This is source provided by Xiaofan that avoids the CORS/CSP issues by handling the auth check and the OAuth redirect on the server side.
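/**
 * Renders the embedded dashboard for an installed shop, or starts the Shopify OAuth
 * flow (via a {@code redirect:} view name) when no authorized client exists for the
 * current request.
 *
 * <p>The {@code Content-Security-Policy} header restricts framing to the requesting
 * shop's domain and the Shopify admin. Because {@code shopName} is taken from the
 * request, it is only spliced into the header and the OAuth redirect URL when it
 * consists of hostname characters (letters, digits, dots, hyphens); any other value is
 * treated as missing, so request input cannot widen {@code frame-ancestors} or steer
 * the redirect. Without a usable shop name the header still restricts framing to the
 * Shopify admin, which is the policy the original code effectively applied.
 *
 * @param principal the authenticated principal; not used by this handler
 * @param model the view model; receives {@code shopName} when an authorized client exists
 * @param request the current request, used to resolve the shop name and authorized client
 * @param response the current response, on which the CSP header is set
 * @return {@code "dash-embedded"} when an authorized client exists, a {@code redirect:}
 *     view name to begin OAuth when it does not, or {@code null} when no usable shop
 *     name was found
 * @throws UnsupportedEncodingException kept in the signature for caller compatibility;
 *     the shop name is now encoded with {@code StandardCharsets.UTF_8}, which cannot fail
 */
@GetMapping({"/dash-embedded"})
public String dashEmbedded(
        Principal principal,
        Model model,
        HttpServletRequest request,
        HttpServletResponse response) throws UnsupportedEncodingException {
    log.error("embeddedAuthCheck() running");
    String shopName = getShopNameFromRequest(request);
    // A request-supplied value goes into a header value and a redirect URL, so only a
    // plain hostname is accepted: whitespace, ';' or URL metacharacters could otherwise
    // add frame-ancestors sources or change the OAuth target. The empty string fails too.
    boolean shopNameUsable = shopName != null && shopName.matches("[A-Za-z0-9.-]+");
    // Previously the header was built before the null check, yielding "https://null";
    // now the shop source is only included once it has been validated.
    String frameAncestors = shopNameUsable
            ? "frame-ancestors https://" + shopName + " https://admin.shopify.com;"
            : "frame-ancestors https://admin.shopify.com;";
    response.setHeader("Content-Security-Policy", frameAncestors);
    if (!shopNameUsable) {
        log.error("No Authorization header found");
        return null;
    }
    AuthorizedClient client = getClientFromRequest(request);
    if (client == null) {
        log.error(LocalDateTime.now() + "---- embedded-auth-check: client is null");
        // The shop name rides along as the OAuth state-style parameter, base64-encoded.
        byte[] textByte = shopName.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        String params = Base64.getEncoder().encodeToString(textByte);
        // OAUTH_URL_TEMPLATE is declared elsewhere in the file; it is filled here with the
        // scopes twice, as the original call did — presumably the template has two slots.
        String redirectTo = String.format(OAUTH_URL_TEMPLATE,
                shopName,
                clientKey,
                shopifyScopes,
                hostAddress + "/oauth2/authorization/shopify",
                shopifyScopes,
                params);
        return "redirect:" + redirectTo;
    }
    model.addAttribute("shopName", client.getPrincipalName());
    // The original also built an AuthCheckResponse (scopes, authenticated=true, shop
    // name) here but never added it to the model; it was dead code and has been dropped.
    // Restore it with model.addAttribute(...) if the dash-embedded view needs it.
    return "dash-embedded";
}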