Shopify_auth Multi Store Session Handling

- 1 answer

I am using Django with the shopify_auth package to connect with Shopify.

Does anyone have any examples of how to handle multi store sessions/connections?

So far, I am thinking of modifying shopify_auth's @login_required decorator with the following, but am unsure if I will miss anything with this:

In shopify_auth/

def login_required(f, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):

    def wrapper(request, *args, **kwargs):
        if request.user.is_authenticated():

            # Extract the Shopify-specific authentication parameters from the current request.
            new_request_d = [ ... get request.GET params ('shop', etc.) ... ]

            # Compare current active request.user with new reqeust.GET's 'shop'
            if request.user != new_request_d['shop']:
                [ ...  do something to change session to the other shop ...]
                [ ... redirect as necessary .... ]

            return f(request, *args, **kwargs)

In the shopify_auth module their is an unresolved issue about this.

It hints at using the ruby implementation.

Any help in the right direction would be appreciated.



I've solved the issue in the apps I work on by creating a custom modified SessionMiddleware that creates and handles separate session cookies per store, and associates requests to their respective shop via (in the following order of precedence):

  1. Request headers
  2. URL parameters
  3. Referrer

I unfortunately can't share the exact implementation due to closed-source agreements/restrictions, however I hope this leads you in the right direction.

Make sure that you still include other security middleware (CsrfViewMiddleware, AuthenticationMiddleware, SessionAuthenticationMiddleware, SecurityMiddleware) so the user can't spoof your system.

The advantage to this rather than logging the user out is that if you're loading anything via AJAX, going back and forth between tabs of different app installs will always work, and you won't have to worry about implementing weird redirect logic to handle those errors.