Merge pull request #345 from Shopify/use_state_as_oauth_cookie

Stop storing session when beginning OAuth

Author: paulomarg

CHANGELOG.md

@@ -7,6 +7,8 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
 
+- [#345](https://github.com/Shopify/shopify-api-php/pull/345) [Patch] Stop storing a session in the database when beginning OAuth, only when completing it
+
 ## v5.5.0 - 2024-04-18
 
 - [#332](https://github.com/Shopify/shopify-api-php/pull/332) [Patch] Avoid writing to system temporary directory when an API deprecation is encountered

src/Auth/OAuth.php

@@ -28,12 +28,14 @@
  */
 class OAuth
 {
+    public const STATE_COOKIE_NAME = 'shopify_app_state';
+    public const STATE_SIG_COOKIE_NAME = 'shopify_app_state_sig';
     public const SESSION_ID_COOKIE_NAME = 'shopify_session_id';
     public const SESSION_ID_SIG_COOKIE_NAME = 'shopify_session_id_sig';
     public const ACCESS_TOKEN_POST_PATH = '/admin/oauth/access_token';
 
     /**
-     * Initializes a session and cookie for the OAuth process, and returns the authorization url
+     * Begins the OAuth process by setting the appropriate cookies, and returns the authorization url
      *
      * @param string        $shop              A Shopify domain name or hostname
      * @param string        $redirectPath      Redirect path for callback
@@ -64,37 +66,26 @@ public static function begin(
         $redirectPath = trim(strtolower($redirectPath));
         $redirectPath = ($redirectPath[0] == '/') ? $redirectPath : '/' . $redirectPath;
 
-        $mySessionId = $isOnline ? Uuid::uuid4()->toString() : self::getOfflineSessionId($sanitizedShop);
+        $state = Uuid::uuid4()->toString();
 
-        $cookieSet = self::setCookieSessionId($setCookieFunction, $mySessionId, strtotime('+1 minute'));
+        $cookieSet = self::setStateCookie($setCookieFunction, $state, strtotime('+1 minute'));
         if (!$cookieSet) {
             throw new CookieSetException(
                 'OAuth Cookie could not be saved.'
             );
         }
 
-        $session = new Session($mySessionId, $sanitizedShop, $isOnline, Uuid::uuid4()->toString());
-
         if ($isOnline) {
-            $session->setExpires(strtotime('+1 minute'));
             $grantOptions = 'per-user';
         } else {
             $grantOptions = '';
         }
 
-        $sessionStored = Context::$SESSION_STORAGE->storeSession($session);
-
-        if (!$sessionStored) {
-            throw new SessionStorageException(
-                'OAuth Session could not be saved. Please check your session storage functionality.'
-            );
-        }
-
         $query = [
             'client_id' => Context::$API_KEY,
             'scope' => Context::$SCOPES->toString(),
             'redirect_uri' => Context::$HOST_SCHEME . '://' . Context::$HOST_NAME . $redirectPath,
-            'state' => $session->getState(),
+            'state' => $state,
             'grant_options[]' => $grantOptions,
         ];
 
@@ -125,19 +116,18 @@ public static function callback(array $cookies, array $query, ?callable $setCook
         Context::throwIfUninitialized();
         Context::throwIfPrivateApp('OAuth is not allowed for private apps');
 
-        $cookieSessionId = self::getCookieSessionId($cookies);
-        $session = Context::$SESSION_STORAGE->loadSession($cookieSessionId);
-        if (!$session) {
-            throw new OAuthSessionNotFoundException(
-                'You may have taken more than 60 seconds to complete the OAuth process and the session cannot be found'
-            );
-        }
-
-        if (!self::isCallbackQueryValid($query, $session)) {
+        $cookieState = self::getStateCookie($cookies);
+        if (!self::isCallbackQueryValid($query, $cookieState)) {
             throw new InvalidOAuthException('Invalid OAuth callback.');
         }
 
-        $response = self::fetchAccessToken($query, $session);
+        $sanitizedShop = Utils::sanitizeShopDomain($query['shop'] ?? '');
+        $response = self::fetchAccessToken($query, $sanitizedShop);
+
+        $isOnline = $response instanceof AccessTokenOnlineResponse;
+
+        $sessionId = $isOnline ? Uuid::uuid4()->toString() : self::getOfflineSessionId($sanitizedShop);
+        $session = new Session($sessionId, $sanitizedShop, $isOnline, '');
 
         $session->setAccessToken($response->getAccessToken());
         $session->setScope($response->getScope());
@@ -151,15 +141,7 @@ public static function callback(array $cookies, array $query, ?callable $setCook
             // JWT.
             if (Context::$IS_EMBEDDED_APP) {
                 $jwtSessionId = self::getJwtSessionId($session->getShop(), $session->getOnlineAccessInfo()->getId());
-                $jwtSession = $session->clone($jwtSessionId);
-
-                $sessionDeleted = Context::$SESSION_STORAGE->deleteSession($session->getId());
-                if (!$sessionDeleted) {
-                    throw new SessionStorageException(
-                        'OAuth Session could not be deleted. Please check your session storage functionality.',
-                    );
-                }
-                $session = $jwtSession;
+                $session = $session->clone($jwtSessionId);
             }
         }
 
@@ -171,15 +153,15 @@ public static function callback(array $cookies, array $query, ?callable $setCook
         }
 
         $sessionExpiration = ($session->getExpires() ? (int)$session->getExpires()->format('U') : null);
-        $cookieSet = self::setCookieSessionId(
+        $cookieSet = self::setSessionIdCookie(
             $setCookieFunction,
-            $cookieSessionId,
+            $session->getId(),
             Context::$IS_EMBEDDED_APP ? time() : $sessionExpiration
         );
+        $cookieSet = $cookieSet && self::setStateCookie($setCookieFunction, $cookieState, time());
+
         if (!$cookieSet) {
-            throw new CookieSetException(
-                'OAuth Cookie could not be saved.'
-            );
+            throw new CookieSetException('OAuth Cookie could not be saved.');
         }
 
         return $session;
@@ -249,34 +231,61 @@ public static function getCurrentSessionId(array $rawHeaders, array $cookies, bo
             if (!$cookies) {
                 throw new CookieNotFoundException('Could not find the current session id in the cookies');
             }
-            $currentSessionId = self::getCookieSessionId($cookies);
+            $currentSessionId = self::getSessionIdCookie($cookies);
         }
 
         return $currentSessionId;
     }
 
     /**
-     * Fetches the current session ID from the given cookies.
+     * Fetches the current state from the given cookies.
      *
      * @param array $cookies The $cookies param from `callback`
      *
-     * @return string The ID of the current session
+     * @return string The state for the current OAuth process
      * @throws CookieNotFoundException
      */
-    private static function getCookieSessionId(array $cookies): string
+    private static function getStateCookie(array $cookies): string
     {
-        $signature = $cookies[self::SESSION_ID_SIG_COOKIE_NAME] ?? null;
-        $cookieId = $cookies[self::SESSION_ID_COOKIE_NAME] ?? null;
+        $value = self::getCookie($cookies, self::STATE_COOKIE_NAME, self::STATE_SIG_COOKIE_NAME);
+        if (!$value) {
+            throw new CookieNotFoundException(
+                'You may have taken more than 60 seconds to complete the OAuth process and need to start over'
+            );
+        }
 
-        $sessionId = null;
-        if ($signature && $cookieId) {
-            $expectedSignature = hash_hmac('sha256', (string) $cookieId, Context::$API_SECRET_KEY);
+        return (string)$value;
+    }
 
-            if ($signature === $expectedSignature) {
-                $sessionId = $cookieId;
-            }
-        }
+    /**
+     * Sets the state for OAuth in the right cookie.
+     *
+     * @param null|callable $setCookieFunction An optional override for setting cookie in response
+     * @param string        $state             The ID of the session to save
+     * @param int           $expiration        Epoch timestamp (in s) when the cookie expires
+     *
+     * @return bool Whether the cookie was successfully set
+     */
+    private static function setStateCookie(?callable $setCookieFunction, $state, $expiration): bool
+    {
+        $signature = hash_hmac('sha256', $state, Context::$API_SECRET_KEY);
+        $signatureCookie = new OAuthCookie($signature, self::STATE_SIG_COOKIE_NAME, $expiration, true, true);
+        $cookie = new OAuthCookie($state, self::STATE_COOKIE_NAME, $expiration, true, true);
 
+        return self::setCookie($setCookieFunction, $cookie, $signatureCookie);
+    }
+
+    /**
+     * Fetches the current session ID from the given cookies.
+     *
+     * @param array $cookies The $cookies param from `callback`
+     *
+     * @return string The ID of the current session
+     * @throws CookieNotFoundException
+     */
+    private static function getSessionIdCookie(array $cookies): string
+    {
+        $sessionId = self::getCookie($cookies, self::SESSION_ID_COOKIE_NAME, self::SESSION_ID_SIG_COOKIE_NAME);
         if (!$sessionId) {
             throw new CookieNotFoundException("Could not find the current session id in the cookies");
         }
@@ -293,12 +302,46 @@ private static function getCookieSessionId(array $cookies): string
      *
      * @return bool Whether the cookie was successfully set
      */
-    private static function setCookieSessionId(?callable $setCookieFunction, $sessionId, $expiration): bool
+    private static function setSessionIdCookie(?callable $setCookieFunction, $sessionId, $expiration): bool
     {
         $signature = hash_hmac('sha256', $sessionId, Context::$API_SECRET_KEY);
         $signatureCookie = new OAuthCookie($signature, self::SESSION_ID_SIG_COOKIE_NAME, $expiration, true, true);
         $cookie = new OAuthCookie($sessionId, self::SESSION_ID_COOKIE_NAME, $expiration, true, true);
 
+        return self::setCookie($setCookieFunction, $cookie, $signatureCookie);
+    }
+
+    /**
+     * Fetches the value of a cookie.
+     *
+     * @param array  $cookies        The cookies array
+     * @param string $name           The name of the cookie
+     * @param string $signatureName  The name of the signature cookie
+     *
+     * @return string|null The value of the cookie, or null if it's invalid or missing
+     */
+    private static function getCookie(array $cookies, string $name, string $signatureName): string | null
+    {
+        $signature = $cookies[$signatureName] ?? null;
+        $cookieId = $cookies[$name] ?? null;
+
+        $value = null;
+        if ($signature && $cookieId) {
+            $expectedSignature = hash_hmac('sha256', (string) $cookieId, Context::$API_SECRET_KEY);
+
+            if ($signature === $expectedSignature) {
+                $value = $cookieId;
+            }
+        }
+
+        return $value;
+    }
+
+    private static function setCookie(
+        ?callable $setCookieFunction,
+        OAuthCookie $cookie,
+        OAuthCookie $signatureCookie
+    ): bool {
         if ($setCookieFunction) {
             $cookieSet = $setCookieFunction($signatureCookie);
             $cookieSet = $cookieSet && $setCookieFunction($cookie);
@@ -333,55 +376,54 @@ private static function setCookieSessionId(?callable $setCookieFunction, $sessio
     /**
      * Checks whether the given query parameters are from a valid callback request.
      *
-     * @param array   $query   The URL query parameters
-     * @param Session $session The current session
+     * @param array       $query       The URL query parameters
+     * @param string|null $stateCookie The value of the cookie containing the OAuth state
      *
      * @return bool
      * @throws UninitializedContextException
      */
-    private static function isCallbackQueryValid(array $query, Session $session): bool
+    private static function isCallbackQueryValid(array $query, string | null $stateCookie): bool
     {
         $sanitizedShop = Utils::sanitizeShopDomain($query['shop'] ?? '');
         $state = $query['state'] ?? '';
         $code = $query['code'] ?? '';
 
         return (
             ($code) &&
-            ($sanitizedShop && strcmp($session->getShop(), $sanitizedShop) === 0) &&
-            ($state && strcmp($session->getState(), (string) $state) === 0) &&
+            ($sanitizedShop) &&
+            ($state && $stateCookie && strcmp($stateCookie, (string) $state) === 0) &&
             Utils::validateHmac($query, Context::$API_SECRET_KEY)
         );
     }
 
     /**
      * Fetches the access token for the given OAuth session, using the query parameters returned by Shopify
      *
-     * @param array   $query   The URL query params from the OAuth callback
-     * @param Session $session The OAuth session
+     * @param array  $query The URL query params from the OAuth callback
+     * @param string $shop  The request shop
      *
      * @return AccessTokenResponse|AccessTokenOnlineResponse The access token exchanged for the OAuth code
      * @throws HttpRequestException
      */
-    private static function fetchAccessToken(
-        array $query,
-        Session $session
-    ) {
+    private static function fetchAccessToken(array $query, string $shop)
+    {
         $post = [
             'client_id' => Context::$API_KEY,
             'client_secret' => Context::$API_SECRET_KEY,
             'code' => $query['code'],
         ];
 
-        $client = new Http($session->getShop());
+        $client = new Http($shop);
         $response = self::requestAccessToken($client, $post);
         if ($response->getStatusCode() !== 200) {
             throw new HttpRequestException("Failed to get access token: {$response->getDecodedBody()}");
         }
 
-        if ($session->isOnline()) {
-            return self::buildAccessTokenOnlineResponse($response->getDecodedBody());
+        $body = $response->getDecodedBody();
+        if (array_key_exists('associated_user', $body) && $body['associated_user']) {
+            return self::buildAccessTokenOnlineResponse($body);
         } else {
-            return self::buildAccessTokenResponse($response->getDecodedBody());
+            return self::buildAccessTokenResponse($body);
         }
     }
 

tests/Auth/MockSessionStorage.php

@@ -64,6 +64,16 @@ public function deleteSession(string $sessionId): bool
         }
     }
 
+    /**
+     * Retrieves all sessions in this storage.
+     *
+     * @return array
+     */
+    public function getAllSessions(): array
+    {
+        return $this->testSessions;
+    }
+
     /**
      * Retrieves the calls made to this class for assertions.
      *