Shopify_app: Having issues with Cookies and Proxy

Created on 29 Jun 2020  路  6Comments  路  Source: Shopify/shopify_app

Is there a way to configure Rails cookies to work behind the proxy this gem creates?

I can set a Rails cookie that persists fine for the embedded app part (the pages in the admin). But as soon as I try to set a Rails cookie for my app proxy, it doesn't persist.

Here's my example code.

Cookies do persist here:

class HomeController < AuthenticatedController
  def index
    @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
    @webhooks = ShopifyAPI::Webhook.find(:all)
    cookies[:foo] = 'bar'
    logger.debug { cookies[:foo].inspect } 
  end

  def test
    logger.debug { cookies[:foo].inspect }   
  end
end

When I visit mystore.myshopify.com/admin/apps/myapp, I get bar in my logs. After that, I visit mystore.myshopify.com/admin/apps/myapp/test and the cookies persist, and I get bar in my logs.

Cookies do not persist here in the proxy:

class AppProxyController < ApplicationController
  include ShopifyApp::AppProxyVerification

  def index
    cookies[:foo] = 'bar'
    logger.debug { cookies[:foo].inspect } 
    render(layout: false, content_type: 'application/liquid')
  end

  def test
    logger.debug { cookies[:foo].inspect } 
    render(layout: false, content_type: 'application/liquid')
  end 

end

When I visit mystore.myshopify.com/apps/myapp, I get bar in my logs. After that, I visit mystore.myshopify.com/apps/myapp/test and I get nil in my logs.

EDIT

The same happens if I'm trying to set a session variable instead of a cookie.

EDIT 2

Also, Rails Flashes are not working in the App Proxy Controller, but are working in the Home Controller.

Most helpful comment

I think the best advice has always been and continues to be:

You get handed the shop name, and you can ensure the call to your proxy came from Shopify, for that shop. There is no persistence between the incoming call and what you maybe did before... the call itself however, can contain data you can use... so keep it simple. Do not try and overthink it, and do not try and use cookies... you will just experience grief.

All 6 comments

You are trying to set a cookie on a domain that is not your own. You need to look into samesite cookie policies https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite but even then, you cannot be certain that your cookie will persist depending on which browser the merchant is using. App proxies come with a shop domain which should be used to return the appropriate response. I do not recommend trying to set cookies because then you are also injecting cookies into your merchants storefront and that changes their privacy policies and cookie policies. This could be seen as a breach of privacy and you may not be approved through the app store.

IIRC, you can't set cookie in a proxy app.

IIRC, you can't set cookie in a proxy app.

@cdmwebs How about session variables? The same scenario happens if it's a session variable I'm trying to set.

Basically Cookies, Sessions and Flashes are not persisting across actions in the App Proxy Controller.

Sessions are generally tracked using cookies. You could get more complicated and have your code handle JWT tokens but that will be a lot harder.

I think the best advice has always been and continues to be:

You get handed the shop name, and you can ensure the call to your proxy came from Shopify, for that shop. There is no persistence between the incoming call and what you maybe did before... the call itself however, can contain data you can use... so keep it simple. Do not try and overthink it, and do not try and use cookies... you will just experience grief.

Was this page helpful?
0 / 5 - 0 ratings