Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proposal oauth refactor #501

Merged
merged 5 commits into from
Nov 27, 2023
Merged

Proposal oauth refactor #501

merged 5 commits into from
Nov 27, 2023

Conversation

byrichardpowell
Copy link
Contributor

WHAT is this pull request doing?

  1. Move some leaf functionality that will be shared between Auth code flow and token exchange into utilities. Call those utilities from auth code flow. This allows each stratagey to call those utilities in a way that makes sense for the strategy. This mirrors the approach that is taken throughout the codebase, where if different authentication methods rely on the same logic, that logic is extracted into a utility.
  2. Some minor changes to the auth code flow strategy. Paulo and I thought these changes had a slight improvement on readability, but they are fairly inconsequential.
  3. Change the authenticate base class to a factory function. Since we weren't using inheritance to extend the shared authenticate functionality, we saw no good reason to keep it as a class. Removing the class saves some ceremony (less passing of type generics, don't have to deal with this) and it is more consistent with the rest of the codebase, which uses factory functions extensively.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have used yarn changeset to create a draft changelog entry (do NOT update the CHANGELOG.md files manually)
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

paulomarg and others added 4 commits November 23, 2023 12:35
@byrichardpowell byrichardpowell requested a review from a team as a code owner November 24, 2023 15:30
ragalie
ragalie reviewed Nov 24, 2023
View reviewed changes
packages/shopify-app-remix/src/server/authenticate/admin/strategies/auth-code-flow.ts Outdated
if (isAuthCallbackRequest) {
throw await this.handleAuthCallbackRequest(request, shop);
await this.ensureInstalledOnShop(request);
await ensureAppIsEmbeddedIfRequired(params, request);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see why either this nor ensureSessionTokenSearchParamIfRequired should be in the token acquisition strategy. These are things that need to happen as part of request validation, regardless of how we get the token.

It's also imo confusing for these to live in the respondToOauthRequests function. These have nothing to do with OAuth.

These functions should live in with the rest of the request validation logic (which is currently housed in authenticate.ts.

ragalie
ragalie reviewed Nov 24, 2023
View reviewed changes
packages/shopify-app-remix/src/server/authenticate/admin/strategies/auth-code-flow.ts Outdated
const {api, config, logger} = this;

if (config.isEmbeddedApp) {
const payload = await validateSessionToken(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This step is request validation and shouldn't live in the token acquisition strategy. If the session token is bunk, we should reject the request regardless of the strategy. Otherwise we're creating a security footgun in the future when someone forgets to incorporate this logic into a new strategy they create.

ragalie
ragalie reviewed Nov 24, 2023
View reviewed changes
packages/shopify-app-remix/src/server/authenticate/admin/strategies/auth-code-flow.ts Outdated
@@ -125,15 +147,76 @@ export class AuthCodeFlowStrategy<
}
}

private validateUrlParams(request: Request) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same concern here: this should apply regardless of the token acquisition strategy. I don't see why this should live here.

RyanDJLee
RyanDJLee approved these changes Nov 27, 2023
View reviewed changes
Copy link
Contributor

@RyanDJLee RyanDJLee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@rezaansyed rezaansyed merged commit fa92983 into refactor-oauth-strategy Nov 27, 2023
10 checks passed
@rezaansyed rezaansyed deleted the proposal-oauth-refactor branch November 27, 2023 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ragalie ragalie ragalie left review comments

@RyanDJLee RyanDJLee RyanDJLee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@byrichardpowell @ragalie @RyanDJLee @rezaansyed @paulomarg @rachel-carvalho