ShopStrategy#update_access_scopes? should only be true when user needs to approve new scopes #1820
Comments
|
Hey, thanks for raising this. I think this makes sense, we'll look into it and make sure the suggested fix doesn't carry any risks - I think we might have to replace the token if you remove scopes from an app via the config value, which might not play well with the fix. One potential workaround for this would be to disable scope checks completely with the If not, you can use |
paulomarg
added
the
Waiting for Response
|
Hey @paulomarg thanks a lot for the quick response
I'm not quite sure I get this. In our case, However, when a certain user needs an additional scope he is prompted to the confirmation screen (/login?...) with the missing scopes. This works great, (it'd be cool if this flow was documented) callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, '')
cookie, auth_route = ShopifyAPI::Auth::Oauth.begin_auth(
shop: current_shop.shopify_domain,
redirect_path: "/#{callback_url}",
is_online: false,
scope_override: <our scopes>
).values_at(:cookie, :auth_route)
cookies.encrypted[cookie.name] = {
expires: cookie.expires,
secure: true,
http_only: true,
value: cookie.value
}
redirect_to auth_routeHowever, after a re-login (with also we now need to re-request an online token for the user. Are we doing this right?:) |
github-actions
bot
removed
the
Waiting for Response
I was mostly talking about other scenarios, where the app uses config.scopes but removes one of those - I think we might run into trouble in that scenario, but it doesn't apply here. In any case, I think I understand your problem better now - basically, your override is working for the first auth, but it doesn't get re-applied because we default to I'm assuming you're already overriding the sessions controller in order to set your overrides? If not, that might be an alternative. I also noticed that there is currently no way to override the shop scope strategy in the config, other than monkeypatching. One way to solve this would be to override the scope strategy (i.e. write your own version of WDYT? |
paulomarg
added
the
Waiting for Response
nope, we haven't considered that. we have a separate controller that redirects user to the
Yep, that'd be great! Currently, we have to resort to monkey-patching. We've also noticed another issue: Sometimes, the In addition to that, a webhook job can be slow to process. Have you considered using |
github-actions
bot
removed
the
Waiting for Response
That's fair - I think for this to work properly with the current code, the right fix would be to replace the sessions controller with one that extends the default, and replace the For the future, I feel like we're lacking the ability to customize this flow - maybe a For the sake of transparency, assuming that overriding the sessions controller works, there are other things that might take precedence over this, but I'll add it to our tracking.
Yes, webhooks can take a little while to be sent. The big downside of getting the scopes from the API is that we basically run this check on every request, which would mean an added round trip to Shopify. That might slow apps down too much, so I'm not sure that's something we want to do. |
Thanks, I'll look into it.
That'd be perfect!
Would it work if that check was only done in Oh, and one more thing. When we request additional scopes, we request an offline shop token. def ensure_has_associated_user
return if current_shopify_session&.associated_user.present?
url = ShopifyApp.configuration.login_url
query_params = {
top_level: true,
shop: current_shopify_session.shop,
return_to: RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
}
url = "#{url}?#{query_params.to_query}"
redirect_to(url)
endand this snippet to our shop.update!(
access_scopes: '',
shopify_token: ""
) |
I don't think that would be possible, because we'll usually check the scopes on every request (within the concerns we export) - if we checked only in the sessions controller we'd end up missing checks, so it would behave inconsistently, I believe.
Yes, when using online tokens, you'll need to regenerate them both when the scopes change, so you'll need to go through OAuth twice in that case. In the default callback we'll start the online flow right after the offline one completes, and it will also check the scopes to see if that needs to happen. This would probably also be affected by the new setting I proposed - when checking the scopes, we'd call the callback here too, so it should still work as expected. In your case now, it'll probably always return true because the scopes will mismatch, so it shouldn't break things. Hope this helps! |
and others
Issue summary
Before opening this issue, I have:
shopify_appversion:log_level: :debugin my configuration, if applicableWe are dynamically requesting access scopes based on what features our clients want. This means that
config.scope = ''.When a store requests a certain feature, we prompt him to go through the OAuth flow with the additional scopes. This works fine. However...
Expected behavior
When a user logs out & signs in again, the shop access scopes should not change.
Actual behavior
When a user logs out & signs in again, the shop access scopes are reset to
config.scope. The reason for that is this method:It should only return
trueif the shop is missing some scopes, not when it has more that are set inconfig.scope. I believeUserStrategyis already following this logic - it only asks a user to confirm the new scopes when it's a superset of the existing ones.A potential fix
The text was updated successfully, but these errors were encountered: