Should sharedSecret be the secret key from Shopify or something I make up myself?

Hello. I've got a use-case where I require both an offline and online access token. An offline access token for performing background tasks that interact with the Shopify store, and an online access token so I can get details of the logged in user to display within a timeline of events for my Shopify app.

Using your library, what would be the best way of achieving this?

Would you suggest performing 2 Oauth flows, first for the offline access token (save it), then immediately after another for the online access token (save and check expiry on each page load)? Do you have an example of how this would work or is there some other way I have to tackle this requirement?

Thanks.

encodeValue looks like this (https://github.com/lpinca/shopify-token/blob/master/index.js#L7-L29)

function encodeValue(input) {
  return input.replace(/&/g, '%26').replace(/%/g, '%25');
}

If input was '&', it would return '%2526' – the % from the first replace is replaced again in the 2nd one.

Is there a reason not to use use encodeURIComponent?
Or perhaps,

input.replace(/[&%]/g, function(c) { return encodeURIComponent(c); })

?

Thanks

If I only need to verifyHmac, why is redirectUri required?

I am not sure if this works as intended after the application is already installed, since it automatically injects myshopify.com

return url.format({
      pathname: '/admin/oauth/authorize',
      hostname: `${shop}.myshopify.com`,
      protocol: 'https:',
      query
    });

My first round was fine, but after the app is installed and the link is present in the user's dashboard, I think it keeps adding myshopify.com resulting in some wonky urls like:

made2measure-example.myshopify.com.myshopify.com

It actually took me a couple of hours to finally address this, which I did with:

if (uri.match(/.myshopify.com/gi).length > 0) {
      uri.replace('.myshopify.com', '')
    }

Hello,

Is there a reason why the verification would fail if there are arrays in the request. For example if you would want to verify the Action Drop Down (that contains multiple ids of products etc)?

Kasimir

Currently this only supports offline access mode (https://help.shopify.com/en/api/getting-started/authentication/oauth/api-access-modes). We should make it configurable so that an app could specify online or offline access mode with a default of offline (current).

Looks like we explicitly need to pass &grant_options[]={access_mode} as it "defaults to offline access mode if left blank or omitted. Set to per-user for online access mode."

I'll see if I can take a stab as I need this for an app I'm developing. Need to add it to the query: https://github.com/lpinca/shopify-token/blob/master/index.js#L84. In addition, extra data is returned:

{
  "access_token": "f85632530bf277ec9ac6f649fc327f17",
  "scope": "write_orders,read_customers",
  "expires_in": 86399,
  "associated_user_scope": "write_orders",
  "associated_user": {
    "id": 902541635,
    "first_name": "John",
    "last_name": "Smith",
    "email": "[email protected]",
    "account_owner": true,
    "locale": "en",
    "collaborator": false
  }
}

Not sure about the best way in returning this additional information without a breaking change since we currently only return the access_token: https://github.com/lpinca/shopify-token/blob/master/index.js#L183. I'd prefer just returning an object of all data, maybe an extra parameter defaulted to false. getAccessToken(shop, code, allData = false) {

Based on the spec from https://help.shopify.com/en/api/getting-started/authentication/oauth#update-oauth-scopes, the auth url should be "the users myshopify domain".

However, the generateAuthUrl function appends ".myshopify.com". So during the authentication flow that Shopify describes they will send the myshopify domain. Then I have to remove the ".myshopify.com" from that parameter to be able to pass it to generateAuthUrl to work properly.

Can this be fixed? How do you use generateAuthUrl?

Could this string comparison be open to a Node.js timing attack?

Is it better to compare using a constant-time comparison algorithm?

This package would be ideal:
https://github.com/Bruce17/safe-compare

I can create a PR if it's useful?

So we use wildcard domains: junaid.myapp.com. Every user gets a specific domain and can add multiple Shopify shops to their account. The issue is each redirect URL will be different. Can we send the subdomain as a metafield during oAuth and get Shopify to send it back during the callback? That way, we can have one redirect URL where we get the shop, accessToken, and the subdomain we sent during the initial call.

I also tried adding wildcard domains on the app settings page: *.myapp.com but seems like wildcards do not work.

Could verifyHmac be extended to support the body of the webhook request after body parser had taken effect?

Current solution

    const hmac = request.headers['x-shopify-hmac-sha256']

    const bodyMessage = JSON.stringify(request.body)
    .replace('/', '\\/')
    .replace('&', '\\u0026')

    var calculatedSignature = crypto.createHmac('sha256', shopifyApp.secret)
    .update(bodyMessage.toString('utf8'))
    .digest('base64')

    const ok = hmac === calculatedSignature

It would be good for the getAccessToken method to allow a timeout via an options.timeout in the client constructor.

I've tried to do this on a branch of our fork and run into some trouble. (I'll post that momentarily.) Basically the low-level https.request interface that the module uses makes timeouts tricky to implement – there is a request.setTimeout method but I'm not sure how to fully implement it.

I wonder if this module should switch to using a request abstraction layer. shopify-api-node, for example, is using the got module; another obvious one is request. It would expand the size of this module but also open up a lot of possibilities for request options (such as timeout) without having to reinvent the wheel.

Could you please explain me the step to run this

Hello,

Thank you for creating this helpful library! I've been tinkering with it in a few tests apps to great success. Alas, I decided to come back to this library and build a new app, but I had unexpected behaviour:

Fetch API cannot load https://fabrics-2017.myshopify.com/admin/oauth/access_token. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 404. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

My application code looks closer to this:...

    const query = queryString.parse(this.props.location.search);
    const checkPassed = shopifyToken.verifyHmac(query);
    console.log(query);
    if (checkPassed) {
      this.setState({
        securityChecksPassed: checkPassed,
      }, () => {
        shopifyToken.getAccessToken(query.shop, query.code)
          .then((token) => {
            console.log('got token', token);
          })
          .catch((err) => {
            console.log('err', err);
          })

Is this is an issue on my side? What am I missing?

This is to support verifying requests from app proxy extension.

I'm trying to verify the hmac being returned from shopify after oauth but the verifyHmac method is always returning false. I'm testing this locally and trying to do this all on the front-end in react. When a user clicks "Add" button, the auth flow kicks off and should grab the permanent token to store on the backend. Not sure if theres something I'm missing here?

package.json
"shopify-token": "^4.0.4"

broken up query params after success oauth redirect (no signature provided in url):

url = "http://localhost:3000/integrations?code=41b132e6a83baa6d813353959e6d0aed&hmac=eef3f5e02951e6d46335524993a53611cb4062b016b5b4c2cbcb00f2df1e9db7&host=Z3JlYXN5LWhhbmRtYWRlLWNvLWRldi5teXNob3BpZnkuY29tL2FkbWlu&shop=dev-shop.myshopify.com&state=7dcaee1e8970ce0c3f291a591595925c&timestamp=1647547764"

query = {
    code: "41b132e6a83baa6d813353959e6d0aed"
    hmac: "eef3f5e02951e6d46335524993a53611cb4062b016b5b4c2cbcb00f2df1e9db7"
    shop: "dev-shop.myshopify.com"
    signature: undefined
    state: "7dcaee1e8970ce0c3f291a591595925c"
    timestamp: "1647547764"
}

Call verifyHmac() with query

const isLegit = shopifyToken.verifyHmac(query)
// isLegit = False