Description
Summary
- Shawn Lee-Kwong from customer accounts raised an issue regarding a merchant's use of the <code>post_logout_redirect_uri</code> option in their logout settings. The team discussed whether the client logout in Hydrogen has any specific logic that uses this option, or whether developers have a way to pass that information in.
- Michelle Chen confirmed that the logout method doesn't take any option for post-logout redirect, though the documentation promotes the Logout URI setting to be the site origin as a default.
- Shawn clarified that <code>post_logout_redirect_uri</code> is validated against the Logout URI setting; if it doesn't match, it defaults to the first entry it finds in the list. The default can be empty, not passing that param at all, which is what it does now. If there is nothing in the Logout URI setting, it defaults to the shop's domain URL.
- Bret Little pointed out a potential risk if a headless site doesn't configure a logout redirect URL, doesn't pass a redirect URL to the logout method, and doesn't have a redirect from the Shopify domain to the headless domain. In such a case, a user would end up on the Shopify domain, which could be problematic.
- Shawn explained that this level of checking is necessary as part of the OAuth flow to prevent hijacking of a logout and redirection to an attacker site.
This summary was generated using OpenAI's gpt-4 with a temperature of 0.5.
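The resolution rule Shawn describes in the thread (the requested <code>post_logout_redirect_uri</code> is checked against the merchant's Logout URI list; no match falls back to the first entry; an empty list falls back to the shop domain) is shown below as an added example in JavaScript. It is not code from the thread, from the Hydrogen client, or from Shopify Identity; the function name <code>resolvePostLogoutRedirect</code>, the exact-match comparison rule, and every sample URI are assumptions made here to illustrate the behaviour.

```javascript
// Added example (not Hydrogen, Identity, or Shopify code): resolve the
// post-logout destination the way the thread describes it. The function
// name, the exact-match rule and all sample URIs below are assumptions.

/**
 * Canonical form used for comparison: the URL-parsed href, so scheme and
 * host case and default ports are normalised, while path, query and
 * fragment must still match exactly. Returns null for anything that does
 * not parse as an absolute http(s) URL, so "javascript:" and relative
 * values can never match an allowlist entry.
 */
function canonical(uri) {
  try {
    const u = new URL(uri);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.href;
  } catch {
    return null;
  }
}

/**
 * @param {string|undefined} requested   value of post_logout_redirect_uri, if sent
 * @param {string[]} logoutUris          merchant's Logout URI setting (the allowlist)
 * @param {string} shopDomainUrl         fallback when the allowlist is empty
 * @returns {{uri: string|null, reason: string}}
 */
function resolvePostLogoutRedirect(requested, logoutUris, shopDomainUrl) {
  const allowed = logoutUris.map(canonical).filter(Boolean);

  // 1. Exact match against the allowlist wins.
  if (requested !== undefined) {
    const want = canonical(requested);
    if (want !== null && allowed.includes(want)) {
      return { uri: want, reason: 'matched-allowlist' };
    }
  }
  // 2. Anything else (no param, unparseable, or not in the list) goes to the
  //    first configured Logout URI. An attacker-supplied value is not honoured.
  if (allowed.length > 0) {
    return {
      uri: allowed[0],
      reason: requested === undefined ? 'default-first-entry' : 'rejected-fell-back-to-first-entry',
    };
  }
  // 3. No Logout URIs configured at all: land on the shop's own domain.
  return { uri: canonical(shopDomainUrl), reason: 'no-logout-uris-fell-back-to-shop-domain' };
}

// Constructed sample data (assumed, not taken from the thread).
const LOGOUT_URIS = ['https://shop.example/logged-out', 'https://shop.example/'];
const SHOP_DOMAIN = 'https://example-store.myshopify.com';

// Each case the thread talks about, plus two lookalike/smuggling attempts.
function demo() {
  return {
    exact: resolvePostLogoutRedirect('https://shop.example/logged-out', LOGOUT_URIS, SHOP_DOMAIN),
    attackerHost: resolvePostLogoutRedirect('https://attacker.test/phish', LOGOUT_URIS, SHOP_DOMAIN),
    lookalikeHost: resolvePostLogoutRedirect('https://shop.example.attacker.test/logged-out', LOGOUT_URIS, SHOP_DOMAIN),
    extraQuery: resolvePostLogoutRedirect('https://shop.example/logged-out?next=https://attacker.test', LOGOUT_URIS, SHOP_DOMAIN),
    omitted: resolvePostLogoutRedirect(undefined, LOGOUT_URIS, SHOP_DOMAIN),
    emptyList: resolvePostLogoutRedirect('https://shop.example/logged-out', [], SHOP_DOMAIN),
  };
}
```

The comparison is deliberately a whole-URL string match after parsing, which is the same discipline normally applied to the OAuth <code>redirect_uri</code>: a host-suffix or prefix check would let <code>shop.example.attacker.test</code> or an appended query string slip past, which is the logout-hijack case Shawn is guarding against.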
🧵 Slack Thread
User | Message
---|---
Shawn Lee-Kwong 2024‑03‑01 14:14 | Hey all, 👋 from new customer accounts, we were helping a merchant with their logout settings and realized they were not using the <code>post_logout_redirect_uri</code> option to help make sure the customer is redirected to the correct place after logging out.<br>This made us take a look at the client you guys made for hydrogen; we were wondering if the client logout has any specific logic to log out that utilizes the |
Kara Daviduik 2024‑03‑01 14:24 | cc @lynchv |
Michelle Chen 2024‑03‑01 14:39 | right, so the logout method doesn't take any option for post logout redirect.<br>In the doc we do promote the<br>Just to better understand the ideal flow for merchant using <code>post_logout_redirect_uri</code>. Is there any restriction on this uri? i.e. does it need to be listed as part of the Logout URI setting? |
Michelle Chen 2024‑03‑01 14:40 | I am 👍 for adding an option for post logout redirect. Just wondering what I should make the default as. |
Shawn Lee-Kwong 2024‑03‑01 14:44 | > Just to better understand the ideal flow for merchant using <code>post_logout_redirect_uri</code>. Is there any restriction on this uri? i.e. does it need to be listed as part of the Logout URI setting?<br>Yes, what is passed into <code>post_logout_redirect_uri</code> will be validated against the Logout URI setting; if it doesn't match, it will default to the first it finds in the list (Logout URI setting). |
Shawn Lee-Kwong 2024‑03‑01 14:50 | > I am 👍 for adding an option for post logout redirect. Just wondering what I should make the default as.<br>The default can be empty and not pass in that param; it will do what it does now. I think that is the only good default since we can't guarantee a merchant / dev putting anything in the list of logout URIs. If there is nothing in the Logout URI setting, it defaults to the shop's domain URL. |
Bret Little 2024‑03‑01 15:36 | @s-lee-kwong is the shop's domain URL the myshopify.com domain? |
Bret Little 2024‑03‑01 15:37 | That's probably fine even if it's that. I think we still recommend devs add a redirect script to their Liquid site for headless. cc @benjaminsehl |
Shawn Lee-Kwong 2024‑03‑01 15:42 | ya it would be Bret |
Bret Little 2024‑03‑01 15:44 | So that's the only risk: |
Shawn Lee-Kwong 2024‑03‑01 15:45 | so if 1. happens, 2. couldn't happen since 2. would check against 1., and then you end up with the outcome as well |
Bret Little 2024‑03‑01 15:47 | Is that level of checking necessary? Why not just verify the logout URI is on the same authorized domain? |
Shawn Lee-Kwong 2024‑03‑01 15:49 | it's part of the OAuth flow; we don't want someone to hijack a logout and redirect them to an attacker site. Same concept as the <code>redirect_uri</code>, albeit logout redirect is probably less dangerous |
Shawn Lee-Kwong 2024‑03‑01 15:50 | though I get your point about the authorized domain. Identity actually doesn't know anything about the authorized domain other than the redirect URI, but it doesn't store that info in the tokens or anything like that |
Michelle Chen archived this conversation from hydrogen-oxygen at 2024‑03‑01 21:31.
All times are in UTC.