Merge pull request #824 from Shopify/abh/oauth

Adds check for Google Crawler attempting to crawl Auth Routes

Author: abharvey

.changeset/unlucky-falcons-search.md

@@ -0,0 +1,5 @@
+---
+'@shopify/shopify-api': patch
+---
+
+Adds check for Google's Crawler in the authorization functions to prevent CookieNotFound error loops. Fixes #686

.gitignore

@@ -13,3 +13,5 @@ bundle/
 *.js
 *.js.map
 *.tgz
+.vscode/
+

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "cSpell.words": ["isbot"]
+}

lib/auth/oauth/__tests__/oauth.test.ts

@@ -141,6 +141,19 @@ describe('beginAuth', () => {
     );
   });
 
+  test('response with a 410 when the request is a bot', async () => {
+    request.headers['User-Agent'] = 'Googlebot';
+
+    const response: NormalizedResponse = await shopify.auth.begin({
+      shop,
+      isOnline: true,
+      callbackPath: '/some-callback',
+      rawRequest: request,
+    });
+
+    expect(response.statusCode).toBe(410);
+  });
+
   test('fails to start if the app is private', () => {
     shopify.config.isCustomStoreApp = true;
 
@@ -260,7 +273,9 @@ describe('callback', () => {
     queueMockResponse(JSON.stringify(successResponse));
 
     const callbackResponse = await shopify.auth.callback({rawRequest: request});
-
+    if (!callbackResponse) {
+      fail('Callback response is undefined');
+    }
     const expectedId = `offline_${shop}`;
     const responseCookies = Cookies.parseCookies(
       callbackResponse.headers['Set-Cookie'],
@@ -521,6 +536,22 @@ describe('callback', () => {
     expect(responseCookies.shopify_app_session).toBeUndefined();
   });
 
+  test('callback throws an error when the request is done by a bot', async () => {
+    const botRequest = {
+      method: 'GET',
+      url: 'https://my-test-app.myshopify.io/totally-real-request',
+      headers: {
+        'User-Agent': 'Googlebot',
+      },
+    } as NormalizedRequest;
+
+    await expect(
+      shopify.auth.callback({
+        rawRequest: botRequest,
+      }),
+    ).rejects.toThrow(ShopifyErrors.BotActivityDetected);
+  });
+
   test('properly updates the OAuth cookie for offline, non-embedded apps', async () => {
     shopify.config.isEmbeddedApp = false;
 

lib/auth/oauth/oauth.ts

@@ -1,4 +1,5 @@
 import {v4 as uuidv4} from 'uuid';
+import isbot from 'isbot';
 
 import ProcessedQuery from '../../utils/processed-query';
 import {ConfigInterface} from '../../base-types';
@@ -18,8 +19,9 @@ import {
   AdapterHeaders,
   Cookies,
   NormalizedResponse,
+  NormalizedRequest,
 } from '../../../runtime/http';
-import {logger} from '../../logger';
+import {logger, ShopifyLogger} from '../../logger';
 
 import {
   SESSION_COOKIE_NAME,
@@ -39,6 +41,18 @@ export interface CallbackResponse<T = AdapterHeaders> {
   session: Session;
 }
 
+interface BotLog {
+  request: NormalizedRequest;
+  log: ShopifyLogger;
+  func: string;
+}
+
+const logForBot = ({request, log, func}: BotLog) => {
+  log.debug(`Possible bot request to auth ${func}: `, {
+    userAgent: request.headers['User-Agent'],
+  });
+};
+
 export function begin(config: ConfigInterface) {
   return async ({
     shop,
@@ -54,10 +68,15 @@ export function begin(config: ConfigInterface) {
     const log = logger(config);
     log.info('Beginning OAuth', {shop, isOnline, callbackPath});
 
-    const cleanShop = sanitizeShop(config)(shop, true)!;
     const request = await abstractConvertRequest(adapterArgs);
     const response = await abstractConvertIncomingResponse(adapterArgs);
 
+    if (isbot(request.headers['User-Agent'])) {
+      logForBot({request, log, func: 'begin'});
+      response.statusCode = 410;
+      return abstractConvertResponse(response, adapterArgs);
+    }
+
     const cookies = new Cookies(request, response, {
       keys: [config.apiSecretKey],
       secure: true,
@@ -82,6 +101,7 @@ export function begin(config: ConfigInterface) {
     const processedQuery = new ProcessedQuery();
     processedQuery.putAll(query);
 
+    const cleanShop = sanitizeShop(config)(shop, true)!;
     const redirectUrl = `https://${cleanShop}/admin/oauth/authorize${processedQuery.stringify()}`;
     response.statusCode = 302;
     response.statusText = 'Found';
@@ -116,9 +136,17 @@ export function callback(config: ConfigInterface) {
     ).searchParams;
     const shop = query.get('shop')!;
 
+    const response = {} as NormalizedResponse;
+    if (isbot(request.headers['User-Agent'])) {
+      logForBot({request, log, func: 'callback'});
+      throw new ShopifyErrors.BotActivityDetected(
+        'Invalid OAuth callback initiated by bot',
+      );
+    }
+
     log.info('Completing OAuth', {shop});
 
-    const cookies = new Cookies(request, {} as NormalizedResponse, {
+    const cookies = new Cookies(request, response, {
       keys: [config.apiSecretKey],
       secure: true,
     });

lib/error.ts

@@ -87,6 +87,7 @@ export class GraphqlQueryError extends ShopifyError {
 }
 
 export class InvalidOAuthError extends ShopifyError {}
+export class BotActivityDetected extends ShopifyError {}
 export class CookieNotFound extends ShopifyError {}
 export class InvalidSession extends ShopifyError {}
 

package.json

@@ -76,6 +76,7 @@
   "dependencies": {
     "@shopify/network": "^3.2.1",
     "compare-versions": "^5.0.3",
+    "isbot": "^3.6.10",
     "jose": "^4.9.1",
     "node-fetch": "^2.6.1",
     "tslib": "^2.0.3",

yarn.lock

@@ -4109,6 +4109,11 @@ is-windows@^1.0.0:
   resolved "https://registry.yarnpkg.com/is-windows/-/is-windows-1.0.2.tgz#d1850eb9791ecd18e6182ce12a30f396634bb19d"
   integrity sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==
 
+isbot@^3.6.10:
+  version "3.6.10"
+  resolved "https://registry.yarnpkg.com/isbot/-/isbot-3.6.10.tgz#7b66334e81794f0461794debb567975cf08eaf2b"
+  integrity sha512-+I+2998oyP4oW9+OTQD8TS1r9P6wv10yejukj+Ksj3+UR5pUhsZN3f8W7ysq0p1qxpOVNbl5mCuv0bCaF8y5iQ==
+
 isexe@^2.0.0:
   version "2.0.0"
   resolved "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz"