Merge pull request #72 from Shopify/fix_oauth_cookie_duration

Match OAuth cookie expiration to session
Shopify · Jan 13, 2021 · 0793e20 · 0793e20
2 parents 4b48aa1 + bb58dc7
commit 0793e20
Showing 1 changed file with 18 additions and 12 deletions.
diff --git a/src/auth/oauth/oauth.ts b/src/auth/oauth/oauth.ts
@@ -135,25 +135,31 @@ const ShopifyOAuth = {
       currentSession.scope = responseBody.scope;
     }
 
-    // If app is embedded or this is an offline session, we're no longer intereseted in the cookie
-    cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
-      signed: true,
-      expires: Context.IS_EMBEDDED_APP || !currentSession.isOnline ? new Date() : currentSession.expires,
-      sameSite: 'none',
-      secure: true,
-    });
+    // If this is an offline session, we're no longer interested in the cookie. If it is online in an embedded app, we
+    // want the cookie session to expire a few seconds from now to give the app time to load itself to set up a JWT.
+    // Otherwise, we want to leave the cookie session alone until the actual expiration.
+    let oauthSessionExpiration = currentSession.expires;
+    if (!currentSession.isOnline) {
+      oauthSessionExpiration = new Date();
+    }
+    else if (Context.IS_EMBEDDED_APP) {
+      oauthSessionExpiration = new Date(Date.now() + 30000);
+      currentSession.expires = oauthSessionExpiration;
 
-    // If this is an online session for an embedded app, we assume it will be loaded from a JWT from here on out. The
-    // cookie session is preserved for 30s so that the app skeleton page can still be loaded using it
-    if (Context.IS_EMBEDDED_APP && currentSession.isOnline) {
+      // If this is an online session for an embedded app, prepare a JWT session to be used from here on out
       const onlineInfo = currentSession.onlineAccesInfo as OnlineAccessInfo;
       const jwtSessionId = this.getJwtSessionId(currentSession.shop, '' + onlineInfo.associated_user.id);
       const jwtSession = Session.cloneSession(currentSession, jwtSessionId);
       await Context.storeSession(jwtSession);
-
-      currentSession.expires = new Date(Date.now() + 30000);
     }
 
+    cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {
+      signed: true,
+      expires: oauthSessionExpiration,
+      sameSite: 'none',
+      secure: true,
+    });
+
     await Context.storeSession(currentSession);
   },