Comments (10)
Hey @DeveloperHashmi
Clickjacking has been fixed if you update to 17.2.0.
The other issue looks like the auth/token which runs before each request is being picked up on the OAUTH which is not allowed.
We may have to tweak this but I've not looked at the code for the token route, so @osiset will have more insight.
from laravel-shopify.
@DeveloperHashmi - the fix is moving to an SPA app really and then we push out a new PR that bypasses the blade token requirement.
Are you using react or vue to scaffold your frontend?
from laravel-shopify.
Just updating here, I've had an app pass the security review using v17.3.1 but importantly, it passed because it was using VueJs as the frontend and did not use the auth/token route.
cc @osiset
from laravel-shopify.
@osiset - looking into this a bit more - I think blade might have to be killed off...
Shopify are leaning towards SPAs - they do say Turbolinks can be used but I've never used it. The biggest problem at the moment is the /auth/token route can no longer happen after OAUTH.
So we might need to get that SPA PR out as it will help move the app package to be more user friendly with SPA and bypasses the need for the token request between each route anyway which would then solve the installation rejections.
from laravel-shopify.
Hi @Kyon147,
Thanks for the reply. May I know the expected timeline for this fix?
I'm already using 17.2.0 (SS attached for your reference).
FYI: I already followed the instructions from #1070 and #1176 for security headers to protect against clickjacking.
from laravel-shopify.
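The clickjacking headers referred to above, as an added example that is not part of the original thread or of the laravel-shopify package: a Laravel middleware that emits a per-shop `Content-Security-Policy: frame-ancestors` header so the app only renders inside the merchant's Shopify admin, and validates the `shop` value before interpolating it. The middleware name and the use of the `shop` query parameter are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Added example, not laravel-shopify code: restrict which origins may
// frame the app so it cannot be embedded on an attacker-controlled page.
class ShopifyFrameAncestors
{
    // Only a well-formed *.myshopify.com host is allowed into the header;
    // this keeps a crafted "shop" value from injecting extra CSP sources.
    private const SHOP_PATTERN = '/^[a-z0-9][a-z0-9\-]*\.myshopify\.com$/i';

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        $response->headers->set(
            'Content-Security-Policy',
            self::policyFor($request->query('shop'))
        );
        return $response;
    }

    public static function policyFor(?string $shop): string
    {
        if ($shop === null || !preg_match(self::SHOP_PATTERN, $shop)) {
            // Unknown or malformed shop: refuse to be framed at all.
            return "frame-ancestors 'none'";
        }
        // The Shopify admin loads embedded apps from both the shop's own
        // domain and admin.shopify.com, so both must be listed.
        return "frame-ancestors https://{$shop} https://admin.shopify.com";
    }
}
```

Register the middleware on the routes that serve embedded pages; browsers that honour `frame-ancestors` ignore `X-Frame-Options` when both are present, so the CSP header is the one to get right.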
I'm not using react or vue. I am using Laravel blade itself for view. @Kyon147
from laravel-shopify.
I'll see what @osiset thinks but we might have to get the session token after hitting the home route (to avoid the oauth redirect issue) but osiset has a deeper understanding of this package's auth and how possible this is.
With Shopify itself saying multi page apps are not supported unless you make it function like an SPA they are moving away from multipage apps.
from laravel-shopify.
Someone previously coded in support for Turbolinks, so I am not sure what we would need to do to resolve it.
Essentially (IMO), Shopify is cornering developers to use their toolsets and ecosystem recommendations. They want JWT used, they want (only) React used, they want (only) Polaris used. Anything outside of that, they are continually pushing away and making it difficult.
I think as a broader conversation, we have to take into consideration our disadvantage in being able to control the platform anymore. When Shopify apps first started, it was majorly basic... an iframe with an HMAC you had to verify, that was it. It has ballooned into something way more complex and more and more controlled by Shopify.
So... do we keep fighting uphill and trying to support everything everyone wants to do (with workarounds), or conform...
from laravel-shopify.
@osiset - I personally don't use the Blade templates with this package. I use VueJS and have my own Polaris component library that I maintain.
So it might be worth leaning towards that as a requirement, more so with the "frontend_engine" feature we just implemented.
My latest app with the new version, is going into review soon - so if it passes review and ends on the store we have a real world example to base it on.
I'm currently working on a "vue-app-bridge" package too, which works the same as their React one.
from laravel-shopify.
Going to close this for now as it looks like blade templates don't fit at the moment with the apps overall.
from laravel-shopify.