This repository has been archived by the owner on Oct 1, 2024. It is now read-only.

verifyRequest middleware in koa-shopify-auth package doesn't work in 2 specific scenarios #814

Closed
amardeepsingh20 opened this issue Jul 25, 2019 · 8 comments

Comments

@amardeepsingh20

Overview

koa-shopify-auth middleware does not seem to work well specifically in 2 scenarios:

  • When a merchant has 2 shops and he installs the same app on both the shops (in the same browser), verifyRequest middleware just lets the second shop in without taking it to auth(). This is very insecure!

Checking the code reveals that verifyRequest is just checking if the session and accessToken are available. It is not confirming if they belong to the shop which is making the new request.
koa-shopify-auth/src/verify-request/verify-request.ts

```typescript
// ...
if (session && session.accessToken) {
  ctx.cookies.set(TOP_LEVEL_OAUTH_COOKIE_NAME);
  await next();
  return;
}
// ...
```
  • Merchant is unable to reinstall the app if he deletes it once. The cookies are still persisting after deletion and that seems to be the reason for the issue.
    ...

I have seen some workarounds for the second scenario #727 but no elegant solution.
No workarounds for the first one yet.
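To make the first scenario concrete, here is an added example (not koa-shopify-auth's own code) that places the presence-only check quoted above beside a hardened one that binds the stored session to the shop making the request. It assumes the requesting shop arrives as the `shop` query parameter and that the session records the shop its token was issued for; the Koa context is reduced to a minimal stand-in so the file runs on its own.

```typescript
// Added example, not koa-shopify-auth's code. Minimal stand-ins for the Koa
// context and the session, enough to compare the two checks.
interface Session {
  shop: string;          // assumed: myshopify domain the token was issued for
  accessToken?: string;
}

interface Ctx {
  query: { shop?: string };   // assumed: requesting shop comes in as ?shop=
  session: Session | null;
  redirectedTo?: string;      // where the middleware sent the request, if anywhere
}

type Next = () => Promise<void>;

// Behaviour the issue describes: any session holding a token gets through,
// even one created for a different shop in the same browser.
function isAllowedOriginal(ctx: Ctx): boolean {
  return Boolean(ctx.session && ctx.session.accessToken);
}

// Hardened check: the token must exist AND belong to the requesting shop.
function isAllowedHardened(ctx: Ctx): boolean {
  const requested = ctx.query.shop;
  const s = ctx.session;
  return Boolean(s && s.accessToken && requested && s.shop === requested);
}

// Koa-style middleware built on the hardened check. A mismatched session is
// discarded so a stale cookie cannot keep satisfying the check, and the
// request is sent back through /auth for the shop it actually belongs to.
async function verifyRequestHardened(ctx: Ctx, next: Next): Promise<void> {
  if (isAllowedHardened(ctx)) {
    await next();
    return;
  }
  ctx.session = null;
  const shop = ctx.query.shop || "";
  ctx.redirectedTo = `/auth?shop=${encodeURIComponent(shop)}`;
}

// Constructed scenario: a session created for shop A is still in the browser
// when a request for shop B arrives.
const sessionForShopA: Session = { shop: "shop-a.myshopify.com", accessToken: "token-a" };

function requestForShopB(): Ctx {
  return { query: { shop: "shop-b.myshopify.com" }, session: { ...sessionForShopA } };
}
```

With the constructed scenario, `isAllowedOriginal` lets shop B through on shop A's token, while `isAllowedHardened` rejects it and the middleware redirects to `/auth?shop=shop-b.myshopify.com`.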

@Popesites

I was going to get to building a workaround soon, I'll share what I build once I've got it.

@aurelienbobenrieth

This is also the case when you access two stores with the same app installed.
The problem is not only the cookie, it is also about the ctx.session (as I could see in my logs). As far as I could see in the logs both stores were using the same sessions var which made one store displaying the app from the other one in its admin. Very problematic.

@Werbelow

I am also running into this issue. I have tried a handful of solutions, with no luck so far. If I install the same app on two stores and switch from one store to the second store, all the cookies, session, access token, etc. are from the first store, which then shows the first store information in the second store's app.

@Popesites

@katiedavis Bringing more attention to this issue as it's one of the biggest problems I'm having with this package

@katiedavis
Contributor

Closed by #940

@marutypes
Contributor

marutypes commented Aug 30, 2019

Sorry for the delay, this should be fixed in version 3.1.36 of the package

@furnaceX

furnaceX commented Jun 8, 2020

I have version 3.1.63 installed and I still see this issue.

I tried to roll back to version 3.1.36 but got a secure cookie error.

@andreistock

andreistock commented Aug 19, 2020

I'm seeing the issue as well, especially getting a 404 on /auth/callback?= ... when reinstalling. I've had 3.1.63 and updated to 3.1.66 and still seeing the issue.
