This plug validates Shopify JWT - also known as session token authentication. Session tokens/JWT are a replacement for cookie based authentication in embedded apps.
PlugShopifyJwt is architected to support Session tokens whilst allowing you to verify with URL parameters (validation of URL parameters is not included in this plug) should you decide.
Grab you app secret, and crack open your router.ex file, insert plug PlugShopifyEmbeddedJWTAuth, [secret: "your-secret"]. A basic setup looks something similar to this:
pipeline :embedded do
plug PlugShopifyEmbeddedJWTAuth, [secret: "224e5146-4f1e-4a1d-a64a-2732df659542"]
end
scope "/api", HelloPhoenixWeb do
pipe_through :embedded
get "/show", PageController, :show
endThe package can be installed by adding plug_shopify_jwt to your list of dependencies in mix.exs:
def deps do
[
{:plug_shopify_jwt, "~> 0.1.1"}
]
endWe set the following on the conn.private object:
:ps_jwt_success-trueindicates the plug ran, found the JWT, decoded it and placed it in:shopify_jwt_claims-falseindicates that there was a failure in the pipeline.shopify_jwt_claims- returns the full decoded JWT.current_shop_name- returns the myshopify.com domain for the current store, e.g.example.shopify.com.
:halt_on_error-truestop the conn and returns an error 401. False will set:ps_jwt_successtofalseon failure and allow you to deal with the error elsewhere. Defaulttrue.algorithm- one of "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "Ed25519", "Ed25519ph", "Ed448", "Ed448ph". Shopify uses "HS256", which the plug will set as a default, however, for future proofing, we have exposed this config from Joken. DefaultHS256.secret- the app secret you got when you created your Shopify App in the Shopify Partner portal. Requiredsigner- used by the plug to storeJoken.Signer.