Skip to content

Instantly share code, notes, and snippets.

@drovani
Last active September 25, 2024 00:24
Show Gist options
  • Save drovani/8199b1e0ffa1976c00af6781fcb98fbf to your computer and use it in GitHub Desktop.
Save drovani/8199b1e0ffa1976c00af6781fcb98fbf to your computer and use it in GitHub Desktop.
Auth0 Rule to Generate a Multipass token and redirect the user back to the Shopify store
function (user, context, callback) {
if (context.clientMetadata && context.clientMetadata.shopify_domain && context.clientMetadata.shopify_multipass_secret)
{
const RULE_NAME = 'shopify-multipasstoken';
const CLIENTNAME = context.clientName;
console.log(`${RULE_NAME} started by ${CLIENTNAME}`);
const now = (new Date()).toISOString();
let shopifyToken = {
email: user.email,
created_at: now,
identifier: user.user_id,
remote_ip: context.request.ip
};
if (context.request && context.request.query && context.request.query.return_to){
shopifyToken.return_to = context.request.query.return_to;
}
if (context.user_metadata)
{
shopifyToken.first_name = user.user_metadata.given_name;
shopifyToken.last_name= user.user_metadata.family_name;
}
const hash = crypto.createHash("sha256").update(context.clientMetadata.shopify_multipass_secret).digest();
const encryptionKey = hash.slice(0, 16);
const signingKey = hash.slice(16, 32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-128-cbc', encryptionKey, iv);
const cipherText = Buffer.concat([iv, cipher.update(JSON.stringify(shopifyToken), 'utf8'), cipher.final()]);
const signed = crypto.createHmac("SHA256", signingKey).update(cipherText).digest();
const token = Buffer.concat([cipherText, signed]).toString('base64');
const urlToken = token.replace(/\+/g, '-').replace(/\//g, '_');
context.redirect = {
url: `https://${context.clientMetadata.shopify_domain}/account/login/multipass/${urlToken}`
};
}
return callback(null, user, context);
}
@drovani
Copy link
Author

drovani commented Jan 25, 2021

Thank you for the correction! I have updated the code.

and I'd add a note about IPV6, for whatever reason if it's being used then Shopify will reject the multipass token.

I have a blog post ranting about that in my queue as it's something that I recently discovered, too.

@afalahi
Copy link

afalahi commented Jan 25, 2021

Yeah, and there is a Shopify thread as well, and they haven't acknowledge it and claimed it's a mismateched IP, which it wasn't in my case since I checked.

@chrismarkpd
Copy link

thanks for the gist! works great! modified a few things to my needs. the ipv6 is annoying. i checked the auth0 docs and added some conditions using the ipaddr.js library whether or not to pass them through with the remote_ip param.

https://auth0.com/docs/troubleshoot/verify-rules
https://www.npmjs.com/package/ipaddr.js/v/1.9.0

@afalahi
Copy link

afalahi commented Apr 12, 2022

@drovani Hey David, I recently had to implent this again and I was wondering, how would you dynamically configure the return_to URL? On the Shopify side of things? Or in Auth0?

@drovani
Copy link
Author

drovani commented Apr 14, 2022

The link that is sending to Auth0 needs to have the return_to embedded in the call to Auth0.
That means in your Shopify liquid, you'll have something like <a href="http://example.auth0.com/login?return_to=/collection/{{collection.id}}">Login</a>. When Auth0 passed the user back to Shopify, Shopify will authenticate the request and automatically send the user to the return_to URL in the payload coming from Auth0.

@afalahi
Copy link

afalahi commented Apr 21, 2022

Thanks for the reply, but for example if someone was on the cart page, and click on login and got redirected, is there a way to capture that and dynamically update the return_to? I couldn't find a good answer online besides the page.url liquid

@chrismarkpd
Copy link

chrismarkpd commented Apr 21, 2022

@afalahi you can just use request.path or use javascript to dynamically inject the path?

@afalahi
Copy link

afalahi commented Apr 21, 2022

@chrismarkpd ah, I can use plain JS in liquid? I'm a complete noob to Shopify! I'll give that a shot

@chrismarkpd
Copy link

yeah just put the <script> tags and you should be good to go. liquid loads first since it's server side rendered, but js should be able to do what you are looking for. we do something similar

@afalahi
Copy link

afalahi commented Apr 21, 2022

@chrismarkpd yeah, document.referrer solved my issue! Thanks for the assist

@facundofarias
Copy link

Hey @drovani, we are still facing the IPv6 issue. Have you found any workaround for it?
Thanks

@drovani
Copy link
Author

drovani commented Nov 7, 2022

Hey @drovani, we are still facing the IPv6 issue. Have you found any workaround for it? Thanks

Unfortunately, Shopify still doesn't have support for IPv6 ip restriction. It'll still cause an error (without no feedback on the problem) if you pass a non-IPv4 address. The only solution is to just no include that parameter in your payload coming from Auth0.

@souxin
Copy link

souxin commented Nov 14, 2022

Hi David. Do you have any idea how to allow information to be stored to Monitoring/Log/Login success information. Using callback redirect on line 39 actually breacking the authorization flow and although user is authenticated in Shopify is still not authenticated in Auth0.

So basically how to make the redirect AFTER Auth0 flow is completed.

p.s. If you think the Auth0 actions more suitable for this I already converted this rule to action.

@drovani
Copy link
Author

drovani commented Nov 14, 2022

@souxin It's been a while since I was in Auth0, so I may not have the most recent information for you. Having said that, I believe that these rules run after Auth0 has authenticated the user.

I haven't looked into Actions yet, so I don't know if that is what is causing your issue.

@souxin
Copy link

souxin commented Nov 14, 2022

Having said that, I believe that these rules run after Auth0 has authenticated the user.

Actually not.

This redirect is breaking the auth flow. And the token wasn't issued. Hence no auth is recording. BTW in Auth0 community I found confirmation about that.

But thank you for your answer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment