
sameSite: Lax is failing to set the cookie #777

Closed
IonicaBizau opened this issue Feb 19, 2023 · 23 comments
Labels
SEV-2 High Severity

Comments

@IonicaBizau

Issue summary

Because of sameSite: lax, the cookies are not being set by the OAuth call.

Expected behavior

It should set the cookies and authenticate the embedded app.

We manually changed these lines in oauth.js into sameSite: "none" and it works, but being a change done in node_modules it will not work long term.

Is there any way to set the sameSite policy or another way to solve this issue?

@manassra

manassra commented Mar 2, 2023

Confirming that I have the same problem.

@manassra

manassra commented Mar 2, 2023

Providing an update here: it turns out that the cookie was not being forwarded because I was starting the auth process via my localhost endpoint, but then using an ngrok link for the authorization callback. Once I initiate the flow via the ngrok endpoint, everything works as expected (since now all interactions are happening on the same domain, as enforced by SameSite: Lax).

@IonicaBizau
Author

@manassra In our case the app is already in production (deployed on a cloud server and connected to a subdomain — api.example.com where example.com is the main domain of the shop). Do you have any idea why it would fail in our case? Thank you!

@cmelendez

cmelendez commented Apr 21, 2023

@IonicaBizau we follow the same pattern and this might help you: when the library sets the session cookie a) it doesn't specify a domain, so the browser uses the domain that's setting it (api.example.com in your case), and b) it sets a specific path where the cookie is valid, which is the same path used in callbackPath when calling shopify.auth.begin(). It's very likely that the path used by your API in api.example.com is not the same as the one used by the app in example.com, and maybe that's why you are not able to read the session cookie in your callback URL.

Our solution was to fork the library (we'll push a PR) and set both a domain (.example.com to make it work domain-wide) and a valid path (/ to make it work app-wide) in oauth.ts.

My guess is that the library is expecting to work under the same domain and path, just like Shopify's template app.
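As an added illustration (not code from shopify-api-js or shopify-app-js, and not posted by any commenter), the following JavaScript models the browser-side matching that the comment above describes: RFC 6265 domain-match and path-match, plus the SameSite=Lax / None distinction. The hostnames, paths and the cookie name are made up, the "no attribute means Lax" rule is Chrome's default, and the scenario names are assumptions chosen to mirror the cases reported in this thread.

```javascript
// Added example, not code from shopify-api-js or shopify-app-js: a small
// model of the browser-side rules that decide whether a stored cookie is
// attached to a later request (RFC 6265 domain-match and path-match, plus
// the SameSite=Lax / None distinction). All hostnames, paths and cookie
// names below are made up for illustration.

// RFC 6265 default-path: the request path up to (not including) its last "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/") || requestPath.lastIndexOf("/") === 0) return "/";
  return requestPath.slice(0, requestPath.lastIndexOf("/"));
}

// Parse one Set-Cookie header received from `host` on `path`. Returns null
// where a current browser would drop the cookie (SameSite=None without Secure).
function parseSetCookie(header, host, path) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: host.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact setting host matches
    path: defaultPath(path),
    secure: false,
    sameSite: "Lax", // Chrome's default when the attribute is absent
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1);
    if (key === "domain") {
      cookie.domain = val.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false; // now matches the domain and every subdomain
    } else if (key === "path" && val.startsWith("/")) {
      cookie.path = val;
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "samesite") {
      cookie.sameSite = val.charAt(0).toUpperCase() + val.slice(1).toLowerCase();
    }
  }
  return cookie.sameSite === "None" && !cookie.secure ? null : cookie;
}

function domainMatch(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: equal, or a prefix that ends at a "/" boundary.
function pathMatch(cookie, requestPath) {
  const p = cookie.path;
  if (requestPath === p) return true;
  if (!requestPath.startsWith(p)) return false;
  return p.endsWith("/") || requestPath.charAt(p.length) === "/";
}

// req = { host, path, https, crossSite, topLevel, method }
function shouldSend(cookie, req) {
  if (cookie.secure && !req.https) return false;
  if (!domainMatch(cookie, req.host) || !pathMatch(cookie, req.path)) return false;
  if (!req.crossSite || cookie.sameSite === "None") return true;
  if (cookie.sameSite === "Lax") return req.topLevel && req.method === "GET"; // Lax: top-level navigations only
  return false; // Strict: never on a cross-site request
}

// The situations from the thread. Shopify's redirect back to callbackPath is a
// cross-site, top-level GET navigation; an embedded app loading inside the
// admin iframe is cross-site but not top-level.
function scenarios() {
  const nav = (host, path, extra = {}) =>
    ({ host, path, https: true, crossSite: true, topLevel: true, method: "GET", ...extra });
  const scoped = parseSetCookie(
    "shopify_app_state=n0nce; Path=/auth/callback; Secure; HttpOnly; SameSite=Lax",
    "api.example.com", "/auth/callback");
  const domainWide = parseSetCookie(
    "shopify_app_state=n0nce; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax",
    "api.example.com", "/auth/callback");
  const local = parseSetCookie("shopify_app_state=n0nce; Path=/auth/callback; SameSite=Lax",
    "localhost", "/auth/callback");
  const none = parseSetCookie("shopify_app_state=n0nce; Path=/; Secure; SameSite=None",
    "api.example.com", "/auth/callback");
  return {
    scopedSameHostAndPath: shouldSend(scoped, nav("api.example.com", "/auth/callback")),
    scopedCallbackOnApex: shouldSend(scoped, nav("example.com", "/auth/callback")),
    scopedDifferentPath: shouldSend(scoped, nav("api.example.com", "/api/auth/callback")),
    domainWideCallbackOnApex: shouldSend(domainWide, nav("example.com", "/api/auth/callback")),
    localhostThenNgrok: shouldSend(local, nav("abc123.ngrok.io", "/auth/callback")),
    laxInsideIframe: shouldSend(domainWide, nav("api.example.com", "/", { topLevel: false })),
    noneInsideIframe: shouldSend(none, nav("api.example.com", "/", { topLevel: false })),
    noneWithoutSecureRejected: parseSetCookie("x=1; SameSite=None", "api.example.com", "/") === null,
  };
}
```

Domain/Path and SameSite are independent checks: the host-only, callback-path-scoped cookie fails as soon as the callback lands on a different host or path, the domain-wide cookie fixes that but is still Lax and so is still withheld on a request made from inside an iframe, and SameSite=None only helps when the cookie is also Secure.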

@zds97

zds97 commented Apr 25, 2023

@cmelendez If that was the case, wouldn't we expect this to consistently happen? For us it seems to happen for maybe 1/20 installs.

@cmelendez

@zds97 in your case yes, it seems you have a different issue or maybe a combination of things. You could try increasing the expiration time and the domain/path of the cookie in oauth.ts.

@abharvey
Contributor

@cmelendez Thanks for helping out. Please feel free to tag me on your PR if you're able to make one. Any additional context to your app structure would be greatly helpful.

@cmelendez

I've created a PR that solves this specific oauth flow.

There's a new param when calling shopifyApi called cookieDomain. Use a valid string, i.e. .example.com (notice the . at the beginning), to be able to read the cookie under the entire example.com domain.

@rodrigogsqquid

We're also experiencing this issue. It would be great if an admin could merge @cmelendez PR and release the code.

@dylan-authentic

+1 for this issue.

@github-actions

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the Stale label Sep 27, 2023
@IonicaBizau
Author

IonicaBizau commented Sep 27, 2023 via email

@github-actions github-actions bot removed the Stale label Sep 28, 2023
@github-actions

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

@github-actions github-actions bot added the Stale label Nov 28, 2023
@epetousis

Not resolved.

@github-actions github-actions bot removed the Stale label Nov 29, 2023
@Andrew-Golchenko

have the same issue :(((
Error during OAuth callback | {error: Cannot complete OAuth process. Could not find an OAuth cookie for shop url: **-test.myshopify.com}

@github-actions

We're labeling this issue as stale because there hasn't been any activity on it for 60 days. While the issue will stay open and we hope to resolve it, this helps us prioritize community requests.

You can add a comment to remove the label if it's still relevant, and we can re-evaluate it.

@github-actions github-actions bot added the Stale label Feb 17, 2024
@zdunecki

zdunecki commented Mar 19, 2024

Hey,

If you develop an embedded app you can use Shopify example app available in this repo.

Best

@github-actions github-actions bot removed the Stale label Mar 20, 2024
@paulomarg paulomarg transferred this issue from Shopify/shopify-api-js Apr 11, 2024
@FranciscoBejaranoBluEdgeUsa

This issue is still happening, it is happening in one of our custom apps and no matter what we try (even going into the npm package and editing it to "sameSite: 'none'") we can't solve it.

Any suggestions?

@sle-c sle-c added the SEV-2 High Severity label May 7, 2024
@github-actions

github-actions bot commented Jul 7, 2024

We're labeling this issue as stale because there hasn't been any activity on it for 60 days. While the issue will stay open and we hope to resolve it, this helps us prioritize community requests.

You can add a comment to remove the label if it's still relevant, and we can re-evaluate it.

@github-actions github-actions bot added the Stale label Jul 7, 2024
@daviareias

I have my own version of auth and I've been reviewing the shopify auth library to see how can I improve it.

Is there any reason to not save the nonce inside a database such as redis instead of using cookies?

I use the command "HSETNX" which deletes the key after a set period of time anyway.

@github-actions github-actions bot removed the Stale label Aug 17, 2024
@github-actions

We're labeling this issue as stale because there hasn't been any activity on it for 60 days. While the issue will stay open and we hope to resolve it, this helps us prioritize community requests.

You can add a comment to remove the label if it's still relevant, and we can re-evaluate it.

@github-actions github-actions bot added the Stale label Oct 16, 2024
@Ydoug36

Ydoug36 commented Oct 16, 2024

Duplicate of #1460

@github-actions github-actions bot removed the Stale label Oct 17, 2024
@lizkenyon
Contributor

Hi folks 👋

It seems like there are several different problems reported here.

The original issue seems to be the requirement of a domain wide cookie for some OAuth flows when you redirect to a different domain to finish. This PR was started to resolve this issue but it was never completed.

Because Token Exchange is our new recommended approach for authorization, the Shopify team won't be taking on this feature request at the current time.

If this issue is still affecting your app, and you would like to port that PR to our new repo, the Shopify team would have capacity to review it. Thanks
