Shopify_app: 401 (Unauthorized)

Created on 28 Aug 2016  路  14Comments  路  Source: Shopify/shopify_app

Please tell me what I'm doing wrong with app_proxy.

React:

[...]

$.ajax({
      url: '/get-foo',
      type: 'POST',
      data: {},
      success: function (data, xhr) {
        console.log("success")

      }.bind(this),
      error: function (data, xhr) {
          console.log("Error!")
      }
    });

[...]

Controller:

# controllers/app_proxy/foo_controller.rb

class AppProxy::FooController < ApplicationController
  include ShopifyApp::AppProxyVerification
  def bar
  end
end

Shopify Partner:

Sub path prefix: apps
URL: get-foo
Proxy URL: https://<my-fwd-url>/app_proxy

When the ajax is called, I get as in title and my log shows:

Filter chain halted as :verify_proxy_request rendered or redirected

Edit:

If I place this in the controller, it works:

skip_before_action :verify_authenticity_token, raise: false

Im using Rails 5, my ruby knowledge in not that advanced as yet so I find it difficult to understand this.

Most helpful comment

Ah.. from my understanding, Shopify Application Proxies are a one-way street.
You can pull a page from your app and display it on your store. But, you cant push data from your shop to your app via the storefront (i.e. only via the shopify admin dashboard)

/cc @kevinhughes27

All 14 comments

whats the response when you try:

$.ajax({
      url: '/apps/get-foo',
      type: 'POST',
[...]

@ashmaroli I got

Object {readyState: 4, responseText: "", status: 401, statusText: "Unauthorized"}

In logs:

Filter chain halted as :verify_proxy_request rendered or redirected
Completed 401 Unauthorized in 8ms (ActiveRecord: 5.6ms)

I'll give you a generic answer regarding the usage of app-proxy.

Based on the example provided in the README, and the following settings at Shopify Partner Dash,:

sub path prefix : apps
url             : foobar
Proxy URL       : https://appname.herokuapp.com/app_proxy

then, navigating to https://myshop.com/apps/foobar will GET content at https://appname.herokuapp.com/app_proxy.

To GET reviews resources at https://appname.herokuapp.com/app_proxy/reviews, you simply have to navigate to https://myshop.com/apps/foobar/reviews

Unauthorised response is issued when your app is sent a request, either from a non-Shopify header or from a Shopify Store that has not installed your app.

@ashmaroli So what would the routes.rb looks like for that?

  # config/routes.rb

  namespace :app_proxy do
    root action: 'index'
    # simple routes without a specified controller will go to AppProxyController#index

    # more complex routes will go to controllers in the AppProxy namespace
    resources :reviews
    # GET /app_proxy/reviews will now be routed to
    # AppProxy::ReviewsController#index, for example
  end

Cool. I'll try this in few minutes. Thanks

ShopifyApp 7.1.0+ comes with an app_proxy_controller generator. It automatically adds the required routes to routes.rb

@ashmaroli Oh! I'm not requesting a page, I need to access a controller method, that's why I post.

This is definitely a bug. I ran the generator and got:

  # config/routes.rb

  namespace :app_proxy do
    root action: 'index', as: 'test' # I added this
    # simple routes without a specified controller will go to AppProxyController#index

    # more complex routes will go to controllers in the AppProxy namespace
    resources :reviews
    # GET /app_proxy/reviews will now be routed to
    # AppProxy::ReviewsController#index, for example
  end

Then in views:

<%= link_to 'test', main_app.app_proxy_test_path %>

On clicking that button, I still get 401 (Unauthorized)

Processing by AppProxyController#index as HTML
Filter chain halted as :verify_proxy_request rendered or redirected
Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)

Ah.. from my understanding, Shopify Application Proxies are a one-way street.
You can pull a page from your app and display it on your store. But, you cant push data from your shop to your app via the storefront (i.e. only via the shopify admin dashboard)

/cc @kevinhughes27

Ah! My controller now looks like this and it works. What dangers are there by just having it like this:

class AppProxy::FooBarController < ShopifyApp::AuthenticatedController
  #include ShopifyApp::AppProxyVerification
  skip_before_action :verify_authenticity_token, raise: false

  [...]

end

Kevin Hughes will get back to you on that and more..

I am not super familiar with app proxies but @ashmaroli is right they only work for GET requests from what I can see.

If you need to make a POST you'll have to implement this yourself and it won't be an app proxy. I'd recommend just posting to another endpoint on your application that uses a regular controller. You might need to add some code to say what shop it is for and verify that you made the request depending on what you are doing security-wise.

@kevinhughes27 Super! All I did was to add skip_before_action :verify_authenticity_token, raise: false and all is well ;)

You've also got the AppProxyVerification concern commented out. This isn't really an app proxy anymore this is an API for your application. I'd recommend a new controller.

Was this page helpful?
0 / 5 - 0 ratings