
On Symfony 4, when catching a callback route from any external API service (in this case - Shopify API), my logged in user becomes anon.

  • (HTTP): Everything works when testing on localhost
  • (HTTPS): However, my logged in User becomes null / Anonymous when testing on my remote server (prod).

How do I fetch my logged in user after catching a callback route from any API service? I think it could be a problem with either HTTP vs HTTPS or some Symfony settings.


On Shopify API dashboard - Allowed redirection URL(s):

http://localhost:8000/shopify/callback
https://<myremoteip>.com/shopify/callback

Symfony Controller Route (for Shopify callback):

/**
 * @Route("/shopify/callback", name="shopify_callback")
 */
public function shopify_auth_callback(Request $request)
{
    // Dump the currently authenticated user (or null) and stop.
    dd($this->getUser());
}

Callback Result (localhost):

App\Entity\User {#977
   -id: 103
   -email: "aaaa@gmail.com"
}

Callback Result (remote):

null
aivarastee
    Technically, Symfony users are "remembered" by a session cookie. That cookie *should* be sent along with all requests heading to your server. If it's not the case, something is indeed weird. You should probably check if that assumption is true (go through the flow and check if the requests to your server indeed *all* do contain the *same* user cookie). If the cookie is missing, read the internet on why this can happen (there are some reasons too long for this comment). Specifically look at both the request *and* response headers to see cookie resets. – Jakumi Dec 06 '20 at 08:06
  • Thanks for the reply. The problem is that I'm following this process: 1. I call the Shopify API for authorization 2. Shopify calls my "callback" URL that I registered on Shopify (saying if success / fail) 3. My Symfony user is lost (comes back as anonymous). And it's the same for any API that I use. You're saying I should look at the cookie headers that I send to Shopify? And Shopify will send them back? – aivarastee Dec 06 '20 at 22:51
    Shopify is largely irrelevant for your problem, I'd say. Auth in Symfony works in the way that Symfony/the server sends a header to the user that contains the cookie (= session identifier). This cookie should be sent to *your* server on every request the user does. Depending on your configuration and the user's configuration, that cookie might expire or might be deleted at some point. To pinpoint that, you have to actively look for the cookie in your incoming and outgoing headers (network console in dev mode in your browser). Only requests from and to Symfony (!). – Jakumi Dec 06 '20 at 23:08
  • Yes, it's not related to Shopify specifically. I think it's related to any Cross-Domain request that I'm making. I looked at the headers I send: on localhost - it sends my cookie with "Set-Cookie: XXXXXXXX", and on my remote server I'm not sending any cookies. How can I send them in prod environment? – aivarastee Dec 06 '20 at 23:29
  • the point is, it should send some cookies at least when you log(ged) into symfony on prod. the options are 1. expiration (determined by php.ini var by default, there are additional config parameters in symfony) and 2. overwriting (might be caused by symfony for whatever reason). Don't want to be debugging with high-latency via Stackoverflow comment section, so you might want to spend some effort figuring this out for yourself, sry. – Jakumi Dec 07 '20 at 06:43
    This indeed looks like a [`SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy issue. Have you already checked the cookie headers and/or the framework config in both environments? (`bin/console debug:config framework session`). – msg Dec 07 '20 at 18:57

2 Answers


I had the same issue but with the Google OAuth system. I just changed the cookie SameSite policy in the framework configuration from 'strict' to 'lax' and it solved my issue.

Now I can keep the user logged in after the API redirection.

framework:
  session:
    enabled: true
    cookie_secure: 'auto'
    cookie_samesite: 'lax'
    cookie_lifetime: 86400
King Julian
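Why the 'strict' to 'lax' change matters, as an added example (Python, not part of this answer or of Symfony): a small model of the browser's SameSite decision, following the RFC 6265bis rules. The cookie name and the hosts (a constructed `shopify.example` provider and a constructed `shop.example.com` app) are assumptions, not the asker's real values; `site()` approximates the registrable domain with the last two labels instead of the Public Suffix List.

```python
"""Browser-side SameSite model for the OAuth callback problem above.

Added illustration, not Symfony/PHP code: it encodes the SameSite
attachment rules so the Strict -> Lax fix can be reasoned about.
Hosts below are constructed examples, not the asker's real deployment.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str = "lax"   # 'strict' | 'lax' | 'none' (Chrome treats a missing attribute as 'lax')
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url: str
    initiator: Optional[str]     # page that caused the request; None = typed URL / bookmark
    method: str = "GET"
    top_level: bool = True       # top-level navigation (redirect/link) vs. subresource/XHR


def site(url: str) -> str:
    """Approximate the registrable domain: last two labels, or the whole host
    for single-label hosts such as 'localhost'. Real browsers use the Public
    Suffix List; this shortcut is enough for these examples."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


def is_cross_site(req: Request) -> bool:
    return req.initiator is not None and site(req.initiator) != site(req.url)


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser would attach `cookie` to `req`."""
    if cookie.secure and urlsplit(req.url).scheme != "https":
        return False                      # Secure cookies never travel over http
    if cookie.samesite == "none":
        return cookie.secure              # SameSite=None is rejected without Secure
    if not is_cross_site(req):
        return True                       # same-site request: always sent
    if cookie.samesite == "strict":
        return False                      # Strict: never on a cross-site request
    # Lax: only top-level navigations using a safe method (GET/HEAD)
    return req.top_level and req.method.upper() in ("GET", "HEAD")


# Constructed scenarios (hosts are assumptions, not the asker's).
IDP = "https://accounts.shopify.example/oauth/authorize"
APP = "https://shop.example.com/shopify/callback"

CALLBACK_GET = Request(url=APP, initiator=IDP)                   # the provider's 302 back to us
CALLBACK_POST = Request(url=APP, initiator=IDP, method="POST")   # form_post-style callback
INTERNAL_LINK = Request(url=APP, initiator="https://shop.example.com/settings")

if __name__ == "__main__":
    for policy in ("strict", "lax", "none"):
        c = Cookie("PHPSESSID", samesite=policy, secure=True)
        print(f"{policy:7} GET callback: {cookie_sent(c, CALLBACK_GET)!s:5} "
              f"POST callback: {cookie_sent(c, CALLBACK_POST)!s:5} "
              f"same-site link: {cookie_sent(c, INTERNAL_LINK)}")
```

The model shows the trade-off behind the answer: with 'strict' the session cookie is dropped on the provider's redirect, so `getUser()` is null in the callback; 'lax' sends it on that top-level GET while still withholding it from cross-site POSTs, which keeps the CSRF protection that matters most. A callback delivered by cross-site POST would need 'none' plus `cookie_secure`, and then Symfony's CSRF protection (or the OAuth `state` parameter) has to do the work SameSite no longer does. `bin/console debug:config framework session` shows which of these values each environment is actually running with.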

The problem was that I was creating a new session before navigating to a remote URL.

Advice for future readers - make sure you're always on the same session, which you can fetch from the Request.

Avoid doing this:

$session = new Session(); // a fresh Session object, not the one the request's cookie refers to
aivarastee