v3.0.0
@TheSecurityDev TheSecurityDev released this 17 Feb 20:16
cc4cf40

What's Changed

Use token exchange instead of redirecting for online session #20:

In the verifyRequest middleware, if the online session is invalid, it now uses the token exchange API to obtain a new session where possible. If multiple requests arrive at once, a single token exchange request is shared by all of them for efficiency. If the token exchange fails, the old redirect flow is used as a fallback. Installation still uses the old flow, but the token exchange avoids having to redirect for a new online session every 24 hours. The new token exchange function is also exported as exchangeSessionTokenForAccessTokenSession.

The old way of getting the session was to redirect the app to the auth route, get the session token, and then redirect back. For API requests, it returned a header telling the client to redirect. We still do this, but it should rarely occur anymore. This means that the afterAuth callback will be called less often after an online session is obtained. This could be a breaking change if you rely on that callback being called when the app is opened again after 24 hours.

Other important changes:

  • BREAKING: The validateShop function has been removed. Use the Shopify.Utils.sanitizeShop function instead.
  • Invalid JWT errors (e.g. an expired JWT) are now handled properly and return 401 instead of throwing a 500 server error. The header X-Shopify-API-Request-Failure-Invalid-Session-Token is set to 1 to tell the client the reason for the error, so it can request a new session token and retry the request if desired.
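The behaviour described above for both the token exchange change and the 401 handling, as an added example that is not the project's own code: a verifyRequest-style middleware that refreshes an invalid online session via token exchange, shares one in-flight exchange across concurrent requests, falls back to the auth redirect on failure, and answers an invalid session token with 401 plus the failure header. The helpers loadSession, exchangeToken and redirectToAuth are hypothetical injected dependencies, and an Express-style res.set/status/send is assumed.

```javascript
// Added example (not the project's own code): verifyRequest-style middleware.
// Hypothetical injected helpers: loadSession, exchangeToken, redirectToAuth.
const INVALID_TOKEN_HEADER = 'X-Shopify-API-Request-Failure-Invalid-Session-Token';

// Stand-in for JWT verification: token is a decoded object with exp (seconds) and dest (shop).
// A real implementation must also verify the signature and the aud/iss claims.
function validateSessionToken(token, nowMs) {
  if (!token || typeof token.exp !== 'number' || !token.dest) return null;
  if (token.exp * 1000 <= nowMs) return null; // expired
  return { shop: token.dest };
}

function createVerifyRequest({ loadSession, exchangeToken, redirectToAuth, now = Date.now }) {
  const pending = new Map(); // shop -> in-flight exchange Promise, reused by concurrent requests

  function exchangeOnce(shop, token) {
    if (!pending.has(shop)) {
      const p = Promise.resolve()
        .then(() => exchangeToken(shop, token))
        .finally(() => pending.delete(shop)); // allow a fresh exchange once this one settles
      pending.set(shop, p);
    }
    return pending.get(shop);
  }

  return async function verifyRequest(req, res, next) {
    const claims = validateSessionToken(req.sessionToken, now());
    if (!claims) {
      // Invalid or expired JWT: 401 plus the header so the client can fetch a new token and retry
      res.set(INVALID_TOKEN_HEADER, '1');
      return res.status(401).send('Invalid session token');
    }
    let session = await loadSession(claims.shop);
    if (!session || session.expires <= now()) {
      try {
        session = await exchangeOnce(claims.shop, req.sessionToken);
      } catch (err) {
        return redirectToAuth(req, res); // old behaviour: redirect through the auth route
      }
    }
    req.session = session;
    return next();
  };
}
```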

Full Changelog: v2.1.17...v3.0.0