Users aren't signed into a new shop when clicking app link and already signed in
shkm opened this issue · 0 comments
shkm commented
Background
We just upgraded to the latest version of the shopify_app gem, from 7.2.0 to 9.0.1 (omniauth-shopify-oauth2 1.5.0 -> 2.1.0), and we're seeing an issue involving users clicking app links from their shop. We're not using an embedded app.
Scenario
- User is signed into app as shop1.myshopify.com
- User clicks app link from shop2.myshopify.com
- User redirects to app and remains signed in as shop1.myshopify.com
Problem
This seems to me to be because of the following code:
```ruby
# The setup proc as shipped: the shop is taken only from the session, so the
# `shop` request param sent along with an app link from a different store is
# never consulted.
option :setup, proc { |env|
  strategy = env['omniauth.strategy']
  shopify_auth_params = strategy.session['shopify.omniauth_params'] &&
    strategy.session['shopify.omniauth_params'].with_indifferent_access
  shop = if shopify_auth_params && shopify_auth_params['shop']
    "https://#{shopify_auth_params['shop']}"
  else
    ''
  end
  strategy.options[:client_options][:site] = shop
}
```
i.e. we're not checking the request params for the shop domain.
Fix
Changing the code to the following seems to resolve the issue:
```ruby
option :setup, proc { |env|
  strategy = env["omniauth.strategy"]
  request = Rack::Request.new(env)
  # Shop from the request params wins; the session's cached shop is the fallback.
  session_shop = strategy.session["shopify.omniauth_params"]&.with_indifferent_access&.[]("shop")
  shop = request.params.fetch("shop", session_shop)
  strategy.options[:client_options][:site] = shop ? "https://#{shop}" : ""
}
```
i.e. use the shop from the request params if it exists, or fall back to the usual behaviour.
Is there anything wrong with this approach? Am I missing something as to why this isn't the normal behaviour?
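As an added example (not code from this issue, nor from the shopify_app or omniauth-shopify-oauth2 gems), here is how the shop selection in the proposed fix can be written so that the request param takes precedence over the session while still refusing any host that is not a *.myshopify.com domain. Once the `shop` param feeds `client_options[:site]`, that value decides which host the OAuth redirect and token exchange go to, so it has to be checked before use rather than interpolated straight into `"https://#{shop}"`. The helper names, the regex, the string-or-symbol key handling and the sample params/session hashes below are all this example's own assumptions, not the gem's API.

```ruby
# Added example, not code from shopify_app or omniauth-shopify-oauth2.
# Resolves which shop an OmniAuth setup proc should target: the `shop`
# request param wins over the shop cached in the session, and anything
# that is not a *.myshopify.com hostname is rejected instead of being
# used as the OAuth site. Helper names and the regex are this example's own.

MYSHOPIFY_DOMAIN = "myshopify.com"

# Accepts "shop1.myshopify.com" or "https://shop1.myshopify.com/" and
# nothing else: no other scheme, port, path, userinfo or extra suffix.
SHOP_DOMAIN_RE = %r{\A(?:https://)?([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.#{Regexp.escape(MYSHOPIFY_DOMAIN)})/?\z}

# Returns the bare hostname for a valid shop, or nil. Non-strings (e.g. an
# array produced by a `shop[]=` param) are rejected; hostnames are case-folded.
def normalize_shop(candidate)
  return nil unless candidate.is_a?(String)
  m = SHOP_DOMAIN_RE.match(candidate.strip.downcase)
  m && m[1]
end

# Looks a key up in a hash that may be string- or symbol-keyed (a session
# round-tripped through the cookie store is usually string-keyed).
def fetch_indifferent(hash, key)
  return nil unless hash.respond_to?(:key?)
  hash[key.to_s] || hash[key.to_sym]
end

# Picks the shop for this request. An explicit but malformed `shop` param is
# rejected outright instead of being silently replaced by the session's shop,
# so a bad link can never sign the user into some other store.
def resolve_shop(params, session)
  return normalize_shop(params["shop"]) if params.key?("shop")

  cached = fetch_indifferent(session, "shopify.omniauth_params")
  normalize_shop(fetch_indifferent(cached, "shop"))
end

# Value for strategy.options[:client_options][:site]: the shop's https
# origin, or "" when no acceptable shop is known.
def site_for(params, session)
  shop = resolve_shop(params, session)
  shop ? "https://#{shop}" : ""
end

# Wiring into the setup proc would then be (hypothetical, mirrors the issue):
#   request = Rack::Request.new(env)
#   strategy.options[:client_options][:site] =
#     site_for(request.params, strategy.session)

if __FILE__ == $PROGRAM_NAME
  # Constructed sample session: the user is currently signed in as shop1.
  session = { "shopify.omniauth_params" => { "shop" => "shop1.myshopify.com" } }
  puts site_for({ "shop" => "shop2.myshopify.com" }, session)        # shop2 wins over the session
  puts site_for({}, session)                                         # falls back to shop1
  puts site_for({ "shop" => "evil.example.com" }, session).inspect   # "" : rejected, no fallback
end
```

The regex deliberately anchors the whole value, so `shop1.myshopify.com.evil.example`, `shop1.myshopify.com:8443` and `evil.example.com/shop1.myshopify.com` all come back as no shop at all; whether the strategy then shows an error or re-prompts for a shop is up to the app, but it never redirects to a host the caller chose.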