Create concern to authenticate deep links using Turbolinks #1118
Conversation
| # frozen_string_literal: true | ||
|
|
||
| module ShopifyApp | ||
| module TurbolinksAuthenticated |
There was a problem hiding this comment.
I'm not entirely sure what to call this concern yet, I'm open to suggestions!
|
Hey @NabeelAhsen, this looks awesome, but it looks like there are 2 small linter errors at the moment. |
Oh yeah I've been trying to run Do you have any recommendations around this? Edit: Oh it seems that this will most likely be fixed by https://github.com/Shopify/shopify_app/tree/melaniew/fix_rubocop_error |
|
Sorry that's on me 😅, PR's' up! |
|
I just noticed the same. It looks like that rubocop error exists on As for why |
Approved ✅ |
|
@NabeelAhsen You should be good to rebase |
|
I opened #1120 which should help to avoid some types of RuboCop version mismatch. |
NabeelAhsen
force-pushed
the
add-deep-linking-auth-support
branch
from
f2e9e5a to
a50f7df
Compare
NabeelAhsen
force-pushed
the
add-deep-linking-auth-support
branch
from
a50f7df to
9336b4a
Compare
NabeelAhsen
force-pushed
the
add-deep-linking-auth-support
branch
from
9336b4a to
cab35c4
Compare
NabeelAhsen
requested review from
theundeadmonk,
paulomarg,
ragalie and
mSitkovets
|
I've added a section in |
README.md
Outdated
|
|
||
| The `ShopifyApp::EnsureAuthenticatedLinks` concern helps authenticate users that access protected pages of your app directly. | ||
|
|
||
| Include this concern in your app's `AuthenticatedController` if your app uses session tokens with [Turbolinks](https://shopify.dev/tutorials/authenticate-server-side-rendered-apps-with-session-tokens-app-bridge-turbolinks). It adds a `before_action` filter that detects whether a session token is present or not. If a session is not found, the app is redirected to your app's splash page path (`root_path`) along with `return_to` and `shop` parameters. |
There was a problem hiding this comment.
"the app is redirected" - should that say "the user is redirected" ?
README.md
Outdated
| Example `AuthenticatedController`: | ||
|
|
||
| ```rb | ||
| # frozen_string_literal: true |
There was a problem hiding this comment.
I don't think we need to include the frozen_string_literal line in the example.
NabeelAhsen
force-pushed
the
add-deep-linking-auth-support
branch
from
b0698c3 to
a6c11fc
Compare
|
Hi @NabeelAhsen, I noticed that the order of the concerns matter. This doesn't work. If you go to a deep link in an incognito browser window (or any browser window not logged into Shopify), you get an However, if I change it to this, it works. It'll ask for myshopify URL first and then login in + redirect. Can you confirm? |
@netwire88 Thank you for bringing this to our attention! This is definitely an oversight, and is being fixed with this PR: #1158 The PR i linked here will allow the order of |
|
Thanks @NabeelAhsen ! |
This is related to supporting session tokens using Turbolinks. This PR introduces an optional controller concern that helps authenticate multi-page apps when accessing a link directly.
Currently, with third party cookies disabled, a user is unable to access protected endpoints like
/productsor/widgets. When using Turbolinks, the recommended way of issuing a valid session token via App Bridge is by creating a splash page as therootresource of the app.More info: https://shopify.dev/tutorials/authenticate-server-side-rendered-apps-with-session-tokens-app-bridge-turbolinks
This concern redirects an app to the
rootcontroller along with areturn_toandshopparameter if it detects that an action is unauthenticated (i.e it fails to detect a valid session token session). Once a session token has been issued by App Bridge, Turbolinks can use this to redirect the app back to thereturn_toparameter inshopify_app.js:To use this concern, add it to the sample
AuthenticatedControllerthat gets generated by the Shopify App gem:CHANGELOG.mdif the changes would impact usersREADME.md, if appropriate.docs/, if necessary