Skip to content

Validates Shopify JWT, designed for Shopify App Bridge

License

Notifications You must be signed in to change notification settings

byjpr/plug_shopify_jwt

Repository files navigation

PlugShopifyJwt

Elixir CI Coverage Status Libraries.io for releases

This plug validates Shopify JWT - also known as session token authentication. Session tokens/JWT are a replacement for cookie based authentication in embedded apps.

PlugShopifyJwt is architected to support Session tokens whilst allowing you to verify with URL parameters (validation of URL parameters is not included in this plug) should you decide.

Setup

Usage

Grab you app secret, and crack open your router.ex file, insert plug PlugShopifyEmbeddedJWTAuth, [secret: "your-secret"]. A basic setup looks something similar to this:

  pipeline :embedded do
    plug PlugShopifyEmbeddedJWTAuth, [secret: "224e5146-4f1e-4a1d-a64a-2732df659542"]
  end

  scope "/api", HelloPhoenixWeb do
    pipe_through :embedded

    get "/show", PageController, :show
  end

Installation

The package can be installed by adding plug_shopify_jwt to your list of dependencies in mix.exs:

def deps do
  [
    {:plug_shopify_jwt, "~> 0.1.1"}
  ]
end

Conn Private:

We set the following on the conn.private object:

  1. :ps_jwt_success - true indicates the plug ran, found the JWT, decoded it and placed it in :shopify_jwt_claims - false indicates that there was a failure in the pipeline.
  2. shopify_jwt_claims - returns the full decoded JWT.
  3. current_shop_name - returns the myshopify.com domain for the current store, e.g. example.shopify.com.

Plug config:

  1. :halt_on_error - true stop the conn and returns an error 401. False will set :ps_jwt_success to false on failure and allow you to deal with the error elsewhere. Default true.
  2. algorithm - one of "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "Ed25519", "Ed25519ph", "Ed448", "Ed448ph". Shopify uses "HS256", which the plug will set as a default, however, for future proofing, we have exposed this config from Joken. Default HS256.
  3. secret - the app secret you got when you created your Shopify App in the Shopify Partner portal. Required
  4. signer - used by the plug to store Joken.Signer.