**Please list the package(s) involved in the issue, and include the version you are using**

@shopify/[email protected]

**Describe the bug**

`useSessionToken` produces a `SessionToken`. `SessionToken.get()` is annotated with the following note in ui-extensions/packages/ui-extensions/src/surfaces/checkout/api/standard/standard.ts (lines 733 to 741 in c22cbda):

```ts
interface SessionToken {
  /**
   * Requests a session token that hasn't expired. You should call this method every
   * time you need to make a request to your backend in order to get a valid token.
   * This method will return cached tokens when possible, so you don't need to worry
   * about storing these tokens yourself.
   */
  get(): Promise<string>;
}
```
Also, `SessionToken.jti` is described as "A unique identifier (a nonce) to prevent replay attacks".

In order to effectively use `SessionToken.jti` to prevent replay attacks, my backend server should reject requests that include session tokens that have already been sent. This requires my checkout extension frontend to send a new session token for each request to my backend server.

However, I cannot generate a new session token for each request because `SessionToken.get()` returns cached tokens. Therefore my backend server thinks that subsequent requests from the frontend are replay attacks, and rejects the requests.

**Steps to reproduce the behavior:**

1. Generate a session token with `SessionToken.get()`.
2. Send the token to your backend server in the Authorization header.
3. Try to generate a new session token with `SessionToken.get()`. You should end up with the same session token as before.
4. Sending the token to your backend server will be rejected as a replay attack.

**Expected behavior**

`SessionToken.get()` should not cache tokens. Instead, each call to `SessionToken.get()` should return a new token.
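As an added example (not code from the issue or from the ui-extensions package), the following Python sketch of a backend-side check shows the conflict described above: it verifies the token and treats `jti` as a once-only nonce, so the same cached token presented twice is accepted the first time and rejected as a replay the second. It assumes the session token is an HS256-signed JWT checked with a secret the backend holds; the secret, claim values and all helper names are constructed for the example.

```python
import base64
import hmac
import json

SECRET = b"constructed-app-secret"  # placeholder; a real backend uses its own app secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    # Constructed HS256 JWT standing in for the checkout session token.
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), "sha256").digest()
    return f"{head}.{body}.{_b64url(sig)}"

class ReplayGuard:
    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.seen: dict[str, float] = {}  # jti -> exp, so the store is bounded by token lifetime

    def verify_once(self, token: str, now: float) -> tuple[bool, str]:
        if token.count(".") != 2:
            return False, "malformed"
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return False, "unexpected alg"  # never let the token choose the algorithm
        want = hmac.new(self.secret, f"{head}.{body}".encode(), "sha256").digest()
        if not hmac.compare_digest(want, _b64url_decode(sig)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(body))
        if claims.get("exp", 0) <= now:
            return False, "expired"
        if not claims.get("jti"):
            return False, "missing jti"
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # forget dead nonces
        if claims["jti"] in self.seen:
            return False, "replay"
        self.seen[claims["jti"]] = claims["exp"]
        return True, "ok"

def cached_token_scenario(now: float = 1_700_000_000) -> list[tuple[bool, str]]:
    # Two backend requests carrying the same cached token: the second one is rejected.
    guard = ReplayGuard()
    token = make_token({"jti": "nonce-1", "exp": now + 60})  # what get() returns both times
    return [guard.verify_once(token, now), guard.verify_once(token, now + 1)]
```

With a once-only `jti` store like this, every request after the first that reuses the cached token fails, which is the rejection the issue reports; the backend can only rely on `jti` as a per-request nonce if each request carries a freshly issued token.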