Releases: TheSecurityDev/simple-koa-shopify-auth
v3.0.0
What's Changed
Use token exchange instead of redirecting for online session #20:
In the `verifyRequest` middleware, if the online session is invalid, it now uses the token exchange API to get a new session where possible. If multiple requests come in at once, a single token exchange request is shared by all of them for efficiency. If the token exchange fails, it falls back to the old way of redirecting to get the session. Installation is still done the old way, but the token exchange avoids having to redirect to get a new online session every 24 hours. The new token exchange function is also exported as `exchangeSessionTokenForAccessTokenSession`.
The old way of getting the session was to redirect the app to the auth route, get the session token, and then redirect back. For API requests, it returned a header to tell the client to redirect. We still do this, but it should rarely occur anymore. This means that the `afterAuth` callback won't be called as often after getting an online session. This could be a breaking change if you rely on that callback being called when the app is opened again after 24 hours.
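The flow described above, as an added JavaScript example (not this library's code): one in-flight token exchange per shop is shared by concurrent requests, and only a failed exchange falls back to the old redirect signal. The `exchangeFn` stand-in for Shopify's token exchange call, the `sessionStore` shape (`load`/`store`), the `makeCtx` stand-in for a Koa context, and the reauthorize status code and header names are all assumptions.

```javascript
// Added example (not the library's own code) of the v3.0.0 verifyRequest flow.
// ASSUMPTIONS: exchangeFn stands in for the Shopify token exchange call,
// sessionStore is any object with load(shop)/store(shop, session), and the
// reauthorize status code and header names are placeholders.

const inflightExchanges = new Map(); // shop -> Promise<session>, shared by concurrent requests

// Run at most one token exchange per shop at a time; later callers await the same promise.
function exchangeOnce(shop, sessionToken, exchangeFn, sessionStore) {
  let pending = inflightExchanges.get(shop);
  if (!pending) {
    pending = Promise.resolve()
      .then(() => exchangeFn(shop, sessionToken))
      .then(async (session) => {
        await sessionStore.store(shop, session); // persist once, not once per waiter
        return session;
      })
      .finally(() => inflightExchanges.delete(shop)); // clear on success and on failure
    inflightExchanges.set(shop, pending);
  }
  return pending;
}

// Returns the usable online session, or null if the exchange failed and the
// caller must fall back to the old redirect flow.
async function ensureOnlineSession({ shop, sessionToken, sessionStore, exchangeFn, now = Date.now() }) {
  const stored = await sessionStore.load(shop);
  if (stored && stored.expires > now) return { session: stored, source: "store" };
  try {
    const fresh = await exchangeOnce(shop, sessionToken, exchangeFn, sessionStore);
    return { session: fresh, source: "token_exchange" };
  } catch (err) {
    return { session: null, source: "redirect", reason: String((err && err.message) || err) };
  }
}

// Koa-style middleware factory; ctx is a minimal stand-in for a Koa context.
function makeVerifyRequest({ sessionStore, exchangeFn, reauthUrl }) {
  return async function verifyRequest(ctx, next) {
    const { shop, sessionToken } = ctx.state; // assumed to be set by an earlier middleware
    const result = await ensureOnlineSession({ shop, sessionToken, sessionStore, exchangeFn });
    if (!result.session) {
      // Old behaviour kept as the fallback: tell the embedded client to redirect through auth.
      ctx.status = 403; // assumed
      ctx.set("X-Shopify-API-Request-Failure-Reauthorize", "1"); // assumed header names
      ctx.set("X-Shopify-API-Request-Failure-Reauthorize-Url", reauthUrl(shop));
      return;
    }
    ctx.state.session = result.session;
    await next();
  };
}

// In-memory session store and Koa-context stand-in so this runs offline.
function memorySessionStore() {
  const sessions = new Map();
  return {
    async load(shop) { return sessions.get(shop) || null; },
    async store(shop, session) { sessions.set(shop, session); },
  };
}

function makeCtx(state) {
  const responseHeaders = {};
  return {
    state, status: 200, body: undefined, responseHeaders,
    set(name, value) { responseHeaders[name.toLowerCase()] = value; },
  };
}
```

The map is keyed per shop so an exchange for one store never blocks another, and the `finally` clears the entry whether the exchange resolved or rejected, so a transient failure does not pin every later request to a dead promise.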
Other important changes:
- BREAKING: The `validateShop` function has been removed. Use the `Shopify.Utils.sanitizeShop` function instead.
- Invalid JWT errors (e.g. JWT expired) are now handled properly and return 401 instead of throwing a 500 server error. The header `X-Shopify-API-Request-Failure-Invalid-Session-Token` is set to `1` to tell the client the reason for the error, so it can request a new session token and retry the request if desired.
Full Changelog: v2.1.17...v3.0.0
v2.1.17
v2.1.15
Greatly improved request handling time.
This patch update caches the result of the access token validation API call, which dramatically decreases the time for handling requests.
After careful consideration, I realized that the API call to validate the access token for each request isn't strictly necessary, since the JWT token is signed by Shopify, and therefore cannot be spoofed. Also, the JWT token has to be rotated every minute, so if the access token gets revoked that will be enough to stop you from accessing it. Therefore the only reason to continue making the API call is to ensure that if the access token gets corrupted or invalidated in the database, then we will be able to get a new one.
Versions 2.1.11 - 2.1.14 are broken and should not be used. (Giga-chads test in production 😉)
v2.1.10
Small fix to try to prevent double redirects in some cases
v2.1.9
v2.1.7
Implement hack to work around issue where Shopify (presumably) incorrectly provides the old host parameter when using the new `admin.shopify.com` domain.
v2.1.6
Changed how the AppBridge instance is created to use the `host` parameter.
v2.1.4
- Preserve query parameters when doing redirects (so host param will be kept)
- Generate and return host parameter in re-auth URL header
- Update App Bridge script to v3.2.6
- Add typescript as devDependency
Versions 2.1.0 - 2.1.3 are broken and should not be used.
v2.0.1
Handle Shopify InvalidJwtError with 401 status code instead of 500.
v2.0.0
Update Shopify API peer dependency requirement to v5