path_prefix assignment breaks oAuth flow - Please fix this...
resistorsoftware opened this issue · 3 comments
Trying to auth for endpoint https://www.fizzbuzz.com/shopify instead of https://www.fizzbuzz.com
used to work (v 1.1.8) with a simple change to config in the rack config file:
use OmniAuth::Builder do
  # allow us to connect this App via the /shopify route instead of just the root URL /
  configure do |config|
    config.path_prefix = '/shopify/auth'
  end

  provider :shopify, ENV['SHOPIFY_API_KEY'], ENV['SHOPIFY_API_SECRET'],
    :scope => SCOPE,
    :setup => lambda { |env|
      params = Rack::Utils.parse_query(env['QUERY_STRING'])
      env['omniauth.strategy'].options[:client_options][:site] = "https://#{params['shop']}"
    }
end
Now that change breaks the OAuth flow, and the request to authenticate a shop ends up dying with a "no redirect URI" response from Shopify:
Using JS to bust out of the iframe with OAuth, I do the standard thing... and die:
@redirect_url = "/shopify/auth/shopify?shop=#{shop_name}"
rendering a redirect now... /shopify/auth/shopify?shop=fixbuzz.myshopify.com
INFO -- omniauth: (shopify) Setup endpoint detected, running now.
Request Phase: #<Rack::Request:0x007f0cb28713e0 @env={"SERVER_SOFTWARE"=>"thin 1.6.3 codename Protein Powder", "SERVER_NAME"=>"celebrity-owned.herokuapp.com", "rack.input"=>#<StringIO:0x007f0cb28728d0>, "rack.version"=>[1, 0], "rack.errors"=>#<IO:<STDERR>>, "rack.multithread"=>false, "rack.multiprocess"=>false, "rack.run_once"=>false, "REQUEST_METHOD"=>"GET", "REQUEST_PATH"=>"/shopify/auth/shopify", "PATH_INFO"=>"/shopify/auth/shopify", "QUERY_STRING"=>"shop=fixbuzz.myshopify.com", "REQUEST_URI"=>"/shopify/auth/shopify?shop=fixbuzz.myshopify.com", "HTTP_VERSION"=>"HTTP/1.1", "HTTP_HOST"=>"celebrity-owned.herokuapp.com", "HTTP_CONNECTION"=>"close", "HTTP_ACCEPT"=>"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "HTTP_UPGRADE_INSECURE_REQUESTS"=>"1", "HTTP_USER_AGENT"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36", "HTTP_REFERER"=>"http://celebrity-owned.herokuapp.com/shopify/login", "HTTP_ACCEPT_ENCODING"=>"gzip, deflate, sdch", "HTTP_ACCEPT_LANGUAGE"=>"en,en-US;q=0.8,fr;q=0.6", "HTTP_X_REQUEST_ID"=>"686bff7a-2acd-40cd-9997-cd421bb0e9b3", "HTTP_X_FORWARDED_FOR"=>"67.70.24.228", "HTTP_X_FORWARDED_PROTO"=>"http", "HTTP_X_FORWARDED_PORT"=>"80", "HTTP_VIA"=>"1.1 vegur", "HTTP_CONNECT_TIME"=>"2", "HTTP_X_REQUEST_START"=>"1441039792615", "HTTP_TOTAL_ROUTE_TIME"=>"0", "GATEWAY_INTERFACE"=>"CGI/1.2", "SERVER_PORT"=>"80", "SERVER_PROTOCOL"=>"HTTP/1.1", "rack.url_scheme"=>"http", "SCRIPT_NAME"=>"", "REMOTE_ADDR"=>"10.238.8.204", "async.callback"=>#<Method: Thin::Connection#post_process>, "async.close"=>#<EventMachine::DefaultDeferrable:0x007f0cb2871ea8>, "rack.session"=>{"session_id"=>"8f2451b624fa1b3eaadf37b986b43efaa1676282db51ea7e8110392902782211", "omniauth.params"=>{"shop"=>"fixbuzz.myshopify.com"}, "omniauth.origin"=>"http://celebrity-owned.herokuapp.com/shopify/login"}, "rack.session.options"=>{:path=>"/", :domain=>nil, :expire_after=>86400, :secure=>true, :httponly=>true, :defer=>false, :renew=>false, :sidbits=>128, :secure_random=>SecureRandom, :secret=>"6d0ea6158819b727fb40e4deaf67887f", :coder=>#<Rack::Session::Cookie::Base64::Marshal:0x007f0cb2408d80>}, "omniauth.strategy"=>#<OmniAuth::Strategies::Shopify>, "rack.request.query_string"=>"shop=fixbuzz.myshopify.com", "rack.request.query_hash"=>{"shop"=>"fixbuzz.myshopify.com"}, "rack.request.cookie_hash"=>{}, "rack.session.unpacked_cookie_data"=>{"session_id"=>"8f2451b624fa1b3eaadf37b986b43efaa1676282db51ea7e8110392902782211"}}, @params={"shop"=>"fixbuzz.myshopify.com"}>
valid site: domain: myshopify.com, site: https://fixbuzz.myshopify.com
"POST /shopify/login HTTP/1.1" 200 107 0.0833
INFO -- omniauth: (shopify) Request phase initiated.
at=info method=GET path="/shopify/auth/shopify?shop=fixbuzz.myshopify.com" host=celebrity-owned.herokuapp.com request_id=686bff7a-2acd-40cd-9997-cd421bb0e9b3 fwd="67.70.24.228" dyno=web.1 connect=2ms service=71ms status=302 bytes=768
instead of prompting the user with a permissions screen.
Note that a perfectly good redirect URI is set up in the partner screen for the App too... listed as https://someapp.com/shopify/auth/shopify/callback, a route that used to work fine, where the first /shopify was sending the request to the route looking for /auth/:provider/callback, where :provider was shopify...
I modified the example to use path_prefix:
diff --git a/example/config.ru b/example/config.ru
index c3b5556..3c4d579 100644
--- a/example/config.ru
+++ b/example/config.ru
@@ -18,7 +18,7 @@ class App < Sinatra::Base
<title>Shopify Oauth2</title>
</head>
<body>
- <form action="/auth/shopify" method="get">
+ <form action="/shopify/auth/shopify" method="get">
<label for="shop">Enter your store's URL:</label>
<input type="text" name="shop" placeholder="your-shop-url.myshopify.com">
<button type="submit">Log In</button>
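Review bot: the `/shopify/auth` prefix is spelled out by hand in this form action, and again in the `config.path_prefix` setting further down in the same file; read it from one place instead, e.g. `<form action="#{OmniAuth.config.path_prefix}/shopify" method="get">` inside the heredoc, so the routes and the middleware cannot drift apart when the prefix is changed.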
@@ -28,7 +28,7 @@ class App < Sinatra::Base
HTML
end
- get '/auth/:provider/callback' do
+ get '/shopify/auth/:provider/callback' do
<<-HTML
<html>
<head>
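Review bot: changing the callback route to `/shopify/auth/:provider/callback` only works if the Redirection URL registered for the app in the Partner dashboard is changed to the same path at the same time; add a comment next to this route (or a README note) saying the two must match exactly, because a stale `/auth/shopify/callback` registration fails at Shopify's end rather than in the app, which is hard to diagnose from the app's own logs.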
@@ -43,7 +43,7 @@ class App < Sinatra::Base
HTML
end
- get '/auth/failure' do
+ get '/shopify/auth/failure' do
<<-HTML
<html>
<head>
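Review bot: `/shopify/auth/failure` is the right path, since OmniAuth redirects failures to `#{path_prefix}/failure` and appends the reason as a `message` query parameter; the route body is cut off in this hunk, so if it echoes `params[:message]` into the page, escape it with `Rack::Utils.escape_html` rather than interpolating it raw into the heredoc.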
@@ -61,6 +61,10 @@ end
use Rack::Session::Cookie, secret: SecureRandom.hex(64)
use OmniAuth::Builder do
+ configure do |config|
+ config.path_prefix = '/shopify/auth'
+ end
+
provider :shopify, SHOPIFY_API_KEY, SHOPIFY_SHARED_SECRET, :scope => SCOPE
end
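Review bot: setting `config.path_prefix` here moves the request and callback paths, but the `provider :shopify ...` line still leaves the redirect_uri to be derived from the incoming request's scheme and host; pass `:callback_url => 'https://<your host>/shopify/auth/shopify/callback'` (or otherwise force the scheme) so that a request arriving over plain http, or carrying an unexpected Host header, cannot produce a redirect_uri that differs from the registered Redirection URL. Also, the context line `use Rack::Session::Cookie, secret: SecureRandom.hex(64)` generates a fresh secret on every boot, so sessions (including the omniauth.params and omniauth.origin stored in them) are invalidated on each restart; fine for an example, worth a comment so it is not copied into production.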
With http://localhost:9292/shopify/auth/shopify/callback as the Redirection URL for the app, I was able to install the app and get logged in without a problem.
OK... So why does Shopify present me with the 400 "no redirect URI" error? Is that a bug in the partner App setup screen, whereby the provided redirect URI is ignored?
We communicated by email and found out that the problem was that the redirect_uri had a different scheme than the app's Redirection URL: the request to /shopify/auth/shopify redirects to Shopify with a redirect_uri that uses the scheme and host from the request.
This can be prevented by making sure the right scheme is used to redirect to the /shopify/auth/shopify path, or by using the :callback_url option to provider so that it does not use the scheme and host from the request. E.g.:
provider :shopify, ENV['SHOPIFY_API_KEY'], ENV['SHOPIFY_API_SECRET'],
  :scope => SCOPE,
  :callback_url => 'https://www.fizzbuzz.com/shopify/auth/shopify/callback'
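The mechanism described in that last comment, as an added example that is not part of the thread and not omniauth-shopify-oauth2's own code: a pure-Ruby stand-in (no gems required) for how an OmniAuth-style strategy derives redirect_uri from the request when no :callback_url is configured, run against an env hash reduced from the Rack::Request dump above. It shows why the plain-http request in the log produced a redirect_uri that does not match an https Redirection URL, that a forged Host header changes the derived value too, and that a fixed :callback_url is immune to both. The registered Redirection URL, the forged-Host request, and the helper names are assumptions made for the illustration.

```ruby
require 'uri'

PATH_PREFIX = '/shopify/auth'   # the config.path_prefix value from the issue
PROVIDER    = 'shopify'

# Simplified stand-in for how an OmniAuth strategy builds its callback URL when
# no fixed :callback_url is configured: scheme and host are taken from the
# incoming request, then SCRIPT_NAME + path_prefix + "/<provider>/callback".
# Assumption: this mirrors the gem's behaviour; it is not the gem's code.
def derived_redirect_uri(env, path_prefix: PATH_PREFIX, provider: PROVIDER)
  scheme = env.fetch('rack.url_scheme')
  host   = env.fetch('HTTP_HOST')
  script = env['SCRIPT_NAME'].to_s
  "#{scheme}://#{host}#{script}#{path_prefix}/#{provider}/callback"
end

# What ends up in the authorize request: a fixed :callback_url wins when set.
def effective_redirect_uri(env, callback_url: nil)
  callback_url || derived_redirect_uri(env)
end

# Providers compare redirect_uri with the registered value literally, so
# scheme, host, port and path must all be identical.
def redirect_uri_registered?(redirect_uri, registered)
  a, b = URI.parse(redirect_uri), URI.parse(registered)
  [a.scheme, a.host, a.port, a.path] == [b.scheme, b.host, b.port, b.path]
end

# Constructed env, reduced from the Rack::Request dump in the issue: the
# request reached the dyno over plain http, as rack.url_scheme shows.
HTTP_ENV = {
  'rack.url_scheme'        => 'http',
  'HTTP_HOST'              => 'celebrity-owned.herokuapp.com',
  'HTTP_X_FORWARDED_PROTO' => 'http',
  'SCRIPT_NAME'            => '',
  'PATH_INFO'              => '/shopify/auth/shopify',
  'QUERY_STRING'           => 'shop=fixbuzz.myshopify.com',
}.freeze

# Same request arriving over TLS (constructed).
HTTPS_ENV = HTTP_ENV.merge('rack.url_scheme' => 'https',
                           'HTTP_X_FORWARDED_PROTO' => 'https').freeze

# Same request with a forged Host header (constructed): without a fixed
# callback_url the app would ask Shopify to redirect to the attacker's host.
FORGED_HOST_ENV = HTTPS_ENV.merge('HTTP_HOST' => 'attacker.example').freeze

# Redirection URL as registered in the Partner dashboard (assumed value).
REGISTERED = 'https://celebrity-owned.herokuapp.com/shopify/auth/shopify/callback'

# Returns [label, redirect_uri, matches_registered?] for each scenario.
def scenarios
  [
    ['http request, derived',             effective_redirect_uri(HTTP_ENV)],
    ['https request, derived',            effective_redirect_uri(HTTPS_ENV)],
    ['forged Host over https, derived',   effective_redirect_uri(FORGED_HOST_ENV)],
    ['http request, fixed :callback_url', effective_redirect_uri(HTTP_ENV, callback_url: REGISTERED)],
    ['forged Host, fixed :callback_url',  effective_redirect_uri(FORGED_HOST_ENV, callback_url: REGISTERED)],
  ].map { |label, uri| [label, uri, redirect_uri_registered?(uri, REGISTERED)] }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each do |label, uri, ok|
    puts format('%-36s %s -> %s', label, uri, ok ? 'matches' : 'MISMATCH')
  end
end
```

Run it directly and the first and third scenarios report MISMATCH: the first is the situation in the log (http in, https registered), the third is the Host-header dependency that a derived callback carries with it. Both go away with a fixed :callback_url, which is why pinning it is the more robust of the two fixes the comment offers.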