Skip to content

Instantly share code, notes, and snippets.

@drovani
Last active January 30, 2024 19:52
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save drovani/8199b1e0ffa1976c00af6781fcb98fbf to your computer and use it in GitHub Desktop.
Save drovani/8199b1e0ffa1976c00af6781fcb98fbf to your computer and use it in GitHub Desktop.
Auth0 Rule to Generate a Multipass token and redirect the user back to the Shopify store
function (user, context, callback) {
if (context.clientMetadata && context.clientMetadata.shopify_domain && context.clientMetadata.shopify_multipass_secret)
{
const RULE_NAME = 'shopify-multipasstoken';
const CLIENTNAME = context.clientName;
console.log(`${RULE_NAME} started by ${CLIENTNAME}`);
const now = (new Date()).toISOString();
let shopifyToken = {
email: user.email,
created_at: now,
identifier: user.user_id,
remote_ip: context.request.ip
};
if (context.request && context.request.query && context.request.query.return_to){
shopifyToken.return_to = context.request.query.return_to;
}
if (context.user_metadata)
{
shopifyToken.first_name = user.user_metadata.given_name;
shopifyToken.last_name= user.user_metadata.family_name;
}
const hash = crypto.createHash("sha256").update(context.clientMetadata.shopify_multipass_secret).digest();
const encryptionKey = hash.slice(0, 16);
const signingKey = hash.slice(16, 32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-128-cbc', encryptionKey, iv);
const cipherText = Buffer.concat([iv, cipher.update(JSON.stringify(shopifyToken), 'utf8'), cipher.final()]);
const signed = crypto.createHmac("SHA256", signingKey).update(cipherText).digest();
const token = Buffer.concat([cipherText, signed]).toString('base64');
const urlToken = token.replace(/\+/g, '-').replace(/\//g, '_');
context.redirect = {
url: `https://${context.clientMetadata.shopify_domain}/account/login/multipass/${urlToken}`
};
}
return callback(null, user, context);
}
@souxin
Copy link

souxin commented Nov 14, 2022

Having said that, I believe that these rules run after Auth0 has authenticated the user.

Actually not.

This redirect is breaking the auth flow. And the token wasn't issued. Hence no auth is recording. BTW in Auth0 community I found confirmation about that.

But thank you for your answer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment