`session-token` auth finalization view doesn't log users in

Hello! I’m updating an app that uses this package to use session token auth instead of cookies, and after investigating a redirect loop, I think I’ve discovered that the “finalize” view used for session token auth doesn’t log a user in the way the cookie-based auth views do.

`shopify_auth.views.finalize()` has the lines:

```python
user = auth.authenticate(request=request, myshopify_domain=shopify_session.url, token=shopify_session.token)
if user:
    auth.login(request, user)
```

but `shopify_auth.session_tokens.views.FinalizeAuthView.get()` doesn’t have this code. Adding those lines into the view seems to log in the user and make the app behave as intended.

Is this a valid issue and a potential fix or am I using the auth views in an unintended manner? Thanks in advance so much for the help.

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 5

Top GitHub Comments

1 reaction
kienankb commented, Aug 3, 2022

Been a while since following up on this, but I wanted to thank you again for the advice–did a lot more research and reworking, and ended up implementing Turbolinks as suggested. Your feedback and responses helped me gain a much better and deeper understanding of the underlying data flow and the demo app was an invaluable reference!

0 reactions
stlk commented, Jun 30, 2022

> Thanks for responding! My app isn’t an SPA or using something like Turbolinks, and `SessionTokensAuthMiddleware` is already in my settings file; the views have been using the `login_required` decorator from `shopify_auth.decorators`, could that be causing the problem here?

That’s most likely the problem. I recommend you read https://shopify.dev/apps/auth/oauth/session-tokens. They do a much better job explaining than I could do 😃 But in short you need to use an authentication header instead of cookies to authenticate, and that can only be done with some amount of JavaScript involved, with Turbolinks being the least invasive approach.

I also updated the demo app to work with the latest version of django-shopify-auth, cleaned it up a bit and added billing.
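
An added example, not part of the thread or of django-shopify-auth: the server-side check that session-token auth implies, verifying the HS256-signed JWT sent in the `Authorization: Bearer` header rather than trusting a session cookie. The function names and the sample shop, key and secret used with it are constructed for illustration; the claim names (`iss`, `dest`, `aud`, `nbf`, `exp`) follow the Shopify session token documentation linked above.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse

class InvalidSessionToken(Exception):
    """Raised when the Authorization header carries no acceptable session token."""

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def verify_session_token(auth_header, api_key, api_secret, now=None, leeway=5):
    """Return verified claims from an 'Authorization: Bearer <JWT>' header value."""
    now = time.time() if now is None else now
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise InvalidSessionToken("missing or malformed bearer token")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        alg = header["alg"]
    except (ValueError, KeyError, TypeError) as exc:
        raise InvalidSessionToken("undecodable token") from exc
    # Pin the algorithm; never let the token pick it (e.g. "none").
    if alg != "HS256":
        raise InvalidSessionToken("unexpected alg")
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}", api_secret), signature):
        raise InvalidSessionToken("bad signature")
    try:
        shop = urlparse(claims["dest"]).hostname
        issuer = urlparse(claims["iss"]).hostname
        fresh = claims["nbf"] - leeway <= now <= claims["exp"] + leeway
        audience = claims["aud"]
    except (KeyError, TypeError, ValueError, AttributeError) as exc:
        raise InvalidSessionToken("missing or malformed claim") from exc
    if not fresh:
        raise InvalidSessionToken("token expired or not yet valid")
    if audience != api_key or not shop or issuer != shop:
        raise InvalidSessionToken("token is for a different app or shop")
    return claims

def sign_sample_token(claims, secret, alg="HS256"):
    """Build a constructed token for offline testing (stands in for the embedded app's JavaScript)."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    head, body = (enc(json.dumps(o).encode()) for o in ({"alg": alg, "typ": "JWT"}, claims))
    return f"{head}.{body}.{enc(_sign(f'{head}.{body}', secret))}"
```

A request that arrives with only a cookie and no `Authorization` header fails the first check, which is the situation a cookie-oriented `login_required` view cannot resolve on its own.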
