App must set security headers to protect against clickjacking && App must verify the authenticity of the request from Shopify.

[DeveloperHashmi]

Expected Behavior

App must be accepted by Shopify App Store. Please guide us that our app can submitted earliest. @osiset and @Kyon147

Current Behavior

Getting error mail from Shopify App Store.

There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://app-security.myshopify.com/admin/apps/6845cd34467e62fc1570f47c8265a2a0/authenticate/token?shop=app-security.myshopify.com&target=%2F%3Fhost%3DYXBwLXNlY3VyaXR5Lm15c2hvcGlmeS5jb20vYWRtaW4. Your app must request installation immediately after clicking "add app." Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop. Learn more about authentication in our developer documentation

Steps to Reproduce

Several times I submitted the App to the Shopify Store and got rejection from there.

Context

• Package Version: v ^17.1
• Laravel Version: v ^8.65
• PHP Version: v ^8.0

[Kyon147]

Hey @DeveloperHashmi

Clickjacking has been fixed if you update to 17.2.0.

The other issue looks like the auth/token which runs before each request is being picked up on the OAUTH which is not allowed.

We may have to tweak this but I've not looked at the code for the token route, so @osiset will have more insight.

[Kyon147]

@osiset - looking into this a bit more - I think blade might have to be killed off...

Shopify are leaning towards SPAs - they do say Turbolinks can be used but I've never used it. The biggest problem at the moment is the /auth/token route can no longer happen after OAUTH.

So we might need to get that SPA PR out as it will help move the app package to be more user friendly with SPA and bypasses the need for the token request between each route anyway which would then solve the installation rejections.

[DeveloperHashmi]

Hi @Kyon147,
Thanks for the reply, May I know the expected timeline for this fixed.

I'm already using 17.2.0 (SS attached for your reference).

FYI : I already followed the instruction from #1070 and #1176 for security headers to protect against clickjacking.

[Kyon147]

@DeveloperHashmi - the fix is moving to an SPA app really and then we push out a new PR that bypasses the blade token requirement.

Are you using react or vue to scaffold your frontend?

[DeveloperHashmi]

I'm not using react or vue. I am using Laravel blade itself for view. @Kyon147

[Kyon147]

I'll see what @osiset thinks but we might have to get the session token after hitting them home route (to avoid the oauth redirect issue) but osiset has a deeper understanding of this package's auth and how possible this is.

With Shopify itself saying multi page apps are not supported unless you make it function like an SPA they are moving away from multipage apps.

[gnikyt]

Someone previously coded in support for Turbolinks, so I am not sure what we would need to do to resolve it.

Essentially (IMO), Shopify is cornering developers to use their toolsets and ecosystem recommendations. They want JWT used, they want (only) React used, they want (only) Polaris used. Anything outside of that, they are continually pushing away and making it difficult.

I think as a broader conversation, we have to take into consideration our disadvantage in being able to control the platform anymore. When Shopify apps first started, it was majorly basic... an iframe with an HMAC you had to verify, that was it. It has balloned into something way more complex and more and more controlled by Shopify.

So... do we keep fighting uphill and trying to support everything everyone wants to do (with workarounds), or conform...

[Kyon147]

@osiset - I personally don't use the Blade templates with this package. I use VueJS and have my own Polaris component library that I maintain.

So it might be worth leaning towards that has a requirement, more so with the "frontend_engine" feature we just implemented.

My latest app with the new version, is going into review soon - so if it passes review and ends on the store we have a real world example to base it on.

I'm currently updating working on a "vue-app-bridge" package too which works the same as their react one.

[Kyon147]

Going to close this for now as it looks like blade templates don't fit at the moment with the apps overall.

[Kyon147]

Just updating here, i've had an app pass the security review using v17.3.1 but importantly, it passed because it was using VueJs as the frontend and did not use the auth/token route.

cc @osiset