sameSite: Lax is failing to set the cookie

[IonicaBizau]

Issue summary

Because sameSite: lax, the cookies are not being set by the oauth being call.

Expected behavior

It should set the cookies and authenticate the embedded app.

We manually changed these lines in oauth.js into sameSite: "none" and it works, but being a change done in node_modules it will not work long term.

Is there any way to set the sameSite policy or another way to solve this issue?

[manassra]

Confirming that I have the same problem.

[manassra]

Providing an update here: it turns out that the cookie was not being forwarded because I was starting the auth process via my localhost endpoint, but then using an ngrok link for the authorization callback. Once I initiate the flow via the ngrok endpoint, everything works as expected (since now all interactions are happening on the same domain, as enforced by SameSite: Lax).

[IonicaBizau]

@manassra In our case the app is already in production (deployed on a cloud server and connected to a subdomain — api.example.com where example.com is the main domain of the shop). Do you have any idea why it would fail in our case? Thank you!

[cmelendez]

@IonicaBizau we follow the same pattern and this might help you: when the library sets the session cookie a) it doesn't specify a domain, so the browser uses the domain that's setting it (api.example.com in your case), and b) it sets a specific path where the cookie is valid which is the same path used in callbackPath when calling shopify.auth.begin(). It's very likely that the path used by your API in api.example.com is not same as the one used by app in example.com and maybe that's why are not able to read the session cookie in your callback URL.

Our solution was to fork the library (we'll push a PR) and set both a domain (.example.com to make it work domain-wide) and a valid path (/ to make it work app-wide) in oauth.ts.

My guess is that the library is expecting to work under the same domain and path, just like Shopify's template app.

[zds97]

@cmelendez If that was the case, wouldn't we expect this to consistently happen? For us to it seems to happen for maybe 1/20 installs.

[cmelendez]

@zds97 in your case yes, it seems you have a different issue or maybe a combination of things. You could try increasing the expiration time and the domain/path of the cookie in oauth.ts.

[abharvey]

@cmelendez Thanks for helping out. Please feel free to tag me on your PR if you're able to make one. Any additional context to your app structure would be greatly helpful.

[cmelendez]

I've created a PR that solves this specific oauth flow.

There's a new param when calling shopifyApi called cookieDomain. Use a valid string, ie .example.com (notice the . at the beggining) to be able to read the cookie under the entire example.com domain.

[rodrigogsqquid]

We're also experiencing this issue. It would be great if an admin could merge @cmelendez PR and release the code.

[dylan-authentic]

+1 for this issue.

[github-actions]

This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days.

[IonicaBizau]

I think this is still an issue.Sent from my iPhoneOn 27 Sep 2023, at 03:46, github-actions[bot] ***@***.***> wrote: This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>