Include session-token in app-proxy & webhook headers #1621

Open
jonathanstanley opened this issue Oct 9, 2024 · 1 comment
Comments

@jonathanstanley

jonathanstanley commented Oct 9, 2024

Overview/summary

Currently Shopify sends the session-token as part of the authorization header, or in the query search parameters:

```javascript
function getSessionTokenHeader(request) {
  // Get session token from header `authorization`
  // Header format is: {"Authorization": "Bearer this-is-the-session-token"}
  // Return "this-is-the-session-token" from request header
  const auth = request.headers.get('Authorization') || '';
  const match = /^Bearer\s+(\S+)$/i.exec(auth);
  return match ? match[1] : undefined;
}
function getSessionTokenFromUrlParam(request) {
  // Get session token from the request URL param
  // The param is "id_token"
  // Example: "${app_url}/?shop=${shop}&id_token=this-is-the-session-token"
  // Return "this-is-the-session-token" from URL param
  return new URL(request.url).searchParams.get('id_token') || undefined;
}
```

Those are used to obtain a valid session (ex: to perform Shopify GQL queries) via token-exchange. However, app proxy and webhooks do not provide a session-token to perform any Shopify queries. Instead, the keys are stored in outside databases:

```typescript
const session = await config.sessionStorage!.loadSession(sessionId);
```

Also, app proxies have a contrived validation scheme (which itself caused other issues). It introduces a number of additional complications.

  • An additional attack surface via breach of access tokens / security weakened
  • An entirely different authorization model (instead of token exchange as done elsewhere)
  • Requires a database (and setup, and maintenance, and costs)
  • Shopify maintaining a number of extra db wrappers

Enhancement

This would be much easier if app-proxy and webhooks included a session-token that could be exchanged for an access-token. Or even better would be JWT / JWE, which would avoid the extra network calls altogether.

Additionally:
Pick a header name that can be used consistently (ex: request.headers.shopify-session-token). This would be better than sometimes the authorization header, sometimes a query parameter, and sometimes a separate header.

@byrichardpowell
Contributor

Hey Jonathan 👋

Thanks so much for your detailed issue. I really appreciate that you highlighted not only a fix, but also the 2nd order effects and opportunities.

I agree there is an opportunity here. We are going to add this to our backlog and I'll be pushing for a change.

@jonathanstanley jonathanstanley changed the title Include session-token in app-proxy headers Include session-token in app-proxy & webhook headers Oct 28, 2024