[koa-shopify-auth] Fixes ITP 2.3 and Safari 13.1 enable cookies loop

[ayronshopify]

Description

Package: koa-shopify-auth
Fixes #1387

Intelligent Tracking Prevention (ITP) prevents websites from tracking users and with Safari 13.1 blocking all third-party cookies by default, we're finding that users are experiencing an endless loop of seeing the Enable Cookies screen, clicking the button, and being redirected back to the Enable Cookies screen again. This is due to the fact that we are not currently using the Storage Access API by calling document.requestStorageAccess() which is the way to ensure these cookies can now be saved/accessed.

Type of change

We are using some of the code implemented by shopify_app as this is already working and thoroughly tested there.

We're keeping the Enable Cookies page which is surfaced at the top-level:

Once the user clicks the button they will be redirected to a new page in an iframe which will make the document.requestStorageAccess() call needed to save the cookies.

Older browsers/Chrome will probably not see either of these screens, depending on the version checking done in the StorageAccessHelper. Newer Firefox users will see the Enable Cookies screen. Newer Safari users will see both the Enable Cookies screen and the Browser screen. Once the flow has been completed Older/Chrome/Firefox users shouldn't see any other screens when accessing their apps. However, newer Safari users will always see the Browser screen before they can access the app.

New Safari Flow:

• Patch: Bug/ Documentation fix (non-breaking change which fixes an issue or adds documentation)
• Minor: New feature (non-breaking change which adds functionality)
• Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• I have added a changelog entry, prefixed by the type of change noted above

[ismail-syed]

Can you please add a changelog update for this package.

[ismail-syed]

This needs to be a 3.1.61 since the last released version was 3.1.60. The changelogs don't keep a good track of peer dep bumps via lerna 😢

[marutypes]

Looks good overall, glad to hear it was already tophatted by some folks. Left a few comments mostly as documentation for stuff we might want to make nicer in the future.

[marutypes]

It's probably fine to leave this as is (especially because it is copied from somewhere), but if we felt like making it a bit more readable we could actually have this as TypeScript with it's own tsconfig that compiles it for direct script tag use if we wanted. Maybe a good future improvement.

[marutypes]

Eventually we might want to introduce tagged template literals or something so we can make all of these a bit nicer, but this is fine for now.

[hannachen]

🎩 👍 with a sample app from the CLI tool using Safari 13.0.5

Before

After

The server error toast comes from me forcing the install/update permissions screen by messing around with permission scopes requested

[eugene-kim]

Hi @ayronshopify @ismail-syed @TheMallen

I'm a Shopify partner who's trying to understand this authorization process and I'm confused about this line and was hoping to get some clarification.

Why do we redirect the user to this.redirectData.appTargetUrl (which was initialized as /?shop=${shop}) rather than /auth, which is the oAuthStartPath in the createShopifyAuth function?

The logic that checks the shopify.granted_storage_access cookie is associated with the /auth path and so it seems to me that we should be redirecting the user to /auth

Thank you!

[ragalie]

Hi! Good question. I think the reason is that we may have already completed OAuth. If we've already completed OAuth, and now we also have storage access, then the app is ready to load, so it doesn't make sense to do OAuth again.

If we haven't completed OAuth yet, then when we hit the app target URL we'll realize we need to do OAuth, and then redirect to OAuth anyway, so that case is also covered.

Does that make sense?

[kavika-1]

The redirect always goes to "/auth/..." without the original prefix. We set the prefix property, and the redirect causes a 404. By prefix, we mean we use the "prefix" in the example provided for koa-shopify-auth...

app.use(
  shopifyAuth({
    // if specified, mounts the routes off of the given path
    // eg. /shopify/auth, /shopify/auth/callback
    // defaults to ''
    prefix: '/shopify',

So in the example above, on safari, it redirects to "/auth/enable_cookies..." instead of "/shopify/auth/enable_cookies...", and thus shopifyAuth doesn't serve that non-prefixed route.

It would appear these are hard-coded client-side. For instance, in client/request-storage-access.ts:

var targetInfo = {
          myshopifyUrl: "https://${shop}",
          hasStorageAccessUrl: "/auth/inline?shop=${shop}",
          doesNotHaveStorageAccessUrl: "/auth/enable_cookies?shop=${shop}",

In the past we could use the referer (sic) to retrieve the original path, but now that this redirect happens client side (client/request-storage-access.ts), we no longer receive/have access the referer in order to patch this up. Any way to preserve or send along the prefix?