loop, I think I've discovered that the "finalize" view used for session token auth doesn't log a user in the way the cookie-based auth views do.

shopify_auth.views.finalize() has the lines:

```python
from django.contrib import auth  # where auth.authenticate / auth.login come from

# shopify_session.url is the *.myshopify.com domain, shopify_session.token the offline access token
user = auth.authenticate(request=request, myshopify_domain=shopify_session.url, token=shopify_session.token)
if user:
    auth.login(request, user)  # stores the user id in the cookie-backed Django session
```

but shopify_auth.session_tokens.views.FinalizeAuthView.get() doesn't have this code. Adding those lines into the view seems to log in the user and make the app behave as intended.

Is this a valid issue and a potential fix or am I using the auth views in an unintended manner? Thanks in advance so much for the help.

stlk commented 2 years ago

Hi kienan,

shopify_auth.session_tokens.views.FinalizeAuthView.get() is now supposed to only do post-installation steps, like saving the API token and kicking off any after-install work. You can't really authenticate since the cookie might not get stored.

Instead of the usual Django login session, session_tokens use "shopify_auth.session_tokens.middleware.SessionTokensAuthMiddleware" to authenticate requests when the header is present.

Hope this helps. If not please tell me more about your app. Is it SPA or are you using something like Turbolinks?

kienankb commented 2 years ago

Thanks for responding! My app isn't an SPA or using something like Turbolinks, and SessionTokensAuthMiddleware is already in my settings file; the views have been using the login_required decorator from shopify_auth.decorators. Could that be causing the problem here?

kienankb commented 2 years ago

Update: tried reworking the views to use a custom mixin as in the demo app, and it's still not logging my user in. Should my app be explicitly calling the auth.authenticate(... lines somewhere in a view?

stlk commented 2 years ago

> Thanks for responding! My app isn't an SPA or using something like Turbolinks, and SessionTokensAuthMiddleware is already in my settings file; the views have been using the login_required decorator from shopify_auth.decorators. Could that be causing the problem here?

That's most likely the problem. I recommend you read https://shopify.dev/apps/auth/oauth/session-tokens. They do a much better job of explaining it than I could :) But in short you need to use an authentication header instead of cookies to authenticate, and that can only be done with some amount of JavaScript involved, with Turbolinks being the least invasive approach.

I also updated the demo app to work with the latest version of django-shopify-auth, cleaned it up a bit and added billing.
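The two replies above say what a session-token middleware does instead of the cookie login: it authenticates a request only when a bearer token is present in the header, and that token is verified rather than trusted. The following is an added example written for this page, not code from django-shopify-auth or the demo app. It implements the checks Shopify documents for session tokens (HS256 signature with the app secret, exp/nbf window, aud equal to the app's API key, iss and dest naming the same shop) with only the standard library, so it runs offline. The API key, secret, shop name and claim values are constructed for the example; a real middleware would read the header from request.META["HTTP_AUTHORIZATION"] and look up the shop in the database instead of returning its domain. The sign_session_token helper exists only to build test tokens; in production Shopify issues the token and the app only verifies it.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Hypothetical app credentials, constructed for this example only.
API_KEY = "example-api-key"
API_SECRET = "example-api-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session_token(claims: dict, api_secret: str) -> str:
    """Build an HS256 JWT shaped like a Shopify session token (test input only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(api_secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_session_token(token: str, api_key: str, api_secret: str, now=None) -> dict:
    """Return the claims of a valid session token, or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token pick it (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(api_secret.encode(), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != api_key:
        raise ValueError("token issued for another app")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if now < float(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    shop = urlparse(claims.get("dest", "")).hostname
    if not shop or not shop.endswith(".myshopify.com"):
        raise ValueError("dest is not a myshopify.com shop")
    if urlparse(claims.get("iss", "")).hostname != shop:
        raise ValueError("iss and dest name different shops")
    return claims


def authenticate_request(headers: dict, api_key: str, api_secret: str, now=None):
    """Middleware behaviour: the shop domain if a valid bearer token is present, else None.

    No cookie is consulted, which is why a cookie-only login_required view
    sees an anonymous user under session-token auth.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        return urlparse(verify_session_token(token, api_key, api_secret, now)["dest"]).hostname
    except ValueError:  # covers bad base64 and bad JSON too (both subclass ValueError)
        return None


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the checks over constructed tokens at a fixed clock."""
    shop = "example-shop.myshopify.com"
    claims = {
        "iss": f"https://{shop}/admin", "dest": f"https://{shop}", "aud": API_KEY,
        "sub": "42", "exp": now + 60, "nbf": now - 1, "iat": now - 1,
        "jti": "constructed-jti", "sid": "constructed-sid",
    }
    good = sign_session_token(claims, API_SECRET)
    expired = sign_session_token({**claims, "exp": now - 1}, API_SECRET)
    forged = sign_session_token(claims, "not-the-app-secret")
    return {
        "good": authenticate_request({"Authorization": f"Bearer {good}"}, API_KEY, API_SECRET, now),
        "expired": authenticate_request({"Authorization": f"Bearer {expired}"}, API_KEY, API_SECRET, now),
        "forged": authenticate_request({"Authorization": f"Bearer {forged}"}, API_KEY, API_SECRET, now),
        # A cookie-only request, like the ones login_required views expect: no header, no auth.
        "cookie_only": authenticate_request({"Cookie": "sessionid=abc"}, API_KEY, API_SECRET, now),
    }


if __name__ == "__main__":
    print(demo())
```

The "cookie_only" case is the situation described in this thread: with only the Django session cookie present and no Authorization header, a session-token middleware has nothing to verify and the request stays anonymous, so the client has to attach the token (via App Bridge, Turbolinks, or similar) on every request.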

kienankb commented 2 years ago

Been a while since following up on this, but I wanted to thank you again for the advice--did a lot more research and reworking, and ended up implementing Turbolinks as suggested. Your feedback and responses helped me gain a much better and deeper understanding of the underlying data flow and the demo app was an invaluable reference!