-
Notifications
You must be signed in to change notification settings - Fork 684
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid CSRF Token in incognito mode #1219
Comments
@dianedouglas-thrive, how often are you fetching the JWT when making the POST request? JWTs expire after 1 minute and you should be retrieving a session token prior to each request. You can use the The |
Do you attach a fresh session token to your I think that your controller should inherit from
Update us on your findings! |
Hi guys, thanks for your time.
Happily on my app server logs I am not seeing any
Apologies if I am missing something basic here, I'm pretty new to dealing with jwt - looked at my network activity and I do see a whole bunch of requests hitting app-bridge and index.js but I'm not really sure what I'm looking for. I don't see where I am supposed to copy and paste the token into jwt.io.
I have left the generated code pretty untouched here as far as anything app bridge or jwt related. So I have not specifically added anything for attaching a fresh session token to my Post request, or retrieving a session token prior to each request. Here is what I do have: In my
And in
I also saw that this was needed in my initial application home page to make installation work, but I tried adding this to the /new view on my other controller as well as the embedded_app view and it had not effect on the behavior.
Am I missing the code where I should be retrieving or refreshing a session token? Is that why anything in a controller inheriting from AuthenticatedController is redirecting? |
I guess one further piece of information is that I've been manually passing around the shop domain as a parameter under shop on all my requests in order to authenticate with the api. This seems to work, but is headache inducing and I am starting to suspect it's the wrong way to go about this?
This allows me to initialize a session with the API using the shop:
|
Is your app a single-page app or is it a server-side rendered Rails app (using erbs for example)? If it's the latter, this tutorial might help you with refreshing your session tokens: https://shopify.dev/tutorials/authenticate-server-side-rendered-embedded-apps-using-rails-and-turbolinks Passing a This requirement is just needed so that your |
It is a server-side rendered Rails app. I've been looking at that tutorial and it's a little complicated because I was not intending to use a splash page. Is the splash page needed? Also I thought all this stuff was included in the default generator. I guess there must be some stuff I still need to add. |
Oh ok, well that's fine then. If that's what's intended no problem there. |
Unfortunately the default generator does not configure Turbolinks to refresh and cache session tokens for you - this is a decision left to the app developer. The path with the least headaches right now is to build a single-page application that uses App Bridge fetch methods (these always make sure your outbound requests have fresh session tokens), but it's understandable that not all developers would want to do this. This is partially why there exists a Turbolinks solution Edit: here's a sample app you can refer to that has Turbolinks configured and multiple pages that pass around the shop parameter: https://github.com/Shopify/turbolinks-jwt-sample-app |
It is too late for me to go back and change to a single page app I think, I'll have to go with the turbolinks solution. I'll try to follow the tutorial/app you have linked more closely. Two things
|
Yes, the splash page is to allow you to load a skeleton page with the initial JS to render App Bridge and get your session token. If you're navigating to a |
Thanks @rezaansyed, sorry for the delay in my response. Is the intention to have the splash page load between every controller? Or just once at the beginning to get the session token, and then any subsequent controller views also need to repeat this process to get a new session token? |
There are two concerning tickets in that demo app. Do all requests have to be XHR? Does it work reliably? Can it be right that there is no way to have a non-embedded regular rails app as a shopify_app? |
This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days. |
We are closing this issue because it has been inactive for a few months. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request– see the CONTRIBUTING.md file for guidelines Thank you! |
Description
When submitting a form in incognito mode in an embedded, multi-page app using jwt authentication I get an Invalid CSRF Token error in incognito mode.
Steps to Reproduce
ShopifyApp::EmbeddedApp
.rails g scaffold Thing shop:references path:string
Expected behavior:
The app should just confirm the jwt/session token and then skip CSRF token validation since (as far as I understand it) incognito blocks 3rd party cookies.
Actual behavior:
I understand this behavior should be coming from using
include ShopifyApp::Authenticated
. But if I do that then my app redirects a bunch of times and I land back on the admin/apps page with an error:Additional information regarding the redirect error caused by
ShopifyApp:Authenticated
:request.env['jwt.shopify_domain']
is always nil.shopify_app
generator and when I generated the app I was on 17.0.2.Possible solution
I made some progress with this and found that using this on my controller bypasses the incognito CSRF error.
But I am unsure if this is the correct way to go about it.
Reproduces how often:
Every time.
Browsers
Chrome, incognito.
Gem versions
Shopify_app version 17.0.5 and rails version 6.0.3.4
Additional Information
The app uses session tokens, it is an embedded app, created with default generator on version 17.0.2.
The text was updated successfully, but these errors were encountered: