-
Notifications
You must be signed in to change notification settings - Fork 683
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store session expiry and check it to trigger a re-auth #1757
Conversation
d4c371d
to
000ab74
Compare
b6a5948
to
8c56b41
Compare
Thanks for your contribution here! This idea makes a lot of sense to me! I've got this on my list to review and triage, but it might take a day or two. I appreciate your patience! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👋 Thanks so much for this contribution! I ❤️ the direction for sure, just have a few thoughts to chat through before we merge this in:
Introducing a new controller concern
One of the more frustrating aspects of maintaining this gem is managing what concern does what. I'm nervous to add another concern into the mix for us to maintain 😬
Since I love this as a default option, I wonder if we can add this functionality to our existing UserSessionStorageWithScopes
concern (and arguably UserSessionStorage
) and find another way to opt in to this feature without introducing another concern into the mix. Maybe we could look to see if the user's session model has the new column name you introduced or we could look at adding a flag that we add to the config for this gem and if it is enabled we add this new functionality.
What happens when Shopify revokes a user(online) token?
One of the more frustrating use cases for user tokens is handling the use case of Shopify revoking a user access token and handling that messaging in a graceful manner. I'm curious if you have thought through that use case here at all. The bad stuff for that use case isn't terrible, since that user was likely deleted or had other security concerns and we'd just need to handle that use case from the time of Shopify's revoke and the end of the 24 hour window the user's token is valid for.
Ruby App Template v Generators
From what we can gather, generators aren't used as frequent as our app template is (arguably we should delete the generators because it is very confusion to have two means to achieving the same goal). I see how adding this as a generator for existing apps makes a lot of sense.
We'll need to include this column in our app template as well. What's super gross is we don't actually have a migration for the users table and I believe we are trusting that devs run rails db:setup
to load the schema as the starting point 🤦 Obviously we have room for improvement there so don't feel like you need to solve all the problems at once here, but when we merge this in we'll need that column at a minimum in the schema file of our template.
72f42dc
to
a2424ed
Compare
Thanks for the review @nelsonwittwer ❤️ My answers:
Agree! I changed to add the functionality to
Unless I am missing something, I don't think that's really a concern (or at least not more than it is today). If the token is revoked, the expiry date check will pass, but then Shopify will reject with a 401, which will trigger the auth flow as today, and the user will get a new token (or not, depending on why it was revoked I guess). Ideally yes, the app should know that it was revoked and trigger a reauth early, but it seems a bigger change than this one.
The app template is not using user tokens ( |
0032530
to
f87a1e6
Compare
f87a1e6
to
672f15c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! Thanks for thinking through the details on this and improving the gem 😎
672f15c
to
1474407
Compare
What this PR does
Embedded apps using user tokens currently have to wait for a 401 from Shopify to know that the user token is not valid anymore. By storing the token expiry date, we are able to detect an expired session without a round trip to Shopify and to trigger the Oauth flow to get a fresh token.
Goals of this PR are:
shopify_app
withshopify-app-js
which already stores the expiry date in the data model (Prisma one for example) and checks it here.For that, the PR:
expires_at
attribute. A DB migration is created with a prompt when runningrails generate shopify_app:user_model
UserSessionStorageWithScopesAndExpiry
concern that will store/retrieve the session expiry date (which is already set during Oauth here). This will be included in theUser
model for new apps and be an opt-in for existing apps.Reviewer's guide to testing
UserSessionStorageWithScopes
(or use an existing one)gem "shopify_app", git: 'https://github.com/Shopify/shopify_app.git', branch: 'store-session-expiry'
Backward compatibility (config flag off and no expiry date column)
backward-compatibility.mp4
Config flag on and no expiry date column
check_session_expiry_date
to true inshopify_app.rb
rails restart
)model-with-no-expiry-date.mp4
Config flag on and expiry date column
rails generate shopify_app:user_model --skip
-> answer Y to the prompt to include theexpiry_date
migration-> check that a DB migration was created to add the
expires_at
column to theusers
tablerails db:migrate
@expires
attribute should not benil
when retrieving the sessionmodel-with-expiry.mp4
Expiry date check
User
model andcheck_session_expiry_date
set to true, check that the user session expiry date is stored in theusers
table (you need to restart the app after updating)Things to focus on
Checklist
Before submitting the PR, please consider if any of the following are needed:
CHANGELOG.md
if the changes would impact usersUpdateREADME.md
, if appropriate./docs
, if necessaryFor security fixes, the Disclosure Policy must be followed.