Please tell me what I'm doing wrong with app_proxy.
React:
[...]
$.ajax({
url: '/get-foo',
type: 'POST',
data: {},
success: function (data, xhr) {
console.log("success")
}.bind(this),
error: function (data, xhr) {
console.log("Error!")
}
});
[...]
Controller:
# controllers/app_proxy/foo_controller.rb
class AppProxy::FooController < ApplicationController
include ShopifyApp::AppProxyVerification
def bar
end
end
Shopify Partner:
Sub path prefix: apps
URL: get-foo
Proxy URL: https://<my-fwd-url>/app_proxy
When the ajax is called, I get as in title and my log shows:
Filter chain halted as :verify_proxy_request rendered or redirected
Edit:
If I place this in the controller, it works:
skip_before_action :verify_authenticity_token, raise: false
Im using Rails 5, my ruby knowledge in not that advanced as yet so I find it difficult to understand this.
whats the response when you try:
$.ajax({
url: '/apps/get-foo',
type: 'POST',
[...]
@ashmaroli I got
Object {readyState: 4, responseText: "", status: 401, statusText: "Unauthorized"}
In logs:
Filter chain halted as :verify_proxy_request rendered or redirected
Completed 401 Unauthorized in 8ms (ActiveRecord: 5.6ms)
I'll give you a generic answer regarding the usage of app-proxy.
Based on the example provided in the README, and the following settings at Shopify Partner Dash,:
sub path prefix : apps
url : foobar
Proxy URL : https://appname.herokuapp.com/app_proxy
then, navigating to https://myshop.com/apps/foobar will GET content at https://appname.herokuapp.com/app_proxy.
To GET reviews resources at https://appname.herokuapp.com/app_proxy/reviews, you simply have to navigate to https://myshop.com/apps/foobar/reviews
Unauthorised response is issued when your app is sent a request, either from a non-Shopify header or from a Shopify Store that has not installed your app.
@ashmaroli So what would the routes.rb looks like for that?
# config/routes.rb
namespace :app_proxy do
root action: 'index'
# simple routes without a specified controller will go to AppProxyController#index
# more complex routes will go to controllers in the AppProxy namespace
resources :reviews
# GET /app_proxy/reviews will now be routed to
# AppProxy::ReviewsController#index, for example
end
Cool. I'll try this in few minutes. Thanks
ShopifyApp 7.1.0+ comes with an app_proxy_controller generator. It automatically adds the required routes to routes.rb
@ashmaroli Oh! I'm not requesting a page, I need to access a controller method, that's why I post.
This is definitely a bug. I ran the generator and got:
# config/routes.rb
namespace :app_proxy do
root action: 'index', as: 'test' # I added this
# simple routes without a specified controller will go to AppProxyController#index
# more complex routes will go to controllers in the AppProxy namespace
resources :reviews
# GET /app_proxy/reviews will now be routed to
# AppProxy::ReviewsController#index, for example
end
Then in views:
<%= link_to 'test', main_app.app_proxy_test_path %>
On clicking that button, I still get 401 (Unauthorized)
Processing by AppProxyController#index as HTML
Filter chain halted as :verify_proxy_request rendered or redirected
Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)
Ah.. from my understanding, Shopify Application Proxies are a one-way street.
You can pull a page from your app and display it on your store. But, you cant push data from your shop to your app via the storefront (i.e. only via the shopify admin dashboard)
/cc @kevinhughes27
Ah! My controller now looks like this and it works. What dangers are there by just having it like this:
class AppProxy::FooBarController < ShopifyApp::AuthenticatedController
#include ShopifyApp::AppProxyVerification
skip_before_action :verify_authenticity_token, raise: false
[...]
end
Kevin Hughes will get back to you on that and more..
I am not super familiar with app proxies but @ashmaroli is right they only work for GET requests from what I can see.
If you need to make a POST you'll have to implement this yourself and it won't be an app proxy. I'd recommend just posting to another endpoint on your application that uses a regular controller. You might need to add some code to say what shop it is for and verify that you made the request depending on what you are doing security-wise.
@kevinhughes27 Super! All I did was to add skip_before_action :verify_authenticity_token, raise: false and all is well ;)
You've also got the AppProxyVerification concern commented out. This isn't really an app proxy anymore this is an API for your application. I'd recommend a new controller.
Most helpful comment
Ah.. from my understanding, Shopify Application Proxies are a one-way street.
You can pull a page from your app and display it on your store. But, you cant push data from your shop to your app via the storefront (i.e. only via the shopify admin dashboard)
/cc @kevinhughes27