
App must set security headers to protect against clickjacking && App must verify the authenticity of the request from Shopify. about laravel-shopify (closed)

DeveloperHashmi commented on June 10, 2024
App must set security headers to protect against clickjacking && App must verify the authenticity of the request from Shopify.

from laravel-shopify.

Comments (10)

Kyon147 commented on June 10, 2024

Hey @DeveloperHashmi

Clickjacking has been fixed if you update to 17.2.0.

The other issue looks like the auth/token which runs before each request is being picked up on the OAUTH which is not allowed.

We may have to tweak this but I've not looked at the code for the token route, so @osiset will have more insight.


Kyon147 commented on June 10, 2024

@DeveloperHashmi - the fix is moving to an SPA app really and then we push out a new PR that bypasses the blade token requirement.

Are you using react or vue to scaffold your frontend?


Kyon147 commented on June 10, 2024

Just updating here, I've had an app pass the security review using v17.3.1 but importantly, it passed because it was using VueJs as the frontend and did not use the auth/token route.

cc @osiset


Kyon147 commented on June 10, 2024

@osiset - looking into this a bit more - I think blade might have to be killed off...


Shopify are leaning towards SPAs - they do say Turbolinks can be used but I've never used it. The biggest problem at the moment is the /auth/token route can no longer happen after OAUTH.

So we might need to get that SPA PR out as it will help move the app package to be more user friendly with SPA and bypasses the need for the token request between each route anyway which would then solve the installation rejections.


DeveloperHashmi commented on June 10, 2024

Hi @Kyon147,
Thanks for the reply. May I know the expected timeline for this fix?

I'm already using 17.2.0 (SS attached for your reference).

FYI: I already followed the instructions from #1070 and #1176 for security headers to protect against clickjacking.


DeveloperHashmi commented on June 10, 2024

I'm not using react or vue. I am using Laravel blade itself for view. @Kyon147


Kyon147 commented on June 10, 2024

I'll see what @osiset thinks, but we might have to get the session token after hitting the home route (to avoid the OAuth redirect issue); osiset has a deeper understanding of this package's auth and how possible this is.

With Shopify itself saying multi-page apps are not supported unless you make them function like an SPA, they are moving away from multi-page apps.


gnikyt commented on June 10, 2024

Someone previously coded in support for Turbolinks, so I am not sure what we would need to do to resolve it.

Essentially (IMO), Shopify is cornering developers to use their toolsets and ecosystem recommendations. They want JWT used, they want (only) React used, they want (only) Polaris used. Anything outside of that, they are continually pushing away and making it difficult.

I think as a broader conversation, we have to take into consideration our disadvantage in being able to control the platform anymore. When Shopify apps first started, it was majorly basic... an iframe with an HMAC you had to verify, that was it. It has ballooned into something way more complex and more and more controlled by Shopify.

So... do we keep fighting uphill and trying to support everything everyone wants to do (with workarounds), or conform...

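The two checks named in the issue title, shown as an added example in plain PHP (not code from the laravel-shopify package): verifying the `hmac` query signature Shopify attaches to requests, validating the shop domain, and emitting the `frame-ancestors` header that prevents clickjacking. The secret, shop and query values below are constructed for the demo; the HMAC canonicalization and header value follow Shopify's documented requirements.

```php
<?php
declare(strict_types=1);

// Checks an embedded Shopify app must pass in review: the signed `hmac` query
// parameter, a well-formed shop domain, and a CSP that restricts framing.

/** True when the shop parameter is a well-formed *.myshopify.com hostname. */
function isValidShopDomain(string $shop): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$/', $shop);
}

/**
 * Shopify signs every query parameter except `hmac`: keys sorted, joined as
 * key=value&key=value, HMAC-SHA256 with the app's API secret, hex encoded.
 * Returns false for a missing or tampered signature or a malformed shop value.
 */
function shopifyRequestIsAuthentic(array $query, string $apiSecret): bool
{
    if (!isset($query['hmac'], $query['shop']) || !is_string($query['hmac'])
        || !is_string($query['shop']) || !isValidShopDomain($query['shop'])) {
        return false;
    }
    $provided = $query['hmac'];
    unset($query['hmac']);
    ksort($query, SORT_STRING);
    $pairs = [];
    foreach ($query as $key => $value) {
        if (!is_scalar($value)) {
            return false; // repeated (array) params need Shopify's special encoding; reject here
        }
        $pairs[] = $key . '=' . (string) $value;
    }
    $expected = hash_hmac('sha256', implode('&', $pairs), $apiSecret);
    return hash_equals($expected, strtolower($provided)); // constant-time comparison
}

/** CSP value Shopify requires so only the merchant's admin can frame the app. */
function frameAncestorsHeader(string $shop): string
{
    return "frame-ancestors https://{$shop} https://admin.shopify.com;";
}

// Constructed sample: a query signed here with a placeholder secret, then tampered.
$secret = 'placeholder-api-secret';
$query = ['shop' => 'example.myshopify.com', 'timestamp' => '1700000000', 'host' => 'abc'];
$query['hmac'] = hash_hmac('sha256', 'host=abc&shop=example.myshopify.com&timestamp=1700000000', $secret);
var_dump(shopifyRequestIsAuthentic($query, $secret));
$query['timestamp'] = '1700000001'; // any change to a signed parameter invalidates the hmac
var_dump(shopifyRequestIsAuthentic($query, $secret));
echo 'Content-Security-Policy: ' . frameAncestorsHeader('example.myshopify.com') . PHP_EOL;
```

In a Laravel app the same two functions would sit in a middleware that rejects the request on a failed check and sets the header on the response.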

Kyon147 commented on June 10, 2024

@osiset - I personally don't use the Blade templates with this package. I use VueJS and have my own Polaris component library that I maintain.

So it might be worth leaning towards that as a requirement, more so with the "frontend_engine" feature we just implemented.

My latest app with the new version is going into review soon - so if it passes review and ends up on the store we have a real-world example to base it on.

I'm currently working on a "vue-app-bridge" package too which works the same as their react one.


Kyon147 commented on June 10, 2024

Going to close this for now as it looks like blade templates don't fit at the moment with the apps overall.
